--TEST--
Bug #70219 Use after free vulnerability in session deserializer
--SKIPIF--
<?php
if (!extension_loaded("session")) {
    die("skip Session module not loaded");
}
?>
--FILE--
<?php
// Regression test for bug #70219: session_decode() is invoked from inside
// Serializable::unserialize() while the outer unserialize() call is still
// running. The test passes when the script finishes without crashing and the
// two dumps below match --EXPECTF-- exactly.
ini_set('session.serialize_handler', 'php_serialize');
session_start();

// Serializable wrapper whose unserialize() hands the payload to the session
// decoder instead of restoring $data itself, so $data stays NULL afterwards.
class obj implements Serializable {
    public $data;

    function serialize() {
        return serialize($this->data);
    }

    function unserialize($data) {
        session_decode($data);
    }
}

// Two "C:" custom-serialized entries, each carrying a back-reference (r:2;).
$ref = 'r:2;';
$payload = sprintf(
    'a:2:{i:0;C:3:"obj":%d:{%s}i:1;C:3:"obj":%d:{%s}}',
    strlen($ref), $ref, strlen($ref), $ref
);

$decoded = unserialize($payload);

// A few small allocations after decoding; presumably here so that memory
// released during the nested decode would be reused and a stale reference
// become observable — confirm against the original report before changing.
for ($n = 0; $n < 5; $n++) {
    $filler[$n] = 'hi' . $n;
}

var_dump($decoded);
var_dump($_SESSION);
?>
--EXPECTF--
array(2) {
  [0]=>
  object(obj)#%d (1) {
    ["data"]=>
    NULL
  }
  [1]=>
  object(obj)#%d (1) {
    ["data"]=>
    NULL
  }
}
object(obj)#1 (1) {
  ["data"]=>
  NULL
}