Tags: serialization web 

Rating: 5.0

We can call any function. Call file_put_contents() to fill the tmp session challenge file with a serialized payload, overwrite the session file in session.save_path (/var/lib/php/sessions) using copy(), and then call eval() inside verifyFromMath().

Details:
https://blog.hrdn.us/insomnihack-2018-vulnshop/

Original writeup (https://blog.hrdn.us/insomnihack-2018-vulnshop/).