SoonSec
5 min read · Mar 8, 2021

Basic Introduction to PHP Deserialization

Intro to Object Injection

PHP Serialization

Before we dive in, let's take some time to talk about PHP serialization, which is a method used to package and transmit data. Think of it like IKEA products: when we buy a table from IKEA, the engineers at IKEA disassemble the table and give it to us in pieces, then we take it home and assemble it. In PHP, this process of taking apart and reassembling revolves around two functions, serialize() and unserialize().

One thing to note from this process: serialized data is commonly used as a cache, for example in a session or a cookie.

To explain this further, we're going to create a simple PHP program and check a few things along the way.

Note: I'm going to use Kali for this practice.

I've created a file called object.php.

It's very simple code, but let's explain it. We have a class User, and in it we have two variables, username and admin.

Then we have a function called printData that makes two statements:

if the object's admin variable is set, we print the object's username followed by "is an Admin";

if it is not set, we print the username followed by "is not an Admin".

After that we create a new object of the class, set the username to Jack, tell it that he is not an admin, and print it.

We run the code and see that Jack is not an Admin.

Let's now use Tony, make him an admin as in the picture above, and run the code:

As you can see, Tony is an admin.

So that was basic PHP code to create an object. Let's now serialize this object and see how PHP stores it:

We added the code above and ran the program again.

In the picture above we see how PHP stores a serialized object. It starts with a letter: in our case O for object, s for string, and b for boolean (for admin). After each letter comes a number, which is the length in bytes: User is 4, username is 8, and so on. After the object name we see the number 2, which tells us how many items are in this object. The first item is username, which is Tony, and the second item is admin, which is currently set to 1 because in our code Tony is an admin; it would become 0 if we changed that to false.
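The object.php file itself is only shown as a screenshot, so here is an added reconstruction of it (my code, not the author's file) that follows the description above: a User class with username and admin, a printData method, and a serialize() call at the end. The constructor and the unserialize() round-trip at the bottom are my additions.

```php
<?php
// Added example: a reconstruction of object.php as described in the post.
// The constructor is an assumption; the post only says the object is created
// with a username and an admin flag.
class User
{
    public $username;
    public $admin;

    public function __construct(string $username, bool $admin)
    {
        $this->username = $username;
        $this->admin    = $admin;
    }

    // Prints "<username> is an Admin" or "<username> is not an Admin".
    public function printData(): void
    {
        if ($this->admin) {
            echo $this->username . " is an Admin\n";
        } else {
            echo $this->username . " is not an Admin\n";
        }
    }
}

$user = new User("Tony", true);
$user->printData();

// serialize() turns the object into a string PHP can store in a cookie,
// a session file or a cache and rebuild later.
$serialized = serialize($user);
echo $serialized . "\n";

// unserialize() is the reverse step: it rebuilds a User from the string,
// including the class name and every property value the string carries.
$copy = unserialize($serialized);
$copy->printData();
```

Run it with `php object.php`. The serialized string it prints is `O:4:"User":2:{s:8:"username";s:4:"Tony";s:5:"admin";b:1;}`. Reading left to right: `O:4:"User"` is an object whose class name is 4 bytes long, `:2:` says it holds two properties, `s:8:"username"` names the first property (8 bytes) and `s:4:"Tony"` is its value, `s:5:"admin"` names the second and `b:1` is the boolean true (it would be `b:0` for false). Everything the receiving side needs to rebuild the object, the class name included, is inside the string, which is exactly why accepting such a string from a client is dangerous.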

Now that we have the serialized object, let's save that output and then write a vulnerable deserialization program to deserialize it.

I will create a new file and call it de.php.

The beginning of the code is the same as in object.php, but in de.php we take our input, 'cmd', unserialize it into the object, and then print the result.

I will start PHP's built-in HTTP server with php -S 127.0.0.1:80, then make an HTTP POST request with curl, specifying the file name, de.php, and passing as input the serialized data we got from the old file.

I used tmux to split my terminal into two panes. As we see in the picture above, the deserialization works: the HTTP server logs that we hit the file, and the curl command returns Tony is an Admin.

Moreover, if we change the b value to 0, we get that Tony is not an admin. This is how we can inject objects in PHP. Very simple.

In the example above we performed a basic object injection against a simple PHP program, but the code we created is not itself exploitable because there is nothing dangerous in it. So let's fix that and create a new program with some exploitable code in it; we will call it vulnerable.php.

But before we do that, we should know that for a PHP deserialization attack to work we need to make use of PHP magic methods, which are the following functions:

__construct(), __destruct(), __call(), __callStatic(), __get(), __set(), __isset(), __unset(), __sleep(), __wakeup(), __serialize(), __unserialize(), __toString(), __invoke(), __set_state(), __clone(), and __debugInfo().

In the following vulnerable.php program I will use the __toString() function and see what we can do with it:

The code above has a User object which contains another object, FileRead, holding the string /etc/passwd.

Let's run the code and copy the result:

Now let's add a file read into our de.php:

We added the ReadFile class, which uses file_get_contents to return the requested file. Let's see what happens when we run our curl command with the serialized object we generated a moment ago:

And we read /etc/passwd. Now you can change the file name inside vulnerable.php to anything you want, generate another serialized payload, and re-run it against de.php. So you get the point of how we can inject objects in general.
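Since de.php and vulnerable.php are only shown as screenshots, here is an added example (my code, not the author's) that puts the vulnerable handler described above next to two safer ones, so the fix is visible beside the bug. The class name FileRead, its $file property and the handler function names are my assumptions from the post's description; the temp file and its contents are constructed so the script runs locally without touching /etc/passwd.

```php
<?php
// Added example, not the author's de.php / vulnerable.php (those were screenshots).
// FileRead, its $file property and the handler names are assumptions taken
// from the post's description of the code.

class FileRead
{
    public $file;

    // Magic method: runs whenever the object is used as a string. With a
    // payload-controlled $file it turns a string concatenation into a file read.
    public function __toString(): string
    {
        return (string) file_get_contents($this->file);
    }
}

class User
{
    public $username;
    public $admin;

    public function printData(): void
    {
        // The "." below calls FileRead::__toString() if $username is a
        // FileRead object instead of a plain string.
        if ($this->admin) {
            echo $this->username . " is an Admin\n";
        } else {
            echo $this->username . " is not an Admin\n";
        }
    }
}

// The de.php pattern from the post: untrusted input goes straight into unserialize().
function vulnerableHandler(string $cmd): void
{
    $user = unserialize($cmd);   // any class loaded in this script may be instantiated
    $user->printData();
}

// Hardened: restrict which classes unserialize() may create, then validate the result.
function hardenedHandler(string $cmd): void
{
    // Only User may be instantiated (PHP >= 7.0). Any other class in the payload,
    // such as FileRead, becomes __PHP_Incomplete_Class, whose magic methods never run.
    $user = @unserialize($cmd, ['allowed_classes' => ['User']]);

    // A payload can still set arbitrary property values on the allowed class,
    // so check the shape and the types before using the object.
    if (!($user instanceof User) || !is_string($user->username) || !is_bool($user->admin)) {
        echo "rejected: unexpected class or property type\n";
        return;
    }
    $user->printData();
}

// Preferred: do not unserialize() untrusted input at all. JSON carries no class
// names, so decoding it cannot instantiate anything or trigger a magic method.
function jsonHandler(string $json): void
{
    $data = json_decode($json, true);
    if (!is_array($data) || !is_string($data['username'] ?? null)) {
        echo "rejected: malformed input\n";
        return;
    }
    $user = new User();
    $user->username = $data['username'];
    $user->admin    = (bool) ($data['admin'] ?? false);
    $user->printData();
}

// Build a payload the way vulnerable.php does, but pointing at a constructed
// temp file instead of /etc/passwd, so the script can be run locally.
$tmp = tempnam(sys_get_temp_dir(), 'deser');
file_put_contents($tmp, "constructed secret");
$gadget = new FileRead();
$gadget->file = $tmp;
$user = new User();
$user->username = $gadget;
$user->admin = true;
$payload = serialize($user);

echo "vulnerable: ";
vulnerableHandler($payload);
echo "hardened:   ";
hardenedHandler($payload);
echo "json:       ";
jsonHandler('{"username":"Tony","admin":true}');
unlink($tmp);
```

Run it with `php example.php`: the vulnerable handler echoes the temp file's contents where the username should be, the hardened handler rejects the same payload because username arrives as a __PHP_Incomplete_Class rather than a string, and the JSON handler prints Tony is an Admin. The allowed_classes list is the minimal change to an existing unserialize() call; switching the input format to JSON (or signing serialized data with an HMAC before trusting it) removes the problem rather than fencing it.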

Finally, I'm including the magic methods from the PHP manual in case you're wondering how to avoid this type of attack:

Thank you for reading, and I hope you've learned something new.

Keep safe

Written by SoonSec

Penetration tester, Security enthusiast friend