I don’t agree about your format for the exploit. I think it will look more like this:
Because the patched code is specifically looking at $key, which in your example is page['#payload'], which doesn’t meet the logic criteria of $key === '#'… Therefore, it can’t be in the format you suggested.
Please correct me if I’m wrong!
Also, GreySec have a thread going on this at the moment: https://greysec.net/member.php?action=register&referrer=2630