--TEST--
Bug #70219 Use after free vulnerability in session deserializer
--FILE--
<?php
// Regression test for bug #70219. A custom Serializable::unserialize() calls
// session_decode(), so the session deserializer is entered while an outer
// unserialize() call is still in progress. The test passes when the script
// runs to completion and both dumps below match --EXPECTF--.

// Use the php_serialize handler so that session data is read in the plain
// serialize() format, the same format the outer unserialize() call parses.
ini_set('session.serialize_handler', 'php_serialize');
session_start();

class obj implements Serializable {
    // Never assigned by unserialize() below; the expected output shows it as NULL.
    var $data;
    function serialize() {
        return serialize($this->data);
    }
    // Hands the embedded payload to session_decode() instead of restoring
    // $this->data. This nested decode is the code path the bug title refers to.
    function unserialize($data) {
        session_decode($data);
    }
}

// 'r:2;' is a serialize()-format back-reference to an earlier value slot.
// NOTE(review): which value slot 2 denotes during the nested session_decode()
// is not visible from this file; presumably the first obj of the outer array.
$inner = 'r:2;';
// Outer payload: a two-element array whose entries are both custom-serialized
// (C:3:"obj") objects carrying $inner, so obj::unserialize() runs for each.
$exploit = 'a:2:{i:0;C:3:"obj":'.strlen($inner).':{'.$inner.'}i:1;C:3:"obj":'.strlen($inner).':{'.$inner.'}}';

$data = unserialize($exploit);

// Allocate a few short strings after deserialization. Presumably this is meant
// to reuse any memory that was released too early, so that a dangling
// reference would show up as corrupted values in the dumps (TODO confirm).
for ($i = 0; $i < 5; $i++) {
    $v[$i] = 'hi'.$i;
}

// Both structures must still hold well-formed values on a fixed build.
var_dump($data);
var_dump($_SESSION);
?>
--EXPECTF--
array(2) {
  [0]=>
  &object(obj)#%d (1) {
    ["data"]=>
    NULL
  }
  [1]=>
  object(obj)#%d (1) {
    ["data"]=>
    NULL
  }
}
object(obj)#1 (1) {
  ["data"]=>
  NULL
}