<?php
error_reporting(0);
$file = $_GET["file"];
$p = $_GET["p"];
if (isset($file)) {
    echo 'NONONO' . '<br>';
    if (preg_match("/flag/", $file)) {
        die('HACKER GOGOGO!!!');
    }
    @include($file);
    if (isset($p)) {
        $p = unserialize($p);
    } else {
        echo "NONONO";
    }
}
?>
<!-- You can try ?file=xxxx, and check the code in try.php -->
try.php
<?php
class Seri{
    public $alize;
    public function __construct($alize) {
        $this->alize = $alize;
    }
    public function __destruct(){
        $this->alize->getFlag();
    }
}
class Flag{
    public $f;
    public $t1;
    public $t2;
    function __construct($file){
        echo "Another construction!!";
        $this->f = $file;
        $this->t1 = $this->t2 = md5(rand(1,10000));
    }
    public function getFlag(){
        $this->t2 = md5(rand(1,10000));
        echo $this->t1;
        echo $this->t2;
        if($this->t1 === $this->t2)
        {
            if(isset($this->f)){
                echo @highlight_file($this->f,true);
            }
        }
    }
}
?>
This is a simplified version of justsoso from the 12th Information Security Contest (信安大赛).
Here $alize->getFlag() is called, so $alize must be an instance of the Flag class.
The only problem to think about is how to make t1 and t2 equal, since both are assigned random values.
Unlike C, PHP has references.
Here the two properties point to the same variable: once both names refer to the same address, the two values are necessarily equal.
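To make the reference point concrete, here is an added example (not part of the original challenge code) that serializes a reduced Flag-like class with t1 referencing t2, shows that unserialize() rebuilds the reference so the identity check still passes after t2 is reassigned, and contrasts this with the allowed_classes option of unserialize() available since PHP 7.0. The check() method is an assumed stand-in for getFlag().

```php
<?php
// Added example (constructed, not the challenge's own code): shows how PHP
// serialization preserves references between object properties.
class Flag {
    public $f;
    public $t1;
    public $t2;
    // Mirrors getFlag(): t2 is overwritten with a fresh random value before
    // the strict comparison, so independent values practically never match.
    public function check(): bool {
        $this->t2 = md5(rand(1, 10000));
        return $this->t1 === $this->t2;
    }
}

// Case 1: t1 and t2 are independent values.
$plain = new Flag();
$plain->t1 = 'a';
$plain->t2 = 'b';
$restored = unserialize(serialize($plain));
var_dump($restored->check());          // independent copies: comparison fails

// Case 2: t1 is a reference to t2. serialize() then writes the t2 slot as an
// R:n back-reference to the t1 slot instead of emitting a second copy.
$ref = new Flag();
$ref->t1 = &$ref->t2;
$ref->t2 = 'x';
$payload = serialize($ref);
echo $payload, "\n";

// unserialize() rebuilds the reference, so reassigning t2 inside check()
// also changes t1 and the === comparison holds.
$restored = unserialize($payload);
var_dump($restored->check());

// Hardening (PHP >= 7.0): allowed_classes controls which classes may be
// instantiated. With false, every object becomes __PHP_Incomplete_Class,
// so no application method or destructor such as getFlag() is reachable.
$inert = unserialize($payload, ['allowed_classes' => false]);
var_dump(get_class($inert));
```

The R: token in the printed payload is the same mechanism the writeup relies on: t2 is not a second string but a pointer back to the slot that holds t1.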