Welcome back to Exploitnetworking! Today we'll look at an interesting writeup from the 35c3ctf CTF, for a challenge whose unserialize call permits an object injection.
The challenge gave us the vulnerable source code:
From the code we can see that to obtain the flag we need to trigger the __destruct function. Remember that this function is executed at the end of the script or during the normal destruction of the object, which can also happen after an error!
I created a simple PHP script to build a serialized array:
which gave me the following output:
The unserialize call in the vulnerable code takes the array and deserializes it: index zero is unserialized first, then index one, and so on.
If we remove the last semicolon, unserialize fails, and the __destruct method runs on all the objects unserialized up to that moment!
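The behaviour described above can be observed with a small script. This is an added example, not the challenge's code: the class `Demo`, the function `probe` and both payload strings are constructed for illustration. It counts destructor calls made inside `unserialize()` for a valid payload, for the same payload with its last semicolon removed, and for the malformed payload when `allowed_classes` is set to `false`, the option a defender uses to stop untrusted input from instantiating application classes.

```php
<?php
// Hypothetical class standing in for any class with a side effect in __destruct.
class Demo {
    public static $calls = 0;
    public function __destruct() { self::$calls++; }
}

// Constructed payloads: a two-element array whose element 0 is a Demo object.
$valid     = 'a:2:{i:0;O:4:"Demo":0:{}i:1;s:1:"x";}';
$truncated = 'a:2:{i:0;O:4:"Demo":0:{}i:1;s:1:"x"}';   // last semicolon removed

function probe(string $label, string $data, array $options = []): void {
    Demo::$calls = 0;
    // @ hides the notice/warning that a failed parse emits.
    $result = @unserialize($data, $options);
    // Read the counter now: $result is still alive, so any call counted here
    // happened inside unserialize() itself, not when $result goes out of scope.
    $duringCall = Demo::$calls;
    printf("%-34s parsed=%-3s destructors during call=%d\n",
        $label, $result !== false ? 'yes' : 'no', $duringCall);
}

// Element 0 is built before the parser reaches the malformed element 1.
probe('valid payload', $valid);
probe('last semicolon removed', $truncated);

// Hardened call: no application class is instantiated from the input, so
// there is no Demo object whose destructor could run when parsing fails.
probe('malformed, allowed_classes=false', $truncated, ['allowed_classes' => false]);
```

Run it with the PHP CLI (PHP 7.0 or later, where the `allowed_classes` option exists) and compare the three lines of output.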