ctfshow web入门 序列化

序列化和反序列化

web254

<?php
error_reporting(0);
highlight_file(__FILE__);
include('flag.php');

class ctfShowUser{
   
    public $username='xxxxxx';
    public $password='xxxxxx';
    public $isVip=false;

    public function checkVip(){
   
        return $this->isVip;
    }
    public function login($u,$p){
   
        if($this->username===$u&&$this->password===$p){
   
            $this->isVip=true;
        }
        return $this->isVip;
    }
    public function vipOneKeyGetFlag(){
   
        if($this->isVip){
   
            global $flag;
            echo "your flag is ".$flag;
        }else{
   
            echo "no vip, no flag";
        }
    }
}

$username=$_GET['username'];
$password=$_GET['password'];

if(isset($username) && isset($password)){
   
    $user = new ctfShowUser();
    if($user->login($username,$password)){
   
        if($user->checkVip()){
   
            $user->vipOneKeyGetFlag();
        }
    }else{
   
        echo "no vip,no flag";
    }
}

源码中并没有序列化，所以类中的函数都不能触发，所以直接get传参，让username和password的值都等于原来的初始值

?password=xxxxxx&password=xxxxxx

web255

 <?php
error_reporting(0);
highlight_file(__FILE__);
include('flag.php');

class ctfShowUser{
   
    public $username='xxxxxx';
    public $password='xxxxxx';
    public $isVip=false;

    public function checkVip(){
   
        return $this->isVip;
    }
    public function login($u,$p){
   
        return $this->username===$u&&$this->password===$p;
    }
    public function vipOneKeyGetFlag(){
   
        if($this->isVip){
   
            global $flag;
            echo "your flag is ".$flag;
        }else{
   
            echo "no vip, no flag";
        }
    }
}

$username=$_GET['username'];
$password=$_GET['password'];

if(isset($username) && isset($password)){