nyx/tests/dynamic_fixtures/deserialize/php/vuln.php

<?php
// Phase 03 (Track J.1) — PHP deserialize vuln fixture.
//
// `unserialize` without `allowed_classes` will materialise any
// `O:N:"ClassName":` blob the attacker sends, triggering `__wakeup`
// / `__destruct` chains.
function run(string $blob) {
    return unserialize($blob);
}
[pitboss] phase 03: Track J.1 + Track L.1 — `DESERIALIZE` corpus + Java/Python/PHP/Ruby adapters 2026-05-17 16:37:20 -05:00			`<?php`
			`// Phase 03 (Track J.1) — PHP deserialize vuln fixture.`
			`//`
			// `unserialize` without `allowed_classes` will materialise any
			// `O:N:"ClassName":` blob the attacker sends, triggering `__wakeup`
			// / `__destruct` chains.
			`function run(string $blob) {`
			`return unserialize($blob);`
			`}`