level 1
Akatsuki_T
楼主
<?php
function filter($string) {
$safe = array('system','fopen','fread','file_get_contents','flag');
$safe = '/' . implode('|', $safe) . '/i';
return preg_replace($safe, 'nonono', $string);
}
class PingUtils{
function __call($name,$args){
system("ping -c4 ${args[0]}");
}
}
class Cindy{
var $someone;
var $phone;
function call(){
$this->phone->call($this->someone);
}
}
class Bob{
public $flag=True;
public function __get($a){
if($this->flag){
$cindy = new Cindy();
$cindy->someone = $_REQUEST['someone'];
$cindy->phone = "p50";
#var_dump(filter(serialize($cindy)));
$cindy = unserialize(filter(serialize($cindy)));
$cindy->call($someone);
}else{
echo 'nonono';
}
}
public function __wakeup(){
$this->flag = False;
}
}
class Alice{
public function __destruct(){
echo $this->c->b;
}
}
highlight_file(__FILE__);
@unserialize($_GET['pop']);
2022年07月09日 03点07分
1
function filter($string) {
$safe = array('system','fopen','fread','file_get_contents','flag');
$safe = '/' . implode('|', $safe) . '/i';
return preg_replace($safe, 'nonono', $string);
}
class PingUtils{
function __call($name,$args){
system("ping -c4 ${args[0]}");
}
}
class Cindy{
var $someone;
var $phone;
function call(){
$this->phone->call($this->someone);
}
}
class Bob{
public $flag=True;
public function __get($a){
if($this->flag){
$cindy = new Cindy();
$cindy->someone = $_REQUEST['someone'];
$cindy->phone = "p50";
#var_dump(filter(serialize($cindy)));
$cindy = unserialize(filter(serialize($cindy)));
$cindy->call($someone);
}else{
echo 'nonono';
}
}
public function __wakeup(){
$this->flag = False;
}
}
class Alice{
public function __destruct(){
echo $this->c->b;
}
}
highlight_file(__FILE__);
@unserialize($_GET['pop']);