3v4l.org

run code in 200+ php & hhvm versions
<?php class foo { public function __wakeup() { echo 'exploited'; } } $userInput = serialize(new foo); echo $userInput; $serialisedStr = serialize([ $userInput, ]); unserialize($serialisedStr);
based on l0ERU
Output for 7.1.25 - 7.4.0beta2
O:3:"foo":0:{}