Black Friday 2024: 25+ Ways to Save on Online Learning

Class Central is learner-supported. When you buy through links on our site, we may earn an affiliate commission.

YouTube

It's a PHP Unserialization Vulnerability Jim, but Not as We Know It

Black Hat via YouTube

Start learning Write review

Overview

Save Big on Coursera Plus. 7,000+ courses at $160 off. Limited Time Only!
Grab it
Explore a comprehensive conference talk on PHP unserialization vulnerabilities, focusing on previously unidentified Remote Code Execution (RCE) exploits in widely-used open source PHP web applications and libraries. Delve into the intricacies of PHP (un)serialization, stream wrappers, and the Phar file format. Learn about basic attack methodologies, vulnerability identification techniques, and examine real-world case studies involving WordPress and TCPDF. Gain insights into defense strategies and key takeaways to enhance your understanding of these critical security issues in PHP development.

Syllabus

Intro
What is PHP (un)serialization?
Introduction
Stream Wrappers
Basic Attack Methodology
Difference from "unserialize()"
Phar File Format
Phar/Tar File Format
Quick Polyglot Demo
Phar Planting
Identifying Vulnerabilities
PHPGGC / PHARGGC Payloads
Case Studies
Case Study B - Wordpress - Payload
Case Study C-TCPDF (via Contao)
Defence
Take aways

Taught by

Black Hat

Reviews

Start your review of It's a PHP Unserialization Vulnerability Jim, but Not as We Know It

Start learning

Never Stop Learning.

Get personalized course recommendations, track subjects and courses with reminders, and more.

Sign up for free
Someone learning on their laptop while sitting on the floor.