今天做题，序列化忘得一干二净
重新学习下
序列化函数：serialize()
反序列化函数：unserialize()

<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<?php
show_source(__FILE__);
$str="hahaha";
$arr=array('name' =>'aoo' ,'age'=>20 );
class a{
public $a=1;
}
class b{
public $b=1;
public function seta(){
$b=0;
}
}
$obj=new b();
$obj->seta();
echo "字符:".serialize($str)."<br>";
echo "数组:".serialize($arr)."<br>";
echo "对象序列化:".serialize($obj);
?>

php中有一类特殊的方法叫“Magicfunction”
构造函数__construct()：当对象创建(new)时会自动调用。
析构函数__destruct()和__wakeup()：当对象被销毁时会自动调用。
例题：
<?php
show_source(__FILE__);
class xu{
var $test = 'abcd';
function __wakeup(){
$fp = fopen("1.php","w") ;
fwrite($fp,$this->test);
fclose($fp);
}
}
$class3 = $_GET['test'];
print_r($class3);
echo "</br>";
$class3_unser = unserialize($class3);
require "1.php";
思考一下怎么向1.php中写入我们想要的东西，比如写入phpinfo

在反序列化字符串时，属性个数的值大于实际属性个数时，会跳过 __wakeup()函数的执行
如：O:3:"xul":1:{s:4:"test";s:18:"<?php phpinfo();?>";}
改为：O:3:"xul":2:{s:4:"test";s:18:"<?php phpinfo();?>";}
攻防世界unserialize3
class xctf{
public $flag = '111';
public function __wakeup(){
exit('bad requests');
}
?code=

攻防世界：Web_php_unserialize
<?php
class Demo {
private $file = 'index.php';
public function __construct($file) {
$this->file = $file;
}
function __destruct() {
echo @highlight_file($this->file, true);
}
function __wakeup() {
if ($this->file != 'index.php') {
//the secret is in the fl4g.php
$this->file = 'index.php';
}
}
}
if (isset($_GET['var'])) {
$var = base64_decode($_GET['var']);
if (preg_match('/[oc]:\d+:/i', $var)) {
die('stop hacking!');
}else {
@unserialize($var);
}
} else {
highlight_file("index.php");
}
?>

上一题
private 声明的字段为私有字段，只在所声明的类中可见，因此私有字段的字段名在序列化时，类名和字段名前面都会加上\0的前缀。字符串长度也包括所加前缀的长度。其中 \0 字符也是计算长度的。
做
[极客大挑战 2019]PHP

等今天下午考完信息安全数学基础，我也要玩ctf

贴吧死了好久了，好不容易有人发

PHP在调用一个对象中不存在的方法时会调用call方法

在PHP7版本以上时如果存在unserialize方法就执行unserialize 方法跳过weakup

不错

[网鼎杯 2020 青龙组]AreUSeria
lz

<?php
include("flag.php");
highlight_file(__FILE__);
class FileHandler {
protected $op;
protected $filename;
protected $content;
function __construct() {
$op = "1";
$filename = "/tmp/tmpfile";
$content = "Hello World!";
$this->process();
}
public function process() {
if($this->op == "1") {
$this->write();
} else if($this->op == "2") {
$res = $this->read();
$this->output($res);
} else {
$this->output("Bad Hacker!");
}
}
private function write() {
if(isset($this->filename) && isset($this->content)) {
if(strlen((string)$this->content) > 100) {
$this->output("Too long!");
die();
}
$res = file_put_contents($this->filename, $this->content);
if($res) $this->output("Successful!");
else $this->output("Failed!");
} else {
$this->output("Failed!");
}
}
private function read() {
$res = "";
if(isset($this->filename)) {
$res = file_get_contents($this->filename);
}
return $res;
}
private function output($s) {
echo "[Result]: <br>";
echo $s;
}
function __destruct() {
if($this->op === "2")
$this->op = "1";
$this->content = "";
$this->process();
}
}
function is_valid($s) {
for($i = 0; $i < strlen($s); $i++)
if(!(ord($s[$i]) >= 32 && ord($s[$i]) <= 125))
return false;
return true;
}
if(isset($_GET{'str'})) {
$str = (string)$_GET['str'];
if(is_valid($str)) {
$obj = unserialize($str);
}
}

[MRCTF2020]Ezpop
<?php
//flag is in flag.php
//WTF IS THIS
//And Crack It!
class Modifier {
protected $var;
public function append($value){
include($value);
}
public function __invoke(){
$this->append($this->var);
}
}
class Show{
public $source;
public $str;
public function __construct($file='index.php'){
$this->source = $file;
echo 'Welcome to '.$this->source."<br>";
}
public function __toString(){
return $this->str->source;
}
public function __wakeup(){
if(preg_match("/gopher|http|file|ftp|https|dict|\.\./i", $this->source)) {
echo "hacker";
$this->source = "index.php";
}
}
}
class Test{
public $p;
public function __construct(){
$this->p = array();
}
public function __get($key){
$function = $this->p;
return $function();
}
}
if(isset($_GET['pop'])){
@unserialize($_GET['pop']);
}
else{
$a=new Show;
highlight_file(__FILE__);
}

反序列化字符逃逸可以做下面几个题目
buuctf：
[安洵杯 2019]easy_serialize_php
piapiapia
bugku：
newphp