Difference between revisions of "PHP Object Injection"

From OWASP
Jump to: navigation, search
m
Line 21: Line 21:
  
 
* The impact of this vulnerability could be High but the likelihood is low. So, the severity of this type of vulnerability is Medium.
 
* The impact of this vulnerability could be High but the likelihood is low. So, the severity of this type of vulnerability is Medium.
* This vulnerability can make the website vulnerable to some other types of attacks such as [[Path Traversal]], [[SQL Injection]] or [[Code Injection]].
+
* This vulnerability can make the application vulnerable to some kinds of attacks such as [[Path Traversal]], [[SQL Injection]] or [[Code Injection]].
  
 
==Examples==
 
==Examples==
 +
 +
'''Example 1'''
  
 
The example below shows a PHP class with an exploitable __destruct method:
 
The example below shows a PHP class with an exploitable __destruct method:
Line 29: Line 31:
 
<?php
 
<?php
  
class VulnCache
+
class Example1
 
{
 
{
 
   public $cache_file;
 
   public $cache_file;
  public $cache_data;
 
  
 
   function __construct()
 
   function __construct()
Line 41: Line 42:
 
   function __destruct()
 
   function __destruct()
 
   {
 
   {
       file_put_contents($this->cache_file, $this->cache_data);
+
       $file = "/var/www/cache/tmp/{$this->cache_file}";
 +
      if (file_exists($file)) @unlink($file);
 
   }
 
   }
 
}
 
}
Line 52: Line 54:
  
 
?>
 
?>
 +
 +
</pre>
 +
In this example an attacker might be able to delete an arbitrary file via a [[Path Traversal]] attack, for e.g. requesting the following URL:
 +
<pre>http://testsite.com/vuln.php?data=O:8:"Example1":1:{s:10:"cache_file";s:15:"../../index.php";}</pre>
 +
 +
'''Example 2'''
 +
 +
The example below shows a PHP class with an exploitable __wakeup method:
 +
<pre>
 +
<?php
 +
 +
class Example2
 +
{
 +
  private $hook;
 +
 +
  function __construct()
 +
  {
 +
      // some PHP code...
 +
  }
 +
 +
  function __wakeup()
 +
  {
 +
      if (isset($this->hook)) eval($this->hook);
 +
  }
 +
}
 +
 +
// some PHP code...
 +
 +
$user_data = unserialize($_COOKIE['data']);
 +
 +
// some PHP code...
 +
 +
?>
 +
</pre>
 +
 +
In this example an attacker might be able to perform a [[Code Injection]] attack by sending an HTTP request like this:
 +
 +
<pre>
 +
GET /vuln.php HTTP/1.0
 +
Host: testsite.com
 +
Cookie: data=O%3A8%3A%22Example2%22%3A1%3A%7Bs%3A14%3A%22%00Example2%00hook%22%3Bs%3A10%3A%22phpinfo%28%29%3B%22%3B%7D
 +
Connection: close
 
</pre>
 
</pre>
In this example an attacker might be able to create a new PHP file with arbitrary code, requesting the following URL:
 
<pre>http://site/vuln.php?data=O:9:"VulnCache":2:{s:10:"cache_file";s:8:"test.php";s:10:"cache_data";s:21:"<?php+evil_code();+?>";}</pre>
 
  
 
==Related [[Vulnerabilities]]==
 
==Related [[Vulnerabilities]]==

Revision as of 13:40, 10 December 2012

This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.


Author(s):

Last revision (mm/dd/yy): 12/10/2012

Vulnerabilities Table of Contents

Description

PHP Object Injection is an application level vulnerability which allows an attacker to perform different kinds of malicious attacks. The vulnerability occurs when user-supplied input is not properly sanitized before being used in call to the unserialize() PHP function. Since PHP allows object serialization, attackers could pass ad-hoc serialized strings to a vulnerable unserialize() function resulting in an arbitrary PHP object(s) injection into the application scope.

In order to successfully exploit a PHP Object Injection vulnerability two conditions must be satisfied:

  • The application must have a class which implements a PHP magic method (such as __wakeup or __destruct) that can be abused to conduct malicious attacks.
  • That exploitable class must be declared when the vulnerable unserialize() is being called, otherwise object autoloading must be supported for that class.

Risk Factors

  • The impact of this vulnerability could be High but the likelihood is low. So, the severity of this type of vulnerability is Medium.
  • This vulnerability can make the application vulnerable to some kinds of attacks such as Path Traversal, SQL Injection or Code Injection.

Examples

Example 1

The example below shows a PHP class with an exploitable __destruct method:

<?php

class Example1
{
   public $cache_file;

   function __construct()
   {
      // some PHP code...
   }

   function __destruct()
   {
      $file = "/var/www/cache/tmp/{$this->cache_file}";
      if (file_exists($file)) @unlink($file);
   }
}

// some PHP code...

$user_data = unserialize($_GET['data']);

// some PHP code...

?>

In this example an attacker might be able to delete an arbitrary file via a Path Traversal attack, for e.g. requesting the following URL:

http://testsite.com/vuln.php?data=O:8:"Example1":1:{s:10:"cache_file";s:15:"../../index.php";}

Example 2

The example below shows a PHP class with an exploitable __wakeup method:

<?php

class Example2
{
   private $hook;

   function __construct()
   {
      // some PHP code...
   }

   function __wakeup()
   {
      if (isset($this->hook)) eval($this->hook);
   }
}

// some PHP code...

$user_data = unserialize($_COOKIE['data']);

// some PHP code...

?>

In this example an attacker might be able to perform a Code Injection attack by sending an HTTP request like this:

GET /vuln.php HTTP/1.0
Host: testsite.com
Cookie: data=O%3A8%3A%22Example2%22%3A1%3A%7Bs%3A14%3A%22%00Example2%00hook%22%3Bs%3A10%3A%22phpinfo%28%29%3B%22%3B%7D
Connection: close

Related Vulnerabilities

Related Controls

Prevention

Do not use unserialize() function with user-supplied input, use JSON functions instead.

References