# Deserializations

### PHP Deserialization

The main thing to understand about deserialization is that you can **control the properties of the object** that gets created.

PHP object injection vulnerabilities occur when the properties you have set are passed into magic methods. If there is a vulnerability, you can also reach **any class and control the properties of that class**.

If a method is called on a property we control, such as `$this->redis->close();`, then by changing the `redis` property to an object of another class we can effectively call any `close()` method.
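
The `$this->redis->close()` pattern above and two ways to defuse it, as an added example that is not from the original notes or the referenced projects. The class names `RedisClient`, `TempFile`, `Session` and `SafeSession` and the serialized string are constructed for illustration.

```php
<?php
// Added example: all classes and the input string are constructed for this demo.
$calls = [];

class RedisClient {
    public function close(): void { $GLOBALS['calls'][] = 'RedisClient::close'; }
}
class TempFile {                       // unrelated class that also has close()
    public $path = '/tmp/constructed-demo';
    public function close(): void { $GLOBALS['calls'][] = "TempFile::close({$this->path})"; }
}
class Session {                        // the pattern from the text
    public $redis;
    public function __destruct() { $this->redis->close(); }
}
class SafeSession {                    // same shape, but checks the type first
    public $redis;
    public function __destruct() {
        if ($this->redis instanceof RedisClient) { $this->redis->close(); }
    }
}

// Constructed input: a Session whose redis property holds a TempFile.
$blob = 'O:7:"Session":1:{s:5:"redis";O:8:"TempFile":1:{s:4:"path";s:21:"/tmp/constructed-demo";}}';

// 1) Unrestricted unserialize(): the input picks the class of $redis,
//    so the destructor ends up calling TempFile::close().
$obj = unserialize($blob);
unset($obj);
echo "unrestricted:          ", implode(', ', $calls), "\n";

// 2) allowed_classes => false: nothing is instantiated, every object becomes
//    __PHP_Incomplete_Class and no destructor of ours runs.
$calls = [];
$obj = unserialize($blob, ['allowed_classes' => false]);
echo "allowed_classes=false: ", get_class($obj), " calls=", count($calls), "\n";
unset($obj);

// 3) Allowlist plus a type check: TempFile is not on the list, so $redis is
//    an incomplete object and the instanceof guard skips the call.
$calls = [];
$safe = str_replace('O:7:"Session"', 'O:11:"SafeSession"', $blob);
$obj = unserialize($safe, ['allowed_classes' => [SafeSession::class, RedisClient::class]]);
unset($obj);
echo "allowlist+instanceof:  calls=", count($calls), "\n";
```

Where the data does not need to carry objects at all, `json_decode()` avoids class instantiation entirely.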

## References

[**PayloadsAllTheThings \[ PHP Deserialization Cheat Sheet \]**](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Insecure%20Deserialization/PHP.md)

[**\[ Ippsec Youtube Video \]**](https://www.youtube.com/watch?v=HaW15aMzBUM)

[**HackTricks \[Deserialization\]**](https://book.hacktricks.xyz/pentesting-web/deserialization)
