| Server IP : 79.136.114.73 / Your IP : 216.73.216.238 Web Server : Apache/2.4.7 (Ubuntu) PHP/5.5.9-1ubuntu4.29 OpenSSL/1.0.1f System : Linux b8009 3.13.0-170-generic #220-Ubuntu SMP Thu May 9 12:40:49 UTC 2019 x86_64 User : www-data ( 33) PHP Version : 5.5.9-1ubuntu4.29 Disable Function : pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority, MySQL : ON | cURL : ON | WGET : ON | Perl : ON | Python : ON | Sudo : ON | Pkexec : ON Directory : /proc/self/root/home/b8009/php-5.6.22/ext/standard/tests/serialize/ |
Upload File : |
--TEST--
Bug #70219 Use after free vulnerability in session deserializer
--SKIPIF--
<?php include __DIR__ . '/../../../session/tests/skipif.inc'; ?>
--FILE--
<?php
ini_set('session.serialize_handler', 'php_serialize');
session_start();
class obj implements Serializable {
var $data;
function serialize() {
return serialize($this->data);
}
function unserialize($data) {
session_decode($data);
}
}
$inner = 'r:2;';
$exploit = 'a:2:{i:0;C:3:"obj":'.strlen($inner).':{'.$inner.'}i:1;C:3:"obj":'.strlen($inner).':{'.$inner.'}}';
$data = unserialize($exploit);
for ($i = 0; $i < 5; $i++) {
$v[$i] = 'hi'.$i;
}
var_dump($data);
var_dump($_SESSION);
?>
--EXPECTF--
array(2) {
[0]=>
&object(obj)#%d (1) {
["data"]=>
NULL
}
[1]=>
object(obj)#%d (1) {
["data"]=>
NULL
}
}
object(obj)#1 (1) {
["data"]=>
NULL
}