Abusing deserialization
Exploiting deserialization relies on built-in methods, which execute automatically when an object is instantiated or destroyed. PHP, for example, provides several of these methods for every object:
- `__construct()`
- `__destruct()`
- `__toString()`
- `__wakeup()`
- …and more!
When a new object is instantiated, `__construct()` is called; when an object is destroyed or collected by the garbage collector, `__destruct()` is executed automatically. The `__toString()` method provides a way to represent the object as a string. This is different from serialization, as there is no `__fromString()` equivalent to read the data back. The `__wakeup()` method is executed when an object is deserialized and instantiated in memory.
PHP provides serialization capabilities via the `serialize()` and `unserialize()` functions. The output is a human-readable string that can be easily transferred over HTTP or other protocols. The string output describes the object, its properties, and the values...