Brief Notes on Unserialize Vulnerabilities and __toString

Recently I ran into a PHP unserialize vulnerability on a production site (yes, those still exist). A base64 encoded cookie was unserialized, leading to a critical vulnerability due to the presence of a large library of useful classes on the site. I was able to verify the presence of this vulnerability because one member of the unserialized object was written to the page. This meant that in addition to being interested in classes with interesting __destruct functions I could also investigate objects with interesting __toString functions. Luckily PHP has a handy one of these built in: Exception. Inserting an Exception object into the serialized string led to the call stack being printed in the page source. The following snippet demonstrates what this looks like.

<?php
function func()
{
	// Build an Exception from a serialized string; no constructor runs, so
	// the trace is captured at the unserialize() call site.
	$exception = unserialize('O:9:"Exception":0:{}');
	// String conversion invokes Exception::__toString, which prints the trace.
	echo $exception . "\n";
}

func();
?>

This code results in something like

Exception in /home/alkali/hacking/unserial.php:5
Stack trace:
#0 /home/alkali/hacking/unserial.php(5): unserialize('O:9:"Exception"...')
#1 /home/alkali/hacking/unserial.php(9): func()
#2 {main}

Here it isn't very thrilling, but in the wild it can reveal sensitive filesystem info as well as what types of PHP libraries are available to be leveraged into more dangerous exploits that delete files, perform arbitrary writes, and execute code. Good luck.
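The cookie pattern described above, shown with the fix beside it, as an added example that is not code from the original post. The cookie layout, the field names and the HMAC key are assumptions made for the demo; the serialized Exception is the same payload the post uses.

```php
<?php
// Added example (not from the original post): the vulnerable cookie handling
// the post describes, next to two hardened versions. Field names, cookie
// layout and the HMAC key below are assumptions for this demo.

// A serialized "session" as an application might store it in a cookie, and a
// constructed tampered variant that replaces the displayed field with an
// Exception object (the same payload the post uses).
$legit    = base64_encode(serialize(['user' => 'alice', 'theme' => 'dark']));
$poisoned = base64_encode('a:2:{s:4:"user";O:9:"Exception":0:{}s:5:"theme";s:4:"dark";}');

// 1. The vulnerable pattern: unserialize() straight off the cookie, then echo
//    a member. Any class on the include path may be instantiated, and string
//    conversion of an object calls its __toString (a stack trace for Exception).
function renderUnsafe(string $cookie): string
{
    $data = unserialize(base64_decode($cookie));
    return 'Hello ' . $data['user'];
}

// 2. Hardened: refuse objects entirely. With allowed_classes => false every
//    object in the payload becomes __PHP_Incomplete_Class, so neither the
//    __toString nor the __destruct of a real class can be reached. The shape
//    check keeps an incomplete object from ever hitting string conversion.
function renderNoObjects(string $cookie): string
{
    $data = unserialize(base64_decode($cookie), ['allowed_classes' => false]);
    if (!is_array($data) || !is_string($data['user'] ?? null)) {
        return 'Hello guest';   // unexpected shape: treat as untrusted
    }
    return 'Hello ' . $data['user'];
}

// 3. Preferable: do not unserialize untrusted input at all. Carry the payload
//    as JSON (which never instantiates classes) and sign it with an HMAC so a
//    modified cookie is rejected before it is parsed.
const COOKIE_KEY = 'replace-with-a-random-server-side-secret';   // assumption for the demo

function issueCookie(array $session): string
{
    $payload = base64_encode(json_encode($session));
    return $payload . '.' . hash_hmac('sha256', $payload, COOKIE_KEY);
}

function renderSigned(string $cookie): string
{
    [$payload, $mac] = array_pad(explode('.', $cookie, 2), 2, '');
    // Constant-time comparison; a missing or wrong tag fails closed.
    if (!hash_equals(hash_hmac('sha256', $payload, COOKIE_KEY), $mac)) {
        return 'Hello guest';
    }
    $data = json_decode(base64_decode($payload), true);
    return 'Hello ' . ($data['user'] ?? 'guest');
}

echo renderUnsafe($legit), "\n";       // legitimate cookie, greets the user
echo renderUnsafe($poisoned), "\n";    // tampered cookie, leaks the stack trace
echo renderNoObjects($poisoned), "\n"; // same cookie, objects refused
echo renderSigned(issueCookie(['user' => 'alice'])), "\n"; // signed JSON cookie
echo renderSigned($poisoned), "\n";    // no valid signature, rejected before parsing
?>
```

Run it with `php` on the command line: the second line of output is the stack trace leak from the post, and the remaining lines show that neither hardened path ever converts an attacker-supplied object to a string. Of the two fixes, the signed JSON cookie is the one to prefer; `allowed_classes => false` is the stopgap for code that cannot yet move away from `unserialize()`.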

The Church of Latter Day Bytes

SURELY the hacking gods are made of the True Bytes, bytes of such elegance and high Shannon entropy that mortal men can only stare in wonder at the output of hexdump

SURELY the hacking gods made the first shellcode, the True Shellcode that began the world and fostered the embers of civilization, lighting in men the desire to pwn and to be True Assholes about it

SURELY when the world ends it will be not with a Kernel Panic but with a clean exit(0) at the end of the True ROP Chain that is Reality.

SURELY the prophet Joybubbles will come again to judge who among us was Truly 1337 and the skr1pt k1ds will be cast into the flames

SURELY then the blessed and the clever will hack forever in the Kingdom of Hex upon the earth and no suffering or well-thought-out exploit mitigation will ever blight the Realm of the Gods and all will be as it should. Amen