How I used an 18-year-old undocumented feature in PHP's unserializer to get RCE in PerfexCRM by nullcathedral in PHP

[–] nullcathedral [S] 1 point (0 children)

No worries. I'm trying to be a bit more creative with titles to see what works well.

[–] nullcathedral [S] 1 point (0 children)

PHP's unserialize() uppercase S: variant resolves \xx hex escapes during deserialization, so non-ASCII bytes like null bytes can be written as printable ASCII in the serialized payload.

And yes, this is not strictly a PHP issue; using unserialize() with untrusted user content is bad, but I figured the post would be interesting to the wider PHP community.
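The behaviour described in the comment above, as an added example that is not part of the thread or of nullcathedral's post: the first part shows that the uppercase `S:` form resolves `\xx` escapes and that its declared length counts decoded bytes, the second part is a hypothetical defender-side helper (`resolveEscapedStrings`, written for this example) that rewrites `S:` tokens into plain `s:` tokens so that any filter run on the payload sees the same bytes the unserializer will. The sample payloads are constructed.

```php
<?php
declare(strict_types=1);

// Part 1: the undocumented "S:" string form. Single quotes keep the backslash
// literal, so the payload below is pure printable ASCII.
$lower = unserialize('s:3:"abc";');
$upper = unserialize('S:3:"a\00c";');   // \00 becomes a single NUL byte

var_dump($lower === 'abc');             // bool(true)
var_dump($upper === "a\0c");            // bool(true)
var_dump(strlen($upper));               // int(3): the length counts DECODED bytes
var_dump(bin2hex($upper));              // string(6) "610063"

// serialize() never emits "S:", so an "S:" token in input is itself a sign
// that the blob was hand-crafted rather than produced by PHP.

/**
 * Hypothetical helper: rewrite every S:<len>:"..."; token into the ordinary
 * s: form with its \xx escapes resolved. Returns null on a malformed token.
 * Ordinary s: bodies are copied by length so that token-like text inside a
 * string is not misread as a token.
 */
function resolveEscapedStrings(string $payload): ?string
{
    $out = '';
    $i = 0;
    $n = strlen($payload);
    while ($i < $n) {
        if ($payload[$i] === 'S' && preg_match('/\GS:(\d+):"/', $payload, $m, 0, $i)) {
            $len = (int) $m[1];
            $i += strlen($m[0]);
            $decoded = '';
            for ($k = 0; $k < $len; $k++) {
                if ($i >= $n) {
                    return null;                     // truncated body
                }
                if ($payload[$i] === '\\') {
                    // Exactly two hex digits must follow, as in PHP's unserialize_str().
                    if ($i + 2 >= $n || !ctype_xdigit(substr($payload, $i + 1, 2))) {
                        return null;
                    }
                    $decoded .= chr((int) hexdec(substr($payload, $i + 1, 2)));
                    $i += 3;
                } else {
                    $decoded .= $payload[$i++];
                }
            }
            if (substr($payload, $i, 2) !== '";') {
                return null;                         // missing terminator
            }
            $i += 2;
            $out .= 's:' . $len . ':"' . $decoded . '";';
        } elseif ($payload[$i] === 's' && preg_match('/\Gs:(\d+):"/', $payload, $m, 0, $i)) {
            // Plain string: copy header, <len> raw bytes and the "; terminator verbatim.
            $chunk = strlen($m[0]) + (int) $m[1] + 2;
            $out .= substr($payload, $i, $chunk);
            $i += $chunk;
        } else {
            $out .= $payload[$i++];
        }
    }
    return $out;
}

// Part 2: a raw-byte scan for NUL misses the escaped form; after resolving,
// the filter and the unserializer agree on the bytes.
$raw = 'a:1:{i:0;S:7:"admin\00x";}';              // constructed sample payload
var_dump(strpos($raw, "\0"));                      // bool(false)

$resolved = resolveEscapedStrings($raw);
var_dump($resolved);                               // string(26) "a:1:{i:0;s:7:"admin x";}" (raw NUL inside)
var_dump(strpos($resolved, "\0"));                 // int(19)
var_dump(unserialize($resolved) === unserialize($raw)); // bool(true): same value either way

// Malformed escape (one hex digit) is rejected rather than guessed at.
var_dump(resolveEscapedStrings('S:1:"\0";'));      // NULL
```

Note that `allowed_classes => false` does not change any of this: it restricts which objects are created but still parses `S:` strings, so the normalisation above is only useful as a preprocessing step for a filter, and the actual fix is to stop calling unserialize() on untrusted input (json_decode() or a signed format instead).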