- unserialize: documentation ( source)
- serialize: documentation ( source)
<?php
class foo {
    /**
     * Invoked by the engine whenever an instance of this class is rebuilt by
     * unserialize(). Whatever runs here executes as soon as a payload naming
     * this class is deserialised, which is what makes unserialize() on
     * untrusted input dangerous.
     */
    public function __wakeup(): void
    {
        print 'exploited';
    }
}
// Stand-in for attacker-controlled data: a serialised payload naming a class
// that defines a magic method (foo::__wakeup above).
$userInput = serialize(new foo());

// The payload is stored as a plain string element of the outer array, so the
// outer serialisation contains it as s:N:"..." rather than as an object.
$serialisedStr = serialize([$userInput]);

// unserialize() here yields an array holding the payload string; foo is only
// instantiated (and __wakeup() run) if that inner string is itself passed to
// unserialize(). For genuinely untrusted input prefer json_decode(), or call
// unserialize($data, ['allowed_classes' => false]) so no class is
// instantiated and no magic method can fire.
unserialize($serialisedStr);