webPromedium

Lab 353 — MailForge — Insecure Deserialization via Custom Session Handler

hackadvisor

Task: PHP email campaign platform (MailForge) with custom session handler that deserializes session values prefixed with '!', inspired by CVE-2025-49113. Solution: Injected a serialized LogStreamProcessor object via the _from GET parameter on the upload endpoint, triggering RCE through the __destruct() magic method to exfiltrate the flag.

$ ls tags/ techniques/

rce php file_upload nginx deserialization object_injection unserialize gadget_chain session_handler custom_serialization cve_2025_49113 php_magic_methods

php_object_injection_via_session_handlercustom_session_deserialization_triggermagic_method_rce_via_destructcommand_output_redirect_to_webrootexclamation_prefix_deserialization_trigger

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 133 — MailForge — SSTI via Handlebars Template Preview— hackadvisor
[web][Pro]Lab 124 — SprintForge — Insecure Deserialization via Cookie Session + Debug Key Leak— hackadvisor
[web][Pro]SendForge— hackadvisor
[web][Pro]PageForge— hackadvisor
[web][Pro]KnowledgeForge — File Upload RCE via MIME Type Confusion— hackadvisor