Security BSides Las Vegas 2025

Unawakened Wakeup: A Novel PHP Object Injection Technique to Bypass __wakeup()
2025-08-05, Firenze

Some PHP libraries mitigate PHP Object Injection by adding a __wakeup() that throws an exception in classes that could serve as Property-oriented Programming (POP) gadgets, eliminating them in one stroke. Traditional bypasses exploit interpreter bugs, yet patches quickly kill those attacks. This talk introduces a new bypass built on an Arbitrary Object Instantiation (AOI) primitive: we trigger dynamic class instantiation entirely outside the process of unserialize(), so the guarding __wakeup() never runs. The only prerequisite is a POP gadget that executes new $className(...). Because the technique relies solely on core language behavior, future patches are unlikely to break it. A live demo revives the retired Guzzle/RCE1 chain of PHPGGC and gains remote code execution on a default Neos Flow installation.

Takeaways — Pentesters: learn how to resurrect “dead” chains and locate AOI primitives; Developers: adopt practical defenses such as migrating to JSON or adding HMAC-protected serialization.
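The abstract describes two things on the defender's side: the `__wakeup()` guard that throws to neutralize a would-be gadget, and the recommended fallback of HMAC-protected serialization so that attacker-controlled bytes never reach `unserialize()` at all. The following PHP is an added example written for this page, not code from the talk, from PHPGGC, Guzzle or Neos Flow; the class `CacheHandle`, the `SignedSerializer` wrapper and the demo key are hypothetical names constructed for illustration.

```php
<?php
// Added example (not from the talk). Requires PHP 8.0+.
declare(strict_types=1);

// The mitigation the abstract describes: a class that could act as a POP
// gadget overrides __wakeup() to throw, so unserialize() cannot revive it.
// (Hypothetical class; stands in for any guarded library class.)
final class CacheHandle
{
    public string $path = '/tmp/cache';

    public function __wakeup(): void
    {
        throw new RuntimeException('CacheHandle must not be unserialized');
    }
}

// The recommended defense: only unserialize payloads this application
// produced itself, proven by an HMAC over the serialized bytes.
final class SignedSerializer
{
    private const ALGO = 'sha256';

    public function __construct(private string $key) {}

    // token = hex(HMAC-SHA256(key, blob)) ":" base64(blob)
    public function pack(mixed $value): string
    {
        $blob = serialize($value);
        $mac  = hash_hmac(self::ALGO, $blob, $this->key);
        return $mac . ':' . base64_encode($blob);
    }

    public function unpack(string $token): mixed
    {
        [$mac, $b64] = explode(':', $token, 2) + [null, null];
        if ($mac === null || $b64 === null) {
            throw new InvalidArgumentException('malformed token');
        }
        $blob = base64_decode($b64, true);
        if ($blob === false) {
            throw new InvalidArgumentException('malformed token');
        }
        // Verify BEFORE unserialize(); hash_equals() is constant-time.
        $expected = hash_hmac(self::ALGO, $blob, $this->key);
        if (!hash_equals($expected, $mac)) {
            throw new RuntimeException('HMAC mismatch: payload rejected');
        }
        // Second layer: this app only ever round-trips arrays/scalars, so
        // refuse to instantiate any class even when the MAC is valid.
        return unserialize($blob, ['allowed_classes' => false]);
    }
}

// --- demo -----------------------------------------------------------------
$s = new SignedSerializer('constructed-demo-key-do-not-reuse');

// 1. Legitimate round trip of plain data.
$token = $s->pack(['user' => 'alice', 'role' => 'viewer']);
var_dump($s->unpack($token) === ['user' => 'alice', 'role' => 'viewer']); // bool(true)

// 2. The guard in action: serialize() works, a direct unserialize() of the
//    guarded class throws from __wakeup() before any gadget logic runs.
$blob = serialize(new CacheHandle());
try {
    unserialize($blob);
} catch (RuntimeException $e) {
    echo 'guard: ', $e->getMessage(), PHP_EOL;
}

// 3. The same bytes wrapped in a token with a bad MAC never reach unserialize().
$forged = str_repeat('0', 64) . ':' . base64_encode($blob);
try {
    $s->unpack($forged);
} catch (RuntimeException $e) {
    echo 'hmac: ', $e->getMessage(), PHP_EOL;
}
```

Two design points worth keeping when adapting this: the MAC is checked over the raw serialized bytes before `unserialize()` is ever called, so the parser never sees untrusted input, and `allowed_classes => false` means that even a valid token cannot instantiate objects, which is the property that matters once a bypass lets instantiation happen outside the normal `unserialize()` path. If the application must revive objects, replace `false` with an explicit allow-list, or move to JSON as the takeaways suggest.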


This bypass was conceived about 5 years ago when I tried to hack a Neos Flow application in our business. At the time, I was a novice in POI, but the change of mindset allowed me to build the bypass technique. I am currently out of the field due to a change in my life stage, but I am challenging the CFP to prove that everyone can create opportunities to present their research even if they are out of the field.

This content has been presented at m0leCon this year, a security conference organized by the CTF team "pwnthem0le" and "Politecnico di Torino", the oldest polytechnic university in Italy. The presentation covered an introduction to PHP Object Injection, explained how POP gadgets are mitigated by overriding __wakeup(), and demonstrated how to bypass the mitigation to revive the Guzzle/RCE1 gadget.
It was the first technical presentation for me, and some issues and regrets have remained. So I would like to improve my English presentation skills at Proving Ground at Security BSides Las Vegas 2025.

Hiroki MATSUKUMA (@hhc0null) is a middle manager at Cyber Defense Institute, Inc. in Japan, where he leads the reverse engineering section. His main areas of interest are vulnerability research and exploit development. 'House of Einherjar', a glibc heap exploitation technique used in CTFs, is one of his works.