Insecure Deserialization

PHP

You can use phpggc to generate payloads.

Deserialization via PHAR archive

https://i.blackhat.com/us-18/Thu-August-9/us-18-Thomas-Its-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-Know-It.pdf

If you can upload a file that is a valid PHAR, which may take any of the following forms:

  • Phar file

  • Tar file

  • Zip file

  • Image polyglot

If that file is later opened through the phar:// stream wrapper, its serialized metadata is unserialized and insecure deserialization can occur.

So basically, to execute the attack, you need two things:

  1. An uploaded, valid PHAR archive with malicious content

  2. An injection into a filesystem call, where you can specify the phar:// protocol and open the archive
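The filesystem-call side of this, as an added PHP example that is not from the original page: a user-controlled path reaching file_exists(), beside a hardened version that rejects stream wrappers and confines the path to an upload directory (UPLOAD_ROOT and the function names are assumed).

```php
<?php
// Added example (not from the original page): a user-controlled path reaching a
// filesystem call, and a hardened version that refuses stream wrappers such as
// phar:// and confines the path to an allowed directory.
declare(strict_types=1);

// If the application never needs phar://, drop the wrapper process-wide so no
// filesystem call can be redirected into an uploaded archive.
if (in_array('phar', stream_get_wrappers(), true)) {
    stream_wrapper_unregister('phar');
}

// Vulnerable pattern: a "harmless" existence check on attacker-controlled input.
// Before PHP 8.0, opening an archive via phar:// unserializes its metadata here.
function thumbnailExistsVulnerable(string $userPath): bool
{
    return file_exists($userPath); // phar://... paths reach this call unchanged
}

// Hypothetical upload root; adjust for the real deployment.
const UPLOAD_ROOT = '/var/www/uploads';

// Hardened: reject scheme-like prefixes, resolve the real path, and require the
// result to stay inside UPLOAD_ROOT. Returns null for anything that is rejected.
function safeUploadPath(string $userPath): ?string
{
    // Refuse anything that looks like a wrapper ("phar://", "php://", "data:").
    if (preg_match('#^[a-z0-9+.\-]+:#i', $userPath)) {
        return null;
    }
    // Refuse NUL bytes, which can truncate the path in the underlying C call.
    if (strpos($userPath, "\0") !== false) {
        return null;
    }
    $root = realpath(UPLOAD_ROOT);
    $real = realpath(UPLOAD_ROOT . '/' . basename($userPath));
    if ($root === false || $real === false) {
        return null;
    }
    // realpath() follows symlinks, so confirm the resolved path is under the root.
    if (strncmp($real, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $real;
}

function thumbnailExistsHardened(string $userPath): bool
{
    $path = safeUploadPath($userPath);
    return $path !== null && is_file($path);
}

// Constructed inputs: the wrapper is rejected, the traversal is stripped by basename().
var_dump(thumbnailExistsHardened('phar://../uploads/evil.jpg/x')); // bool(false)
var_dump(thumbnailExistsHardened('../../etc/passwd'));            // bool(false)
```

Since PHP 8.0, Phar metadata is no longer unserialized automatically when an archive is opened through phar://; it is only unserialized when Phar::getMetadata() is called, which narrows but does not remove the need for path validation on older code.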
