反序列化入门
Posted vstar-o
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了反序列化入门相关的知识,希望对你有一定的参考价值。
序列化及魔术函数例子
<?php
$first=4;
$second=serialize($first);
echo $second;//i:4; 类型:i int 值:4
echo "<br/>";
echo ‘-----------------------------------------------‘;
echo "<br/>";
class GWHTeam{
public $web;
public $pwn;
private $crypto;//
protected $misc;
//O:7:"GWHTeam":4:{s:3:"web";s:4:"2018";s:3:"pwn";N;s:15:"GWHTeamcrypto";N;s:7:"*misc";N;}
//x00 + * + x00 + 变量名 -> 反序列化为protected变量
//x00 + 类名 + x00 + 变量名 -> 反序列化为private变量
function __construct($web){
echo ‘welcome to gwht!<br/>‘;
$this->web=$web;
echo $this->web;
echo "<br/>";
}
function __destruct(){
echo "<br/>";
echo ‘this is destruct‘;
}
function __toString(){
return "it must return a str value<br />";
}
function __invoke($a,$b){
echo ‘my name is ‘. $a,‘,i like ‘. $b;
}
}
$a=new GWHTeam(‘2018‘,‘2019‘); //construct
echo $a; //toString
echo "<br/>";
$a(‘vstar‘,‘GWHT‘); //invoke
echo "<br/>";
/* __construct()//当一个对象创建时被调用
__destruct() //当一个对象销毁时被调用
__toString() //当一个对象被当作一个字符串使用
__get()//获得一个类的成员变量时调用,读取不可访问属性的值时,__get() 会被调用。
也就是,当想要获取一个类的私有属性,或者获取一个类并为定义的属性时。该魔术方法会被调用。
__set()//设置一个类的成员变量时调用
__invoke()//调用函数的方式调用一个对象时的回应方法
__call()//当调用一个对象中的不能用的方法的时候就会执行这个函数
__sleep() 在对象在被序列化之前运行
__wakeup() 将在反序列化之后立即被调用(通过序列化对象元素个数不符来绕过)*/
echo "<br/>";
echo ‘---------------------------------------------<br/>‘;
function __wakeup(){
echo ‘this is __wakeup‘;
}
echo serialize($a);
?>
序列化例题1
<?php
error_reporting(0);
include "flag.php";
$KEY = "D0G!!!";
$str = $_GET[‘str‘];
if (unserialize($str) === "$KEY")
{
echo "$flag";
}
show_source(__FILE__);
?>
序列化例题2
<?php
class Student
{
public $score = 0;
public function __destruct()
{
echo "__destruct working";
if($this->score==10000) {
$flag = "******************";
echo $flag;
}
}
}
$exp = $_GET[‘exp‘];
echo "<br>";
unserialize($exp);
?>
序列化例题3
<?php
$select = $_GET[‘select‘];
$res=unserialize(@$select);
error_reporting(0);
class Name{
private $username = ‘nonono‘;
private $password = ‘yesyes‘;
public function __construct($username,$password){
$this->username = $username;
$this->password = $password;
}
function __wakeup(){
$this->username = ‘guest‘;
}
function __destruct(){
if ($this->password != 100) {
echo "</br>NO!!!hacker!!!</br>";
echo "You name is: ";
echo $this->username;echo "</br>";
echo "You password is: ";
echo $this->password;echo "</br>";
die();
}
if ($this->username === ‘admin‘) {
global $flag;
echo $flag;
}else{
echo "</br>hello my friend~~</br>sorry i can‘t give you the flag!";
die();
}
}
}
?>
题解
<?php
$c =‘D0G!!!‘;
echo serialize($c);
$d=‘s:6:"D0G!!!";‘;
echo unserialize($d);
---------------------------------------------------------
class Student
{
public $score = 1000;
public function __destruct()
{
echo "__destruct working";
if($this->score==10000) {
$flag = "******************";
echo $flag;
}
}
}
$a=new Student();
echo serialize($a);
-------------------------------------------------------
$a = new Name(‘admin‘,100);
echo serialize($a);
//绕过__wakeup
?>
以上是关于反序列化入门的主要内容,如果未能解决你的问题,请参考以下文章