PHP magic method

Basic concepts

PHP Two underscores in the middle __ The first method is called magic method , These methods are in PHP It plays a very important role in , They serve classes and objects .

Reasons for appearance

PHP Although it's an object-oriented language , But some object-oriented standards are not perfect , For example, overloading （ Functions or methods have the same name , But when the parameter list is different , Between functions or methods with the same name and different parameters , They call each other overloaded functions or methods ）, We can make up for it by some magic methods .

Detailed explanation of magic method

__construct(), Class constructor
__destruct(), Destructor of class
__call(), Called when an invocable method is invoked in an object
__callStatic(), Call in an static way when an invocable method is called
__get(), Call when you get a member variable of a class
__set(), Called when setting a member variable of a class
__sleep(), perform serialize() when , This function will be called first
__wakeup(), perform unserialize() when , This function will be called first
__toString(), The response method when a class is treated as a string
__invoke(), The response method when an object is called by calling a function
__set_state(), call var_export() When exporting a class , This static method will be called .
__clone(), Called when the object copy is complete

One 、__construct(), Class constructor 、__destruct(), Destructor of class
__construct Construction method , This method is called when an object is created , and __destruct() Is called when an object is destroyed , That is to say PHP Of gc Mechanism

<?php 
class FileRead
{
    
 protected $handle = NULL;

 function __construct(){
    
  $this->handle = fopen(...);
 }

 function __destruct(){
    
  fclose($this->handle);
 }
}
?>

Two 、__call()、__callStatic()
When you use these undefined methods, you go into these two functions . For example, we call $ a->b(); This method , But in fact $a There is no class template for b() Method , It's time to enter __call() Methods to deal with .__callStatic() If the corresponding method is not defined when calling statically , Just enter __callStatic() In the method , Such as A::b(), There is no definition b() Method , And then it's time to enter __callStatic() Intermediate processing .
3、 ... and 、__set() and __get()
__set() and __get() Is an attribute that cannot be accessed by the operation . Be careful , This doesn't mean undefined properties , If defined as private The properties of can also be defined by these two magic methods , Of course , It also includes undefined attributes .
Four 、__sleep() and __wakeup()
When we are executing serialize() and unserialize() when , These two functions will be called first . For example, when serializing an object , This object has a database link , Want to restore link state in deserialization , You can reconstruct these two functions to restore the link ,
What needs to be noted here is ,__sleep() You need to return an array , The array corresponds to the attribute name in the class . Generally speaking , They can clean up data before serialization , Or preprocess the data before deserialization . For example, close database connection before serialization or open database connection before deserialization .

<?php
class Connection 
{
    
 protected $link;
 private $server, $username, $password, $db;

 public function __construct($server, $username, $password, $db)
 {
    
  $this->server = $server;
  $this->username = $username;
  $this->password = $password;
  $this->db = $db;
  $this->connect();
 }

 private function connect()
 {
    
  $this->link = mysql_connect($this->server, $this->username, $this->password);
  mysql_select_db($this->db, $this->link);
 }

 public function __sleep()
 {
    
  return array('server', 'username', 'password', 'db');
 }

 public function __wakeup()
 {
    
  $this->connect();
 }
}
?>

5、 ... and 、__toString()
__toString() How to respond when a class is treated as a string . for example echo $obj; What should be shown . This method must return a string , Otherwise, a fatal error will occur .

<?php
class TestClass
{
    
 public function __toString() {
    
  return 'this is a object';
 }
}

$class = new TestClass();
echo $class;
?>

6、 ... and 、__clone()
This method is called when copying objects . We know that php in . $a For an object , $b= $a when . $b by $ a References to . When $a When there is a change . $b And it will change . So in order to make $b No change , We need to use $b=clone $a;
that , When $a Calling clone When , The engine will automatically call __clone() Method
7、 ... and 、Invoke
stay php This method in is used for , When using objects as methods . This method will be called .

class Invoke {
    
    public function __invoke()
    {
    
        echo 'I can run'.PHP_EOL;
    }
}
 
$invoke = new Invoke();
$invoke();

7、 ... and 、__set_state()
Before you know this method , You need to know var_export() function ,var_export() and var_dump() similar , Output a string representation of a variable . He and var_dump The difference is that its return result is legal
php Code . This code can be eval perform . Be careful ： This method is a static method , And in php5.1 The above version only supports .

Bypass __wakeup

One 、 Why bypass __wakeup
for instance

<?php
include 'flag.php';


error_reporting(0);


class Name{
    
    private $username = 'nonono';
    private $password = 'yesyes';

    public function __construct($username,$password){
    
        $this->username = $username;
        $this->password = $password;
    }

    function __wakeup(){
    
        $this->username = 'guest';
    }

    function __destruct(){
    
        if ($this->password != 100) {
    
            echo "</br>NO!!!hacker!!!</br>";
            echo "You name is: ";
            echo $this->username;echo "</br>";
            echo "You password is: ";
            echo $this->password;echo "</br>";
            die();
        }
        if ($this->username === 'admin') {
    
            global $flag;
            echo $flag;
        }else{
    
            echo "</br>hello my friend~~</br>sorry i can't give you the flag!";
            die();


        }
    }
}

We know __wakeup take username The value of is set to guest, The question needs to be admin, And according to __wake Characteristics of , In deserialization, it will be executed in advance , So you need to bypass
Two 、 Bypass method ： When the number of member attributes is greater than the actual number, you can bypass
Title source ：buuctf_php