> For the complete documentation index, see [llms.txt](https://100pingissues.gitbook.io/oswe/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://100pingissues.gitbook.io/oswe/pre-requisites-1/php-object-injection..md).

# Deserializations

### PHP Deserialization

Main thing you need to understand about Deserialization is that you can **control the properties of the object** created.

When the properties you have set are passed into magic methods, PHP object injection vulnerabilities occur. You can also reach **any class, and control the properties of that class**, if there is a vulnerability.

If there is a method being called from a property we can control such as: **$this->redis->close();** and as we change the redis property to other class object we can affectively call any close() method.&#x20;

## References

[**PayloadsAllTheThings \[ PHP Deserialization Cheat Sheet \]**](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Insecure%20Deserialization/PHP.md)

[**\[ Ippsec Youtube Video \]**](https://www.youtube.com/watch?v=HaW15aMzBUM)

[**HackTricks \[Deserialization\]**](https://book.hacktricks.xyz/pentesting-web/deserialization)
