--TEST--
Bug #70219 Use after free vulnerability in session deserializer
--FILE--
<?php
// Regression test for bug #70219. A crafted serialized string makes
// unserialize() call obj::unserialize(), which runs session_decode() on the
// embedded bytes while the outer unserialize() is still in progress. The test
// passes when the final var_dump() matches --EXPECTF--, i.e. element 1 is an
// empty array.
//
// The "C:" record is what hands control to the class hook; callers that
// unserialize untrusted input can restrict this with the allowed_classes
// option of unserialize().
//
// NOTE(review): the script calls session_start()/session_decode() but the
// file has no --SKIPIF-- or --EXTENSIONS-- section, so without ext/session
// it would fail instead of being skipped.
// NOTE(review): Serializable without __serialize()/__unserialize() is
// deprecated as of PHP 8.1; the notice would presumably land ahead of the
// expected output on such builds - confirm the target branch.

/**
 * Minimal Serializable implementation whose unserialize() hook re-enters
 * the session deserializer with the body of the "C:" record.
 */
class obj implements Serializable {
    // Read only by serialize(); unserialize() never assigns it, which is why
    // the expected output shows ["data"] as NULL.
    var $data;
    /** Returns the serialized form of $this->data; nothing in this script serializes an obj. */
    function serialize() {
        return serialize($this->data);
    }
    /**
     * Starts a session and passes the raw record body to session_decode().
     *
     * @param string $data Body of the "C:" record (here: the $inner string).
     */
    function unserialize($data) {
        session_start();
        session_decode($data);
    }
}

// Session-format fragment: name "ryat", then a nested array that is cut off
// after the key "i:1;" (no value, no closing braces). The truncation is what
// makes session_decode() fail with the warning listed in --EXPECTF--.
$inner = 'ryat|a:1:{i:0;a:1:{i:1;';
// Outer array of two elements: element 0 is a custom-serialized obj carrying
// $inner; element 1 is "R:4", a reference to an earlier parsed value rather
// than a value of its own.
// NOTE(review): presumably slot 4 is created inside the nested
// session_decode() call and released when the failed decode destroys the
// session, which would leave element 1 pointing at freed memory on unfixed
// builds - confirm against the bug report.
$exploit = 'a:2:{i:0;C:3:"obj":'.strlen($inner).':{'.$inner.'}i:1;R:4;}';

// Runs the chain described above; the result is kept so that it is dumped
// only after the allocations below.
$data = unserialize($exploit);

// Five small string allocations into $v, which is never read afterwards.
// NOTE(review): presumably there so that memory released during the failed
// decode gets reused, making a dangling reference visible as unexpected
// content in the dump instead of going unnoticed.
for ($i = 0; $i < 5; $i++) {
    $v[$i] = 'hi'.$i;
}

// Expected: element 0 is an obj whose data is NULL and element 1 is an empty
// array, exactly as listed in --EXPECTF--.
var_dump($data);
?>
--EXPECTF--
Warning: session_decode(): Failed to decode session object. Session has been destroyed in %s on line %d
array(2) {
  [0]=>
  object(obj)#%d (1) {
    ["data"]=>
    NULL
  }
  [1]=>
  array(0) {
  }
}