--TEST--
Bug #70219 Use after free vulnerability in session deserializer
--EXTENSIONS--
session
--FILE--
<?php
// Regression test: a Serializable::unserialize() callback re-enters the
// deserializer through session_decode() while the outer unserialize() call is
// still running. The test passes when the dumps below match --EXPECTF--.

// With php_serialize, session data uses the same wire format as
// serialize()/unserialize(), so session_decode() parses the payload below.
ini_set('session.serialize_handler', 'php_serialize');
session_start();

// Uses the deprecated Serializable interface on purpose; that is why
// --EXPECTF-- begins with a deprecation notice.
class obj implements Serializable {
    var $data;
    function serialize() {
        return serialize($this->data);
    }
    // Invoked by unserialize() for every C:3:"obj" entry. It never assigns
    // $this->data (the expected output shows NULL); it only hands the embedded
    // payload to session_decode().
    function unserialize($data) {
        session_decode($data);
    }
}

// 'r:2;' is a serialized back-reference to slot 2 rather than a value.
// NOTE(review): which value slot 2 resolves to inside the nested
// session_decode() call is not visible here; confirm against the bug report.
$inner = 'r:2;';
// Two-element array whose entries are both custom-serialized (C:) obj
// instances; strlen($inner) supplies the payload length field of each entry.
$exploit = 'a:2:{i:0;C:3:"obj":'.strlen($inner).':{'.$inner.'}i:1;C:3:"obj":'.strlen($inner).':{'.$inner.'}}';

$data = unserialize($exploit);

// Allocates five short strings after decoding. Presumably this is meant to
// reuse memory released during deserialization, so that a dangling reference
// would change the dumps below; verify against the original report.
for ($i = 0; $i < 5; $i++) {
    $v[$i] = 'hi'.$i;
}

// Expected: both array entries are obj instances with NULL data, and
// $_SESSION dumps as object #1.
var_dump($data);
var_dump($_SESSION);
?>
--EXPECTF--
Deprecated: %s implements the Serializable interface, which is deprecated. Implement __serialize() and __unserialize() instead (or in addition, if support for old PHP versions is necessary) in %s on line %d
array(2) {
  [0]=>
  object(obj)#%d (1) {
    ["data"]=>
    NULL
  }
  [1]=>
  object(obj)#%d (1) {
    ["data"]=>
    NULL
  }
}
object(obj)#1 (1) {
  ["data"]=>
  NULL
}