fuzz php function parameters
// Fuzz-harness template, not standalone PHP: the driver script substitutes an
// integer for each printf-style placeholder in fuzz() before running the
// result with `php -r`. Keep any other percent sign out of this file, comments
// included, or the substitution step will fail.
// NOTE(review): the private properties only give the object passed to the
// function under test a populated shape; the $info keys look like the fields
// reported by curl_getinfo() -- confirm where the layout was taken from.
class A{
private $client;
private $info = [
'url' => '',
'content_type' => '',
'http_code' => 0,
'header_size' => 0,
'request_size' => 0,
'filetime' => -1,
'ssl_verify_result' => 0,
'redirect_count' => 0,
'total_time' => 5.3E-5,
'namelookup_time' => 0.0,
'connect_time' => 0.0,
'pretransfer_time' => 0.0,
'size_upload' => 0.0,
'size_download' => 0.0,
'speed_download' => 0.0,
'speed_upload' => 0.0,
'download_content_length' => -1.0,
'upload_content_length' => -1.0,
'starttransfer_time' => 0.0,
'redirect_time' => 0.0,
'redirect_url' => '',
'primary_ip' => '',
'certinfo' => [],
'primary_port' => 0,
'local_ip' => '',
'local_port' => 0,
'http_version' => 0,
'protocol' => 0,
'ssl_verifyresult' => 0,
'scheme' => '',
];
private $withHeaderOut = false;
private $withFileTime = false;
private $urlInfo;
private $postData;
private $infile;
private $infileSize = PHP_INT_MAX;
private $outputStream;
private $proxyType;
private $proxy;
private $proxyPort = 1080;
private $proxyUsername;
private $proxyPassword;
private $clientOptions = [];
private $followLocation = false;
private $autoReferer = false;
private $maxRedirects;
private $withHeader = false;
private $nobody = false;
/** @var callable */
private $headerFunction;
/** @var callable */
private $readFunction;
/** @var callable */
private $writeFunction;
/** @var callable */
private $progressFunction;
private $returnTransfer = false;
private $method = '';
private $headers = [];
private $transfer;
private $errCode = 0;
private $errMsg = '';
private $failOnError = false;
private $closed = false;
// Picks one internal function by index, prints its name so the harness output
// identifies it, then calls it with this object, a string and an integer.
// Both placeholders receive the same index from the driver.
function fuzz(){
// Names of the functions built into this PHP binary and its loaded extensions
$funcs = get_defined_functions()['internal'];
//$length = count($funcs);
//echo($length);
echo $funcs[%d];
$funcs[%d]($this, "123444", 1234);
}
}
// Entry point of the template: build the object and make the single call.
// The object stays bound to $a while the function under test runs.
$a = new A();
$a->fuzz();
#!/usr/bin/env python3
import subprocess
import re
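# Harness: instantiate the PHP template once per internal-function index and
# report every run whose stderr is not one of the expected argument errors.
# The template is filled in with %-formatting, so it must contain exactly two
# "%d" fields and no other "%" character.
# NOTE(review): every internal function of the local PHP build is really
# invoked; run this inside a throwaway container or VM, because a call that
# gets past argument checking can have side effects on the host.
with open("9test.php") as f:
    php = f.read()

# Messages PHP emits when it rejects the arguments before doing any work.
expected = re.compile(
    b"expects exactly|expects at most|expects at least|to be resource|parameter 1 to be|Object of class A could not be converted to string"
)

# The number of internal functions depends on the PHP build and its loaded
# extensions; ask the interpreter and fall back to the original constant.
try:
    probe = subprocess.run(
        ["php", "-r", "echo count(get_defined_functions()['internal']);"],
        capture_output=True,
        timeout=30,
    )
    total = int(probe.stdout.strip())
except (OSError, ValueError, subprocess.TimeoutExpired):
    total = 1703

for i in range(total):
    tmp = php % (i, i)
    try:
        res = subprocess.run(["php", "-r", tmp], capture_output=True, timeout=30)
    except subprocess.TimeoutExpired as exc:
        # A function that blocks (waits for input, sleeps, loops) must not
        # stall the whole run; record it and move on.
        print("index %d: timed out" % i)
        print(exc.stdout)
        print(exc.stderr)
        continue
    stdout = res.stdout
    stderr = res.stderr
    # On POSIX a negative return code means php was killed by a signal, which
    # is worth reporting even when stderr also holds an expected message.
    if res.returncode < 0 or not expected.search(stderr):
        print("index %d: exit status %d" % (i, res.returncode))
        print(stdout)
        print(stderr)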