Exploiting PHP deserialization vulnerabilities without unserialize().
Magic methods that can be used to kick-start your RCE chain.
Don’t despair when you can’t RCE. How to achieve authentication bypass and SQL injection using PHP’s unserialize().
How PHP’s type comparison features lead to vulnerabilities, and how to avoid them.
Achieving RCE with POP chain exploits.
How PHP’s unserialize() works, and why it leads to vulnerabilities.
A totally unscientific analysis of deserialization vulnerabilities found in the wild.
Intro to PHP object injection vulnerabilities.