Deserializations

Notes on Java, PHP and .NET deserialization (check the references first).

PHP Deserialization

The main thing to understand about deserialization is that whoever supplies the serialized data controls the properties of the object that gets created.

PHP object injection vulnerabilities occur when the properties you have set are passed into magic methods such as __wakeup() or __destruct(). Where such a vulnerability exists, you can also reach any loadable class, not just the one the application expected, and control its properties.

If a method is called on a property we control, such as $this->redis->close(), then by swapping the redis property for an object of another class we can effectively call any class's close() method.
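As an added example (not from the original page or from the referenced write-ups), here is the $this->redis->close() pattern as runnable PHP: a Session class whose destructor calls a method on a property, a second class with a close() of its own that unserialize() can be made to place in that property, and two hardened forms. The class names, file path and JSON field are hypothetical, the serialized input is constructed inside the script, and it assumes PHP 7.3 or later.

```php
<?php
// Added example (not from the original page): PHP object injection through a
// method call on an attacker-controlled property, next to two hardened forms.
// All class names, file paths and field names here are hypothetical.

// The intended dependency: a harmless connection wrapper with a close() method.
class RedisConn {
    public function close(): void { echo "redis connection closed\n"; }
}

// A "gadget": some other loadable class that also has a close() method, but
// with a dangerous side effect (writing a controlled string to a controlled path).
class FileLogger {
    public $path;
    public $buffer;
    public function close(): void {
        file_put_contents($this->path, $this->buffer);
    }
}

// The vulnerable class. __destruct() trusts that $redis is a RedisConn, but
// unserialize() lets the data decide which object sits in that property.
class Session {
    public $userId;
    public $redis;
    public function __construct() { $this->redis = new RedisConn(); }
    public function __destruct() { $this->redis->close(); }
}

// Constructed input standing in for a cookie or POST body. It is built with
// serialize() here only so the wire format is correct; note that $redis now
// holds a FileLogger, not a RedisConn.
$demoPath = sys_get_temp_dir() . '/object_injection_demo.txt';
$gadget = new FileLogger();
$gadget->path = $demoPath;
$gadget->buffer = "written by FileLogger::close()\n";
$s = new Session();
$s->redis = $gadget;
$untrusted = serialize($s);
$s->redis = new RedisConn();   // keep the local copy's destructor harmless
unset($s, $gadget);
echo $untrusted, "\n";
// O:7:"Session":2:{s:6:"userId";N;s:5:"redis";O:10:"FileLogger":2:{...}}

// Vulnerable: every class named in the payload is instantiated, and when the
// Session is released its destructor calls close() on whatever $redis holds.
function vulnerableRestore(string $data): void {
    $obj = unserialize($data);
    unset($obj);   // __destruct() -> FileLogger::close() -> file written
}

// Hardened 1: never instantiate classes from untrusted data. Every object in
// the payload becomes __PHP_Incomplete_Class, which has no __destruct() and
// no close(), so no gadget code runs.
function hardenedRestore(string $data) {
    return unserialize($data, ['allowed_classes' => false]);
}

// Hardened 2: do not pass serialized objects across a trust boundary at all.
// Carry plain data (JSON), validate it, and rebuild trusted objects in code so
// $redis can only ever be the RedisConn the constructor assigns.
function restoreFromJson(string $json): Session {
    $fields = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
    $s = new Session();
    $s->userId = (int) ($fields['userId'] ?? 0);
    return $s;
}

@unlink($demoPath);
vulnerableRestore($untrusted);
var_dump(file_exists($demoPath));                   // bool(true): gadget ran
@unlink($demoPath);

$safe = hardenedRestore($untrusted);
var_dump($safe instanceof __PHP_Incomplete_Class);  // bool(true)
var_dump(file_exists($demoPath));                   // bool(false): nothing ran

$fromJson = restoreFromJson('{"userId": 42}');
var_dump($fromJson->redis instanceof RedisConn);    // bool(true)
```

Run it with the php CLI. The printed serialized string is exactly the part an attacker controls: the class name after O: and every property value. Passing a list of class names to allowed_classes instead of false is a weaker middle ground, because any __wakeup() or __destruct() on a permitted class still runs with attacker-chosen properties; for untrusted input the JSON route removes the object-instantiation step entirely.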

References

PayloadsAllTheThings: PHP Deserialization Cheat Sheet

IppSec YouTube video

HackTricks: Deserialization
