Log in as test1 / test1, following the hint in the page source.
Refresh the page and capture the traffic; there is a show=0 worth noting.
Add a show: 1 header to the request you send, and you get the source of member.php:
    <?php
    include 'common.php';
    // Later arrays win on equal string keys: $_COOKIE overrides $_SESSION.
    $requset = array_merge($_GET, $_POST, $_SESSION, $_COOKIE);
    class db
    {
        public $where;
        // Runs automatically when a db object is unserialized.
        function __wakeup()
        {
            if (!empty($this->where))
            {
                $this->select($this->where);
            }
        }
        function select($where)
        {
            // $where is concatenated into the query as-is.
            $sql = mysql_query('select * from user where ' . $where);
            return @mysql_fetch_array($sql);
        }
    }
    if (isset($requset['token']))
    {
        // The token is base64 -> zlib -> serialized PHP data.
        $login = unserialize(gzuncompress(base64_decode($requset['token'])));
        $db = new db();
        $row = $db->select('user=\'' . mysql_real_escape_string($login['user']) . '\'');
        if ($login['user'] === 'ichunqiu')
        {
            echo $flag;
        } else if ($row['pass'] !== $login['pass']) {
            echo 'unserialize injection!!';
        } else {
            echo "(╯‵-′) ╯︵┴─┴";
        }
    } else {
        header('Location:index.php?error=1');
    }
    ?>
array array_merge ( array $array1 [, array $... ] ) // Merges the elements of one or more arrays; the values of each array are appended to the end of the previous one. Returns the resulting array.
string gzuncompress ( string $data [, int $length = 0 ] ) // Uncompresses a compressed string. The counterpart of gzcompress().
mysql_real_escape_string() // Escapes the special characters in a string that is used in an SQL statement: \x00, \n, \r, \, ', " and \x1a
Special note on array_merge(): if the input arrays have the same string key, the later value for that key overrides the previous one. If the arrays contain numeric keys, however, later values do not overwrite the original values but are appended.
Now back to the challenge. According to the source code, submitting a token that meets the conditions returns the flag. We did not submit a token via POST, GET, or cookie, yet the server returned "(╯‵-′) ╯︵┴─┴", which means the token is in the session. Because $_COOKIE is merged after $_SESSION, we just need to override the token with a cookie.
So construct
And then submit it in a cookie.
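The array_merge() override described above, next to one way to close it, as an added example that is not part of the original post or the challenge source. The names trusted_token, decode_token and Probe are hypothetical, and all values are constructed.

```php
<?php
// Added example; every value below is constructed for illustration.
$session = ['token' => 'server-issued'];    // stands in for $_SESSION
$cookie  = ['token' => 'client-supplied'];  // stands in for $_COOKIE

// member.php's pattern: for equal string keys the later array wins,
// so the cookie value replaces the session value.
$merged = array_merge([], [], $session, $cookie);
echo "merged token: {$merged['token']}\n";

// Numeric keys are renumbered and appended instead of overwritten.
echo json_encode(array_merge([0 => 'a'], [0 => 'b'])), "\n";

// Hardened read: take the token from the one source the server controls.
function trusted_token(array $session): ?string
{
    $t = $session['token'] ?? null;
    return is_string($t) ? $t : null;
}

// Hardened decode: strict base64, bounded inflate, and no object
// instantiation, so no class's __wakeup() can run during unserialize().
function decode_token(string $token): ?array
{
    $raw = base64_decode($token, true);
    if ($raw === false) return null;
    $data = @gzuncompress($raw, 4096);   // cap the decompressed size
    if ($data === false) return null;
    $value = @unserialize($data, ['allowed_classes' => false]);
    return is_array($value) ? $value : null;
}

// Hypothetical class used only to observe whether __wakeup() fires.
class Probe
{
    public static $woke = false;
    public function __wakeup() { self::$woke = true; }
}

$sample  = base64_encode(gzcompress(serialize(['user' => 'test1', 'p' => new Probe()])));
$decoded = decode_token($sample);
echo "trusted token: ", trusted_token($session), "\n";
echo "user: ", $decoded['user'], "\n";
echo "__wakeup ran: ", var_export(Probe::$woke, true), "\n";
echo "object became: ", get_class($decoded['p']), "\n";
```

The allowed_classes option requires PHP 7.0 or later; a token that leaves the server should additionally be authenticated before it is decoded.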
i春秋 "Baidu Cup" CTF competition, October round: Login