Copied directly from my notes
1 Get the framework code directly with composer
➜ composer create-project --prefer-dist topthink/think tp5137
➜ cd tp5137
➜ vim composer.json # change "topthink/framework": "5.1.*" to "topthink/framework": "5.1.37"
➜ composer update
2 Deserialization entry points
- A deserialization point whose input is fully controllable, for example: unserialize(controllable variable)
- A file upload exists, the file name is fully controllable, and a file operation function is called on it, for example: file_exists('phar://malicious file')
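A defensive counterpart to the two entry points above, as an added example that is not part of the original notes: it shows that unserialize() with allowed_classes disabled never runs a class's magic methods, and that stream-wrapper paths can be rejected before a file function sees them. DemoCleanup, safe_unserialize() and assert_local_path() are hypothetical names, and the serialized input and the path are constructed samples.

```php
<?php
// Added example: hardening the two entry points listed in section 2.
// DemoCleanup, safe_unserialize() and assert_local_path() are hypothetical names.

// Constructed stand-in for a class whose destructor has side effects.
final class DemoCleanup
{
    public static int $destructed = 0;
    public string $file = '/tmp/demo.tmp';

    public function __destruct()
    {
        self::$destructed++;
    }
}

// Entry point 1: untrusted bytes must not instantiate application classes.
function safe_unserialize(string $data)
{
    // With allowed_classes => false every object becomes __PHP_Incomplete_Class,
    // so no __destruct, __toString or __call of a real class can run.
    return unserialize($data, ['allowed_classes' => false]);
}

// Entry point 2: refuse stream-wrapper paths (phar://, etc.) before file functions.
// If the application never needs phar, stream_wrapper_unregister('phar') also works.
function assert_local_path(string $path): string
{
    if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $path)) {
        throw new InvalidArgumentException('stream wrappers are not allowed in paths');
    }
    return $path;
}

// Constructed sample input: a serialized DemoCleanup object.
$payload = serialize(new DemoCleanup()); // the temporary object is destroyed here
$before  = DemoCleanup::$destructed;

$obj = safe_unserialize($payload);
echo 'incomplete class: ', var_export($obj instanceof __PHP_Incomplete_Class, true), PHP_EOL;
unset($obj);
echo 'destructor skipped: ', var_export(DemoCleanup::$destructed === $before, true), PHP_EOL;

try {
    file_exists(assert_local_path('phar://upload/avatar.jpg')); // constructed path
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```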
3 Deserialization chain
3.0 Given a deserialization point, look for a class with a __destruct method, which runs automatically when the object is destroyed
3.1 The __destruct method of the think\process\pipes\Windows class calls $this->removeFiles();
3.2 $this->removeFiles() calls file_exists($filename)
3.3 file_exists() expects a string parameter, so when $filename is an object, executing file_exists($filename) triggers that class's __toString()
3.4 Search globally for a usable __toString() and find think\model\concern\Conversion
__toString calls $this->toJson(), and toJson() calls json_encode($this->toArray(), $options);
3.5 Inside the Conversion class, $this->toArray() contains $relation->visible($name); $relation and $name both come from $this and are controllable
3.6 Look for classes with a visible method and classes with a __call method; this finds the think\Request class, whose __call executes array_unshift($args, $this);
call_user_func_array($this->hook[$method], $args);
The input method of the think\Request class is often a very useful gadget-chain link, since it amounts to call_user_func($filter, $data). But because array_unshift inserts the object at the start of the argument array, we need to find a function that calls the input method and whose first parameter is controllable, into which the Request object is passed
3.7 Find that $this->param calls the input method, then find that the isAjax and isPjax methods call $this->param with a controllable first parameter. The chain construction is complete