Deserialisation in PHP
Most of these exploits follow a path that leads to direct exploitability when unserialize() is called on attacker-controlled data. By controlling the object that is constructed and destroyed, the __construct or __destruct magic methods end up calling an attacker-controlled function. Alternatively, a slower path to exploitation might exist, where the object is only used later by the application, but a direct exploitation result is preferable, and it starts from the internal (magic) methods that are always called on deserialisation.
Research on __call (Added 2023-12-09)
As shown in https://fenrisk.com/publications/blogpost/2023/11/30/gadgets-chain-in-laravel/, an exploit chain can also go through the __call magic method, when a member variable holds an object on which a (non-existing) method is called.
The snippet below can trigger the __call method of the object stored in the member variable $this->duration (when copy() is not defined on that object). If that __call leads to a call_user_func or to a call on a variable, exploitation is possible.
    // destructor from the analysed code; $this->duration is an attacker-controlled member object
    public function __destruct() { $remaining = $this->duration->copy(); }
Research on destructors (Added 2023-11-29)
This code can be found in production code, and was spotted in WordPress.
VULNERABILITY: (Research) PHP destructor '__destruct' contains 'call_user_func' call on member variable. Useful for deserialisation gadgets. (104) 2_destructor_with_call_user_function.php::2122
The researcher will have to check if possibilities exist to call a useful function with a useful parameter.
Research on directly controlled variables
This code is sometimes used in examples or CTFs.
Deserialization is not automatically exploitable in PHP. It can become exploitable if the functionality allows code paths that were not foreseen, which happens when developers do not foresee that forged objects could be offered for deserialization.
    // attacker-controlled cookie value passed straight into unserialize()
    $sess_data = @unserialize($_COOKIE[$sess_cookie]);
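As an added example (not code from the original page or from the cited projects), the following puts the __destruct/call_user_func gadget pattern from the destructor section beside a hardened unserialize() wrapper for the cookie case above. The class ReportJob, its members and safeUnserialize() are hypothetical names; the payload is constructed in the script with a harmless callback.

```php
<?php
// Added example, not from the original page. Class and function names are hypothetical.

class ReportJob
{
    // Vulnerable pattern: a callable and its argument are stored in plain members,
    // so a forged serialized object controls both.
    public $callback = 'strtoupper';
    public $arg      = 'report';

    public function __destruct()
    {
        // Runs on every object teardown, including objects created by unserialize().
        echo "ReportJob::__destruct -> ", call_user_func($this->callback, $this->arg), "\n";
    }
}

// Hardened wrapper: only classes in $allowedClasses may be instantiated (default: none).
// Any other object in the payload becomes __PHP_Incomplete_Class, whose magic methods never run.
function safeUnserialize(string $data, array $allowedClasses = []): mixed
{
    return unserialize($data, ['allowed_classes' => $allowedClasses]);
}

// Constructed payload with the shape an attacker-controlled cookie would take.
// It is built with serialize() here; the callback is the harmless str_rot13.
$template = new ReportJob();
$template->callback = 'str_rot13';
$template->arg      = 'forged';
$payload = serialize($template);   // $template's own destructor fires at script end

echo "plain unserialize():\n";
$obj = unserialize($payload);      // ReportJob is instantiated without __construct running
unset($obj);                       // prints "ReportJob::__destruct -> sbetrq"

echo "safeUnserialize():\n";
$obj = safeUnserialize($payload);
echo get_class($obj), "\n";        // __PHP_Incomplete_Class: no ReportJob code is reached
unset($obj);                       // nothing is printed by a destructor
```

The allowed_classes option exists since PHP 7.0; for data that only needs to carry arrays and scalars, json_decode() avoids object instantiation entirely.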
Links
https://medium.com/swlh/exploiting-php-deserialization-56d71f03282a
https://fenrisk.com/publications/blogpost/2023/11/30/gadgets-chain-in-laravel/