search

Insecure Deserialization

hashtag
PHP

LogoPage not found - HackTricksbook.hacktricks.xyzchevron-right

You can use phpggc to generate payloads.

LogoGitHub - ambionics/phpggc: PHPGGC is a library of PHP unserialize() payloads along with a tool to generate them, from command line or programmatically.GitHubchevron-right

hashtag
Deserialization via PHAR archive

https://i.blackhat.com/us-18/Thu-August-9/us-18-Thomas-Its-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-Know-It.pdfarrow-up-right

If you can upload a file that is a valid PHAR:

  • Phar file

  • Tar file

  • Zip file

  • Image polyglot

Then if that file is opened with the phar:// protocol, then insecure deserialization can occur.

So basically, to execute the attack, you need two things:

  1. Uploaded valid phar archive with malicious content

  2. Injection into a filesystem call, where you can specify the phar:// protocol and open up the archive

PreviousUnrestricted File UploadNextCommand Injection

Last updated