反序列化入门

序列化及魔术函数例子

<?php
    $first=4;
    $second=serialize($first);
    echo $second;//i:4; 类型：i int 值：4
    echo "<br/>";
    echo '-----------------------------------------------';
    echo "<br/>";
    class GWHTeam{
        public $web;
        public $pwn;
        private $crypto;//
        protected $misc;
        //O:7:"GWHTeam":4:{s:3:"web";s:4:"2018";s:3:"pwn";N;s:15:"GWHTeamcrypto";N;s:7:"*misc";N;}
        //x00 + * + x00 + 变量名 -> 反序列化为protected变量
        //x00 + 类名 + x00 + 变量名 -> 反序列化为private变量


        function __construct($web){
            echo 'welcome to gwht!<br/>';
            $this->web=$web;
            echo $this->web;
            echo "<br/>";
            
        }
        function __destruct(){
            echo "<br/>";
            echo 'this is destruct';
           
        }
        function __toString(){
            return "it must return a str value<br />";
            
        }
        function __invoke($a,$b){
            echo 'my name is '. $a,',i like '. $b;
        }
        
        }
    
        $a=new GWHTeam('2018','2019'); //construct
        echo $a; //toString
        echo "<br/>";
        $a('vstar','GWHT'); //invoke
        echo "<br/>";

        
    
 /*     __construct()//当一个对象创建时被调用
        __destruct() //当一个对象销毁时被调用
        __toString() //当一个对象被当作一个字符串使用
        __get()//获得一个类的成员变量时调用，读取不可访问属性的值时，__get() 会被调用。
            也就是，当想要获取一个类的私有属性，或者获取一个类并为定义的属性时。该魔术方法会被调用。
        __set()//设置一个类的成员变量时调用
        __invoke()//调用函数的方式调用一个对象时的回应方法
        __call()//当调用一个对象中的不能用的方法的时候就会执行这个函数
        __sleep()  在对象在被序列化之前运行
        __wakeup()  将在反序列化之后立即被调用(通过序列化对象元素个数不符来绕过)*/
        echo "<br/>";
        echo '---------------------------------------------<br/>';

        
        function __wakeup(){
            echo 'this is __wakeup';
        }
        echo  serialize($a);
?>

序列化例题1

<?php
error_reporting(0);
include "flag.php";
$KEY = "D0G!!!";
$str = $_GET['str'];
if (unserialize($str) === "$KEY")
{
    echo "$flag";
}
show_source(__FILE__);
?>

序列化例题2

<?php
class Student
{
    public $score = 0;
    public function __destruct()
    {
        echo "__destruct working";
        if($this->score==10000) {
            $flag = "******************";
            echo $flag;
        }
    }
}
$exp = $_GET['exp'];
echo "<br>";
unserialize($exp);


?>

序列化例题3

<?php
$select = $_GET['select'];
$res=unserialize(@$select);
error_reporting(0);


class Name{
private $username = 'nonono';
private $password = 'yesyes';

public function __construct($username,$password){
    $this->username = $username;
    $this->password = $password;
}

function __wakeup(){
    $this->username = 'guest';
}

function __destruct(){
    if ($this->password != 100) {
        echo "</br>NO!!!hacker!!!</br>";
        echo "You name is: ";
        echo $this->username;echo "</br>";
        echo "You password is: ";
        echo $this->password;echo "</br>";
        die();
    }
    if ($this->username === 'admin') {
        global $flag;
        echo $flag;
    }else{
        echo "</br>hello my friend~~</br>sorry i can't give you the flag!";
        die();


    }
}
}
?>

题解

<?php
    $c ='D0G!!!';
    echo serialize($c);
    $d='s:6:"D0G!!!";';
    echo unserialize($d);
---------------------------------------------------------
    class Student
{
    public $score = 1000;
    public function __destruct()
    {
        echo "__destruct working";
        if($this->score==10000) {
            $flag = "******************";
            echo $flag;
        }
    }
}

    $a=new Student();
    echo serialize($a);
-------------------------------------------------------
    $a = new Name('admin',100);
    echo serialize($a);
    //绕过__wakeup

?>