PHP Object Injection

Author(s):
 * Egidio Romano

Last revision (mm/dd/yy): //

Vulnerabilities Table of Contents

Description
PHP Object Injection is an application level vulnerability which allows an attacker to perform different kinds of malicious attacks, such as Code Injection, SQL Injection, Path Traversal and Application Denial of Service. The vulnerability occurs when user-supplied input is not properly sanitized before being passed to the unserialize PHP function. Since PHP allows object serialization, attackers could pass ad-hoc serialized strings to a vulnerable unserialize function resulting in an arbitrary PHP object(s) injection into the application scope.

In order to successfully exploit a PHP Object Injection vulnerability two conditions must be satisfied:


 * The application must have a class which implements a PHP magic method (such as __wakeup or __destruct) that can be abused to carry out malicious attacks.
 * This exploitable class must be declared when the vulnerable unserialize is being called, otherwise "object autoloading" must be supported for that class.

Examples
Example 1

The example below shows a PHP class with an exploitable __destruct method: cache_file}"; if (file_exists($file)) @unlink($file); } }

// some PHP code...

$user_data = unserialize($_GET['data']);

// some PHP code...

?> In this example an attacker might be able to delete an arbitrary file via a Path Traversal attack, for e.g. requesting the following URL: http://testsite.com/vuln.php?data=O:8:"Example1":1:{s:10:"cache_file";s:15:"../../index.php";}

Example 2

The example below shows a PHP class with an exploitable __wakeup method: hook)) eval($this->hook); } }

// some PHP code...

$user_data = unserialize($_COOKIE['data']);

// some PHP code...

?> In this example an attacker might be able to perform a Code Injection attack by sending an HTTP request like this: GET /vuln.php HTTP/1.0 Host: testsite.com Cookie: data=O%3A8%3A%22Example2%22%3A1%3A%7Bs%3A14%3A%22%00Example2%00hook%22%3Bs%3A10%3A%22phpinfo%28%29%3B%22%3B%7D Connection: close

Related Vulnerabilities

 * Category:Input Validation Vulnerability

Related Controls

 * Input Validation
 * Static Code Analysis

Prevention
Do not use unserialize function with user-supplied input, use JSON functions instead.