$ pkg install php73-readline

$ php -a
php >


Packagist – The PHP Package Repository

$ curl -sS | php
Some settings on your machine make Composer unable to work properly.
Make sure that you fix the issues listed below and run this script again:

The phar extension is missing.
Install it or recompile php without --disable-phar

The filter extension is missing.
Install it or recompile php without --disable-filter

$ pkg install php73-phar
$ pkg install php73-filter

Serialization / Unserialization

  • Object Injection
  • Pop Chains
  • Object Relation Mapper
  • LFI Scripts

Intro to PHP Deserialization / Object Injection
Advanced PHP Deserialization – Phar Files


class User {
    public $username;
    public $isAdmin;

    public function PrintData() {
        if ($this->isAdmin) {
            echo $this->username . " is an admin\n";
        } else {
            echo $this->username . " is NOT an admin\n";


$obj = new User();
$obj->username = 'ippsec';
$obj->isAdmin = True;
echo serialize($obj);

Type:Length:Name of class/variable:How many items in the object

O = Object
s = String
b = Boolean
$obj = unserialize($_POST['ippsec']);
$ php -S &
[1] 1245

PHP 7.3.26 Development Server started at Thu Jan 14 11:56:06 2021
Listening on
Document root is /usr/home/andreas/composer
Press Ctrl-C to quit.

$ curl -XPOST -d 'ippsec=O:4:"User":2:{s:8:"username";s:6:"ippsec";s:7:"isAdmin";b:1;}' localhost:8070/test.php
[Thu Jan 14 12:01:17 2021] [200]: /test.php

ippsec is an admin

Local File Inclusion (LFI)

Local File Inclusion (LFI) — Web Application Penetration Testing

Local File Inclusion (LFI) allows an attacker to include files on a server through the web browser. This vulnerability exists when a web application includes a file without correctly sanitising the input, allowing and attacker to manipulate the input and inject path traversal characters and include other files from the web server.

Object Relational Mapper (ORM)

Leave a Reply

Your email address will not be published. Required fields are marked *