Shulou(Shulou.com)06/01 Report--

This article mainly introduces the relevant knowledge of "how to use the GC recovery mechanism in PHP". The editor shows you the operation process through an actual case. The operation method is simple, fast and practical. I hope this article "how to use the GC recovery mechanism in PHP" can help you solve the problem.

Simple matting

Take a look at this simple serialization first, and be sure to think about it before you look at the answer.

A very simple deserialization, find a way to control the variable $rce can achieve the purpose of command execution.

Construct exp

If you finish reading the basics of serialization and deserialization that I wrote earlier, you can only say that this is very simple.

This is because the _ _ destruct () method can be used

What if that's the case?

First acquaintance of GC

PHP Garbage Collection referred to as GC, also known as garbage collection, in PHP use reference counting and collection cycle to automatically manage memory objects.

Garbage, as the name implies, is something that is useless. Here, it refers to some data or variables that are NULL or have no address (pointer) after performing certain operations. Once this kind of data is treated as garbage collection, it is equivalent to putting an end to the end of a program, then there will be no failure to call the _ _ destruct () method. If you want to know the details of the principle, you can look directly at PHP's official answer: PHP: recycling cycle (Collecting Cycles)-Manual

Then let's demonstrate the actual work of GC in code.

You can guess what the result will be.

Thank you for being surprised (although I already know the result), new has an errorr object, and the butt is destruct () before the ass is hot. The last two objects are created step by step and finished without operation. The difference is that object 1 has no reference or point, and is treated as garbage collection at the moment of creation, triggering the _ _ destruct () method.

If there is no point, what if you suddenly point to another in the middle of pointing to another object, that is, what happens if you abandon the object?

That's to be expected.

As you can see, it is normally created and finally destroyed.

Try a bull's knife

Now that you know how to use GC, let's look at an example.

Maybe this throw new Exception (); is a bit abrupt, which is actually a throw error that prevents _ _ destruct () from executing, and friends who have studied java or python should know.

This is also a pop chain, first analyze the purpose function, it seems that errorr2::flag (), push forward is errorr1::__toString () will trigger this function, and errorr0::__destruct () will trigger toString, clear the chain is constructed as: head-- > errorr0::__destruct ()-- > errorr1::__toString ()-- > errorr2::flag ()-- > tail.

The exp is:

There are many ways to construct this exp, according to your own preferences, you don't have to be like me.

That's it? Maybe some people are confused, if it's over, what I said before is farting, it's no different from pop, so of course it's not over. Without this sentence throw new Exception (); the construction is really finished, but if there is, _ _ destruct () will not be executed, and _ _ destruct () will not execute the chain at all, which is useless.

The point is, according to the GC collection mechanism mentioned earlier, you can treat a piece of data as garbage collection, so you can execute _ _ destruct (), and then there is a question-how to trigger the GC collection mechanism?! Do you remember the example I gave before? If nothing points to an object, that object will be treated as garbage collection. So, let's first look at the revised exp.

As you can see, a line of code has been added, that is,

C = array (0 = > $aline 1 = > NULL)

Errorr2 2: {errorr0 0: "err"; SAR10: "phpinfo ();";} iDrex 1; N;} iDrex 1

You can try it yourself. Explain this string of characters.

The first an is the array, and 2 is the key in the array with two I = 0 and I = 1

The point is, although there are two keys I = 0 corresponding to our target object, and I = 1 is NULL, if we do a bad thing at this time, change I should be equal to 1 to I = 0. Doesn't that point I = 0 to NULL? Then GC recycling is implemented. So at last we modified the string as follows:

Errorr2 2: {errorr0 0: "err"; SAR10: "phpinfo ();";} iRom 0x: n;} iRom 0tn;}

This is the end of the content on "how to use the GC recovery mechanism in PHP". Thank you for reading. If you want to know more about the industry, you can follow the industry information channel. The editor will update different knowledge points for you every day.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.