web254

The attached code ：

<?php
​
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2020-12-02 17:44:47
# @Last Modified by:   h1xa
# @Last Modified time: 2020-12-02 19:29:02
# @email: [email protected]
# @link: https://ctfer.com
​
*/
​
error_reporting(0);
highlight_file(__FILE__);
include('flag.php');
​
class ctfShowUser{
    public $username='xxxxxx';
    public $password='xxxxxx';
    public $isVip=false;
​
    public function checkVip(){
        return $this->isVip;
    }
    public function login($u,$p){
        if($this->username===$u&&$this->password===$p){
            $this->isVip=true;
        }
        return $this->isVip;
    }
    public function vipOneKeyGetFlag(){
        if($this->isVip){
            global $flag;
            echo "your flag is ".$flag;
        }else{
            echo "no vip, no flag";
        }
    }
}
​
$username=$_GET['username'];
$password=$_GET['password'];
​
if(isset($username) && isset($password)){
    $user = new ctfShowUser();
    if($user->login($username,$password)){
        if($user->checkVip()){
            $user->vipOneKeyGetFlag();
        }
    }else{
        echo "no vip,no flag";
    }
}
​

The problem is very simple , The general idea is to let you Get Pass on a reference username and password, Below if Yes check if it is empty , Call if it is not empty ctfShowUser Inside login Method , Incoming username Turned into $u, Incoming password Turned into $p. Below if Is judging isVip Is it ture, You can see at the beginning

Here's isVip yes false Of , So if username and password The value of and ctfShowUser Inside username and password The values of are the same , Then let isVip become Ture, We can jump to vipOneKeyGetFlag() In the middle . obtain flag

payload：

?username=xxxxxx&password=xxxxxx

  It's still very simple to clarify the train of thought .