南邮PHP反序列化

题目如下:

<?php
class just4fun {
    var $enter;
    var $secret;
}

if (isset($_GET['pass'])) {
    $pass = $_GET['pass'];

    if(get_magic_quotes_gpc()){
        $pass=stripslashes($pass);
    }

    $o = unserialize($pass);

    if ($o) {
        $o->secret = "*";
        if ($o->secret === $o->enter)
            echo "Congratulation! Here is my secret: ".$o->secret;
        else 
            echo "Oh no... You can't fool me";
    }
    else echo "are you trolling?";
}
?>

主要是涉及了一个PHP对象深浅拷贝,文章:https://www.cnblogs.com/nul1/p/9418080.html

直接构造POC:

 1 <?php 
 2 class just4fun
 3 {
 4     var $enter;
 5     var $secret;
 6     
 7     function __construct()
 8     {
 9         $this->enter=&$this->secret;
10     }
11 }
12 echo serialize(new just4fun());
13 
14  ?>

第九行的&引用不能少。否则就不行了。

&的概念:

&属于引用,属于浅拷贝,一个改变另外一个也随之改变。

1 <?php 
2 $a = "xxoo";
3 $b = &$a;
4 $b = 'aaaaaa';
5 echo $a;
6  ?>

 

posted @ 2018-08-04 09:47  _nul1  阅读(802)  评论(0编辑  收藏