Intro To PHP Deserialization / Object Injection


00:50 - Background information, showing that variables are point-in-time values
03:40 - Creating a PHP Class and Object
05:40 - Serializing the Object and going over the format
07:40 - Converting the script to accept a PHP Object via WebRequest
09:20 - Explaining PHP deserialization gadgets
10:05 - Creating Attack.php in order to quickly generate PHP Objects
11:30 - Creating exploit.sh which will just send our malicious object to the webserver
12:45 - Going over PHP Magic Methods
13:15 - Adding a class with a __toString method that we can craft a gadget to reach in order to read files
15:00 - Adding the new class to our attack script and reading /etc/passwd
17:40 - Demonstrating "Class Path" by creating a __destruct() method in another PHP file and including it
19:00 - Adding the LogFile to our class path and using it to drop a file
20:00 - Didn't work! Our script errored, so PHP never destroyed our object and the code didn't run
21:00 - Moving the LogFile gadget to our isAdmin check, which works
21:35 - Demonstrating a way to do Fast Destruct, to immediately destroy the object... I hope I'm right; this may be wrong, read the PHPGGC source to see how it works
25:14 - Showing that if a function is called from another class's magic method, we can craft a gadget to reach it
25:41 - Adding the pwned function to the attack. This is before any magic method calls pwned, just to demonstrate that you can't call arbitrary functions.
27:20 - Making ReadFile() call pwn when destroyed
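The steps at 05:40 through 21:00 hinge on one mechanism: the serialized string names the class, so whoever controls the string controls which class `unserialize()` instantiates, and that class's magic methods (`__destruct`, `__wakeup`, `__toString`) run without the application ever calling `new`. The following is an added example, not code from the video; the `User` and `LogFile` classes and the constructed payload string are assumptions, and the "sink" is a static array rather than the file write shown in the video. It also shows the `allowed_classes` mitigation and the JSON alternative, which the video does not cover.

```php
<?php
// Added example (not from the video): the serialized format, why unserialize()
// on untrusted input is dangerous, and how to restrict it.

class User {
    public $name;
    public $isAdmin = false;
    public function __construct($name) { $this->name = $name; }
}

// A class with a magic method. __destruct runs automatically when the object is
// freed, whether the application created the object or unserialize() did.
class LogFile {
    public static $events = [];   // harmless sink standing in for a file write
    public $message = '';
    public function __destruct() {
        self::$events[] = "LogFile destroyed with: " . $this->message;
    }
}

// 1. Serialization is a point-in-time snapshot of the object's state.
$u = new User('alice');
$blob = serialize($u);
echo $blob, "\n";
// O:4:"User":2:{s:4:"name";s:5:"alice";s:7:"isAdmin";b:0;}
// Format: O:<len>:"<class>":<nprops>:{ <key>;<value> ... }
// The class name travels inside the string, so the client controls it.

// 2. Constructed untrusted input naming a different class. __construct is
// skipped, but __destruct (and __wakeup / __toString when used) still fire.
$untrusted = 'O:7:"LogFile":1:{s:7:"message";s:11:"hello world";}';
$obj = unserialize($untrusted);
var_dump($obj instanceof LogFile);          // bool(true)
unset($obj);                                // refcount hits zero: __destruct runs now
print_r(LogFile::$events);                  // [0] => LogFile destroyed with: hello world

// 3. Mitigation: restrict which classes may be instantiated. With
// allowed_classes => false the object becomes __PHP_Incomplete_Class and
// none of LogFile's magic methods run.
$safe = unserialize($untrusted, ['allowed_classes' => false]);
var_dump(get_class($safe));                 // string(22) "__PHP_Incomplete_Class"

// 4. Better: do not carry objects in client-controlled input at all. A JSON
// array cannot instantiate a class; add an HMAC if the state must round-trip.
$json = json_encode(['name' => 'alice', 'isAdmin' => false]);
$data = json_decode($json, true);           // plain array, no class lookup
var_dump($data['isAdmin']);                 // bool(false)
```

Two points from the timeline follow directly from this code: destructors only run when the object is actually freed (so a script that dies on a fatal error before cleanup, as at 20:00, never reaches `__destruct`), and a gadget class only matters if its definition is loaded at the time `unserialize()` runs (the "class path" shown at 17:40). `allowed_classes` has been available since PHP 7.0 and should be set on every `unserialize()` call whose input is not fully trusted.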

Reviewed by Anonymous on December 21, 2019