--TEST--
GHSA-h35g-vwh6-m678 (mysqlnd leaks partial content of the heap - tabular default)
--EXTENSIONS--
mysqli
--FILE--
<?php
// Regression test for GHSA-h35g-vwh6-m678. A scripted fake server answers a
// query with a column definition that carries a "default" value, and the
// expected output below requires mysqlnd to reject that packet with a
// protocol-error warning instead of returning a result set.
require_once 'fake_server.inc';

// Loopback endpoint of the fake server. The host and user name also appear,
// hex-encoded, in the client handshake packet logged under --EXPECTF--, so
// changing them here means regenerating that line.
$host = '127.0.0.1';
$port = 33305;
$user = 'root';
$pass = '';

// Start the 'tabular_response_def_over_read' scenario before connecting.
// NOTE(review): wait() presumably blocks until the server is listening; it is
// defined in fake_server.inc, which is not shown here.
$server = run_fake_server_in_background('tabular_response_def_over_read', $port);
$server->wait();

// Empty string as the database argument: no default schema is selected.
$link = new mysqli($host, $user, $pass, '', $port);

echo "[*] Running query on the fake server...\n";

// The query text is logged in hex by the fake server ("Received: 14000000 03 ...")
// and must stay byte-identical to match the expected output.
$rows = $link->query("SELECT * from users");

// The expected output contains no var_dump() output, so on a fixed build the
// query must fail and this branch is skipped. If a build accepts the response,
// the rows and the first column's "def" property are dumped and the EXPECTF
// comparison fails; going by the test title, "def" is where over-read heap
// bytes would show up.
if ($rows) {
    $fields = $rows->fetch_fields();
    var_dump($rows->fetch_all(MYSQLI_ASSOC));
    var_dump(get_object_vars($fields[0])["def"]);
}

$link->close();

$server->terminate();

print "done!";
?>
--EXPECTF--
[*] Server started
[*] Connection established
[*] Sending - Server Greeting: 580000000a352e352e352d31302e352e31382d4d6172696144420003000000473e3f6047257c6700fef7080200ff81150000000000000f0000006c6b55463f49335f686c6431006d7973716c5f6e61746976655f70617373776f7264
[*] Received: 6900000185a21a00000000c0080000000000000000000000000000000000000000000000726f6f7400006d7973716c5f6e61746976655f70617373776f7264002c0c5f636c69656e745f6e616d65076d7973716c6e640c5f7365727665725f686f7374093132372e302e302e31
[*] Sending - Server OK: 0700000200000002000000
[*] Running query on the fake server...
[*] Received: 140000000353454c454354202a2066726f6d207573657273
[*] Sending - Malicious Tabular Response [Extract heap through buffer over-read]: 01000001011e0000020164016401640164016401640c3f000b000000030350000000fd000001aa05000003fe00002200040000040135017405000005fe00002200

Warning: mysqli::query(): Protocol error. Server sent default for unsupported field list (mysqlnd_wireprotocol.c:%d) in %s on line %d
done!