object(a)#1 (2) { ["name"]=> string(24) "abc";s:6:"number";s:26:"" ["number"]=> string(3) "666" } <?php 
// // 目标:多逃逸一个属性age=25;
// 过滤单个
// class a{
//     public $name="abcpppppppppppppppppppp";
//     public $number=';s:3:"age";i:25;}';
    
// }
// $data=serialize(new a());
// $data=str_replace("p","",$data);
// var_dump(unserialize($data));
// echo strlen('";s:6:"number";s:xx:');
// 过滤多个
// Demonstration class for the "property escape" caused by filtering a serialized
// string after serialize() has already written its length prefixes.
class a
{
    // The value is padded with a token ("php") that the filter below removes.
    // serialize() records this property as s:24:, and that prefix is NOT
    // recalculated after the filter runs, so the parser keeps reading 24 bytes
    // past the real end of the shortened value and into the next property.
    public $name = "abcphpphpphpphpphpphpphp";

    // Text shaped like the tail of a serialized object. Because of the length
    // mismatch above, the parser consumes the beginning of this string as the
    // rest of $name and then takes the embedded "number" entry as the real
    // property value (the var_dump at the top of the file shows the result).
    //   ";s:3:"age";i:25;}  would instead add a new property age;
    //   ";s:6:"number";s:3:"666";}  sets the original property number to 666.
    public $number = '";s:6:"number";s:3:"666";}';
}
// Serialize first, then strip every "php" token from the *already serialized*
// text. The s:24: length prefix written by serialize() is left untouched, which
// is exactly what makes the following unserialize() misparse the object.
$data = str_replace("php", "", serialize(new a()));

// NOTE(review): unserialize() on data that was modified after serialization is
// the root cause here. Do not run string filters over serialized payloads; apply
// any filtering to the values before serializing, prefer JSON for data exchange,
// and where the payload crosses a trust boundary verify an integrity check
// (e.g. an HMAC over the serialized bytes) before calling unserialize().
var_dump(unserialize($data));

// Render this script's own source after the dump.
highlight_file(__FILE__);
?>