PHP Object Injection Vulnerabilities

Nowadays, PHP can be considered an essential programming language for building a website for any organization. From a developer's point of view, PHP is very easy to code in compared with other web programming languages.

Below is an example of the basic PHP code that is normally used.

I just played with the $demo function and $string within the code shown above.

PHP Object Injection is a vulnerability that allows an attacker to inject a crafted serialized object into the application, which can then lead to other attacks such as SQL Injection, Path Traversal and Code Injection. Which of these is actually possible depends on the code of the website itself.

The conditions that must be met before any PHP Object Injection can proceed are as follows:

  • The website's code must define classes that implement PHP magic methods such as __wakeup() and __destruct().
  • When unserialize() is called on the attacker's data, every PHP class used in the attack must already be declared (loaded) by the application.

I inserted all the functions into one PHP file, which is not good practice for a developer to follow. Looking at the PHP code shown above, the __destruct() method is the vulnerability for Path Traversal, the __wakeup() method is the vulnerability for Code Injection, and the __toString() method is the vulnerability for SQL Injection.
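As an added illustration (not the author's code, and not the code the post refers to above), the following PHP sketch shows why the two conditions matter and how a developer closes the hole: the `CacheEntry` class, its `$path` property, the `loadEntry*` functions and the serialized input are all constructed for this example.

```php
<?php
// Added example, not the post's own code. CacheEntry and its property are
// hypothetical; the serialized input below is constructed for the demo.

class CacheEntry
{
    public string $path = '/tmp/cache/default';

    // Magic method: PHP invokes this immediately after unserialize() rebuilds
    // the object, before the application has looked at it.
    public function __wakeup(): void
    {
        echo "__wakeup() ran with path={$this->path}\n";
    }

    // Magic method: invoked when the object is destroyed (e.g. at script end).
    // Any file or database work here runs on attacker-chosen property values.
    public function __destruct()
    {
        echo "__destruct() ran with path={$this->path}\n";
    }
}

// Vulnerable: the caller passes data the user controls (cookie, form field),
// so the user picks the class and every property. Both magic methods fire.
function loadEntryVulnerable(string $untrusted): mixed
{
    return unserialize($untrusted);
}

// Hardened: no class may be instantiated. Objects come back as
// __PHP_Incomplete_Class, so CacheEntry's __wakeup()/__destruct() never run.
function loadEntryHardened(string $untrusted): mixed
{
    return unserialize($untrusted, ['allowed_classes' => false]);
}

// Better still for untrusted data: use a format that cannot carry objects.
function loadEntryJson(string $untrusted): array
{
    return json_decode($untrusted, true, 512, JSON_THROW_ON_ERROR);
}

// Constructed input: a CacheEntry whose $path the "user" chose.
$payload = 'O:10:"CacheEntry":1:{s:4:"path";s:20:"/attacker/controlled";}';
$obj = loadEntryVulnerable($payload);              // prints the __wakeup() line
echo get_class($obj), "\n";                        // CacheEntry
echo get_class(loadEntryHardened($payload)), "\n"; // __PHP_Incomplete_Class
print_r(loadEntryJson('{"path":"/tmp/cache/default"}'));
```

Run under PHP 8 or later (the `mixed` return type requires it); the `__destruct()` line for the vulnerable object prints when the script ends.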

http://exampletest.com/index.php?../../../../etc/passwd

The URL shown above is an example of Path Traversal, which most people are surely already aware of. Path Traversal is an attack where the attacker tricks the web application into reading files outside its intended directory and revealing their contents to the public.

The second attack that I would like to share here is Code Injection, which is quite similar to Path Traversal in a sense. However, a few modifications are needed to inject code into the web application or system. An example of Code Injection is shown below:

http://example.com/index.php?arg=1; system('id')

The injection above is a command injection: it causes the server to run a system command that reveals details such as the uid, gid and groups of the account the web application runs under.

http://example.com/index.php?arg=1; phpinfo()

As we all know, phpinfo() shows all information related to PHP, from the version in use to the PHP extensions and options the web application currently relies on.

Finally, we come to the last attack related to PHP Object Injection, which is SQL Injection. However, the SQL Injection that can be exploited through PHP Object Injection would be an easy Blind SQL Injection.

The SQL Injection used here is a UNION SELECT SQL Injection, which looks something like the following:

http://exampletest.com/index.php?id=1 union select 1,2,3--

The example above can be considered a basic UNION SELECT SQL Injection; it will show the 3 columns pulled out of the web application's database.

That said, there are many more examples of UNION SELECT SQL Injection that readers will find useful in the references below.

References: PortSwigger, "SQL injection UNION attacks"; "Code Injection and Mitigation with Example"; "What Is Path Traversal?"

Author: Wan Ariff

He brings with him working experience in the Information Security field, specializing in Penetration Testing and Digital Forensics. His passion lies in IT Security.
