How we broke PHP, hacked Pornhub and earned $20k

327 points by KngFant, almost 9 years ago

11 comments

krapp, almost 9 years ago
The takeaway:

    You should never use user input on unserialize. Assuming that using an up-to-date PHP version is enough to protect unserialize in such scenarios is a bad idea. Avoid it or use less complex serialization methods like JSON.
danso, almost 9 years ago
OT: Is there a site that curates these kinds of interestingly detailed hacks? Like Dan Luu does for debugging stories? (https://github.com/danluu/debugging-stories)
ckdarby, almost 9 years ago
That moment when the company you work at is on the front page of Hacker News xD
watbe, almost 9 years ago
This is an elaborate hack and a very detailed writeup. Thanks for sharing.
ndesaulniers, almost 9 years ago
> Using a locally compiled version of PHP we scanned for good candidates for stack pivoting gadgets

Surprised that worked. Guess they got lucky and either got the compiler+optimization flags the same as the PHP binary used, or the release process can create highly similar builds.
aprdm, almost 9 years ago
Really good write up. Some people are really smart, I wouldn't ever be able to do that kind of stuff even after programming for years.
tjallingt, almost 9 years ago
I have some questions about two things in the exploit code that puzzled me:

    my $php_code = 'eval(\'
        header("X-Accel-Buffering: no");
        header("Content-Encoding: none");
        header("Connection: close");
        error_reporting(0);
        echo file_get_contents("/etc/passwd");
        ob_end_flush();
        ob_flush();
        flush();
    \');';

1. they seem to be using php to code the exploit (solely based on the $ before the variable name) but i've never seen the 'my' keyword before, what exactly is this language?

2. if i understand the exploit correctly they got remote code execution by finding the pointer to 'zend_eval_string' and then feeding the above code into it. doesn't that mean the use of 'eval' in the code that is being executed is unnecessary?
Phithagoras, almost 9 years ago
Appears to be experiencing the hug of death. May be quite slow
cloudjacker, almost 9 years ago
wow

From a legal perspective how do companies and hackerone create a binding exemption from laws used to prosecute hackers?
fencepost, almost 9 years ago
So does Pornhub's bug bounty program include some number of years of free paid membership along with financial bounties? Kind of a "treat us right and we'll let you treat yourself right" kind of thing?
given, almost 9 years ago
Too bad they didn't just go ahead and:

> Dump the complete database of pornhub.com including all sensitive user information.

And of course leak the data to expose everyone that participates in this nasty business. It is such a sad thing that people are even proud to work at companies like this where humans are not worth more than a big dick or boobs.

And then you get around and say that child porn is so horrible. No, *all* porn is horrible and destroys our families and integrity. How can there be any dignity left if these things are held to be something good?