Diving into unserialize(): More than RCE

Achieving authentication bypass and SQL injection using PHP’s unserialize()

Vickie Li
Sep 28, 2019
Don’t despair when you can’t RCE.

Last time, we talked about how PHP’s unserialize() leads to vulnerabilities, and how an attacker can use it to achieve RCE.