RCE via Deserialization: Java & PHP Gadget Chains
Deserialization gadget chains turn trusted library code into an RCE primitive — and they’ve been popping shells since 2015. This post walks through real ysoserial and PHPGGC payloads, explains exactly what the output means, and shows what an attacker does the moment they have a shell.
