This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "PHP Object Injection"
m |
|||
| Line 21: | Line 21: | ||
* The impact of this vulnerability could be High but the likelihood is low. So, the severity of this type of vulnerability is Medium. | * The impact of this vulnerability could be High but the likelihood is low. So, the severity of this type of vulnerability is Medium. | ||
| − | * This vulnerability can make the | + | * This vulnerability can make the application vulnerable to some kinds of attacks such as [[Path Traversal]], [[SQL Injection]] or [[Code Injection]]. |
==Examples== | ==Examples== | ||
| + | |||
| + | '''Example 1''' | ||
The example below shows a PHP class with an exploitable __destruct method: | The example below shows a PHP class with an exploitable __destruct method: | ||
| Line 29: | Line 31: | ||
<?php | <?php | ||
| − | class | + | class Example1 |
{ | { | ||
public $cache_file; | public $cache_file; | ||
| − | |||
function __construct() | function __construct() | ||
| Line 41: | Line 42: | ||
function __destruct() | function __destruct() | ||
{ | { | ||
| − | + | $file = "/var/www/cache/tmp/{$this->cache_file}"; | |
| + | if (file_exists($file)) @unlink($file); | ||
} | } | ||
} | } | ||
| Line 52: | Line 54: | ||
?> | ?> | ||
| + | |||
| + | </pre> | ||
| + | In this example an attacker might be able to delete an arbitrary file via a [[Path Traversal]] attack, for e.g. requesting the following URL: | ||
| + | <pre>http://testsite.com/vuln.php?data=O:8:"Example1":1:{s:10:"cache_file";s:15:"../../index.php";}</pre> | ||
| + | |||
| + | '''Example 2''' | ||
| + | |||
| + | The example below shows a PHP class with an exploitable __wakeup method: | ||
| + | <pre> | ||
| + | <?php | ||
| + | |||
| + | class Example2 | ||
| + | { | ||
| + | private $hook; | ||
| + | |||
| + | function __construct() | ||
| + | { | ||
| + | // some PHP code... | ||
| + | } | ||
| + | |||
| + | function __wakeup() | ||
| + | { | ||
| + | if (isset($this->hook)) eval($this->hook); | ||
| + | } | ||
| + | } | ||
| + | |||
| + | // some PHP code... | ||
| + | |||
| + | $user_data = unserialize($_COOKIE['data']); | ||
| + | |||
| + | // some PHP code... | ||
| + | |||
| + | ?> | ||
| + | </pre> | ||
| + | |||
| + | In this example an attacker might be able to perform a [[Code Injection]] attack by sending an HTTP request like this: | ||
| + | |||
| + | <pre> | ||
| + | GET /vuln.php HTTP/1.0 | ||
| + | Host: testsite.com | ||
| + | Cookie: data=O%3A8%3A%22Example2%22%3A1%3A%7Bs%3A14%3A%22%00Example2%00hook%22%3Bs%3A10%3A%22phpinfo%28%29%3B%22%3B%7D | ||
| + | Connection: close | ||
</pre> | </pre> | ||
| − | |||
| − | |||
==Related [[Vulnerabilities]]== | ==Related [[Vulnerabilities]]== | ||
Revision as of 18:40, 10 December 2012
This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.
Author(s):
Last revision (mm/dd/yy): 12/10/2012
Vulnerabilities Table of Contents
Description
PHP Object Injection is an application level vulnerability which allows an attacker to perform different kinds of malicious attacks. The vulnerability occurs when user-supplied input is not properly sanitized before being used in call to the unserialize() PHP function. Since PHP allows object serialization, attackers could pass ad-hoc serialized strings to a vulnerable unserialize() function resulting in an arbitrary PHP object(s) injection into the application scope.
In order to successfully exploit a PHP Object Injection vulnerability two conditions must be satisfied:
- The application must have a class which implements a PHP magic method (such as __wakeup or __destruct) that can be abused to conduct malicious attacks.
- That exploitable class must be declared when the vulnerable unserialize() is being called, otherwise object autoloading must be supported for that class.
Risk Factors
- The impact of this vulnerability could be High but the likelihood is low. So, the severity of this type of vulnerability is Medium.
- This vulnerability can make the application vulnerable to some kinds of attacks such as Path Traversal, SQL Injection or Code Injection.
Examples
Example 1
The example below shows a PHP class with an exploitable __destruct method:
<?php
class Example1
{
public $cache_file;
function __construct()
{
// some PHP code...
}
function __destruct()
{
$file = "/var/www/cache/tmp/{$this->cache_file}";
if (file_exists($file)) @unlink($file);
}
}
// some PHP code...
$user_data = unserialize($_GET['data']);
// some PHP code...
?>
In this example an attacker might be able to delete an arbitrary file via a Path Traversal attack, for e.g. requesting the following URL:
http://testsite.com/vuln.php?data=O:8:"Example1":1:{s:10:"cache_file";s:15:"../../index.php";}
Example 2
The example below shows a PHP class with an exploitable __wakeup method:
<?php
class Example2
{
private $hook;
function __construct()
{
// some PHP code...
}
function __wakeup()
{
if (isset($this->hook)) eval($this->hook);
}
}
// some PHP code...
$user_data = unserialize($_COOKIE['data']);
// some PHP code...
?>
In this example an attacker might be able to perform a Code Injection attack by sending an HTTP request like this:
GET /vuln.php HTTP/1.0 Host: testsite.com Cookie: data=O%3A8%3A%22Example2%22%3A1%3A%7Bs%3A14%3A%22%00Example2%00hook%22%3Bs%3A10%3A%22phpinfo%28%29%3B%22%3B%7D Connection: close
Related Vulnerabilities
Related Controls
Prevention
Do not use unserialize() function with user-supplied input, use JSON functions instead.
References
- PHP: unserialize. http://php.net/manual/en/function.unserialize.php
- PHP: Magic Methods. http://php.net/manual/en/language.oop5.magic.php
- PHP: Autoloading Classes. http://php.net/manual/en/language.oop5.autoload.php
- Shocking news in PHP exploitation. http://www.suspekt.org/downloads/POC2009-ShockingNewsInPHPExploitation.pdf
