Abusing deserialization
Exploiting deserialization relies on built-in methods, which execute automatically when an object is instantiated or destroyed. PHP, for example, provides several of these methods for every object:
__construct()__destruct()__toString()__wakeup()…and more!
When a new object is instantiated, __construct() is called; whereas when a new object is destroyed or during garbage collection, __destruct() is automatically executed. The __toString() method provides a way to represent the object in string format. This is different to serialization, as there is no __fromString() equivalent to read the data back. The __wakeup() method is executed when an object is deserialized and instantiated in memory.
PHP provides serialization capabilities via the serialize() and unserialize() functions. The output is a human-readable string that can be easily transferred over HTTP or other protocols. The string output describes the object, its properties, and the values. PHP can serialize...
