00:50 - Background information, showing variables are point in time
03:40 - Creating a PHP Class and Object
05:40 - Serializing the Object and going over the format
07:40 - Converting the script to accept a PHP Object via WebRequest
09:20 - Explaining PHP Deserialization Gadgets
10:05 - Creating Attack.php in order to quickly generate PHP Objects
11:30 - Creating exploit.sh which will just send our malicious object to the webserver
12:45 - Going over PHP Magic Methods
13:15 - Adding the __toString class that we can create a gadget to get to in order to read files
15:00 - Adding the new class to our attack script and reading /etc/passwd
17:40 - Demonstrating "Class Path" by creating an __destruct() method in another PHP file and including it
19:00 - Adding the LogFile to our class path and using it to drop a file
20:00 - Didn't work! Our script errored and PHP never destroyed our object, so the code didn't run
21:00 - Moving the LogFile gadget to our isAdmin check, which works
21:35 - Demonstrating a way to do Fast Destruct, to immediately destroy the object... I hope I'm right, this may be wrong; read the PHPGGC source to see how it works
25:14 - Showing that if a function is called from another function's magic method, we can craft a gadget to reach it
25:41 - Adding the pwned function to attack. This is before we have a magic method call pwned, to demonstrate that you can't call just any function.
27:20 - Making ReadFile() call pwn when destroyed
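The steps above walk from serializing a harmless object to having a magic method fire on attacker-supplied bytes. The following is an added illustration of the same chain from the defender's side, not code from the video; it assumes PHP 7.3 or later and uses stand-in names (User, a LogFile whose __destruct() only prints, and a small check() helper).

```php
<?php
// Added illustration, not code from the video: the serialized format, the way an
// untrusted string reaches unserialize(), and the defender-side checks.

class User {
    public $name;
    public $isAdmin = false;
    public function __construct(string $name) { $this->name = $name; }
}

// Stand-in for the LogFile gadget from the video; the magic method only reports
// that it fired instead of writing a file.
class LogFile {
    public $path = '/tmp/app.log';
    public function __destruct() { echo "LogFile::__destruct() fired for {$this->path}\n"; }
}

function check(bool $cond, string $what): void {
    if (!$cond) { throw new RuntimeException("check failed: $what"); }
}

// Format: O:<namelen>:"<class>":<propcount>:{ s:<len>:"<key>"; <value>; ... }
// with s:<len>:"..." for strings and b:0/b:1 for booleans. Nothing is signed,
// so whoever controls the string controls the class name and every property.
$wire = serialize(new User('alice'));
check($wire === 'O:4:"User":2:{s:4:"name";s:5:"alice";s:7:"isAdmin";b:0;}', 'User format');

// Constructed stand-in for what a client could send in place of the real value.
$untrusted = 'O:7:"LogFile":1:{s:4:"path";s:9:"/tmp/evil";}';

// Unsafe: any loaded class can be built, and __destruct() runs when the object
// is released, which is exactly the path the video walks through.
$obj = unserialize($untrusted);
check($obj instanceof LogFile, 'unrestricted unserialize builds LogFile');
unset($obj);

// Mitigation 1 (PHP 7.0+): allow-list the classes unserialize() may build.
// A disallowed class comes back as __PHP_Incomplete_Class, whose methods never run.
$obj = unserialize($untrusted, ['allowed_classes' => ['User']]);
check($obj instanceof __PHP_Incomplete_Class, 'LogFile was not instantiated');

// Mitigation 2: do not ship objects at all; carry plain data as JSON.
$data = json_decode('{"name":"alice","isAdmin":false}', true, 512, JSON_THROW_ON_ERROR);
check($data['name'] === 'alice' && $data['isAdmin'] === false, 'json round trip');
echo "all checks passed\n";
```

Run it with `php` on the command line; the first unserialize() call prints the destructor line, the allow-listed call does not.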
Video: Intro to PHP Deserialization / Object Injection, by IppSec, added 21 December 2019.