PHP Object Injection occurs when untrusted user input is passed to the PHP unserialize() function. When we pass a serialized string representing an object of a class to the application, the application accepts it, PHP reconstructs the object, and any magic methods defined in that class are called automatically. Some of these methods are __construct(), __destruct(), __sleep(), and __wakeup().
This can lead to SQL injection, file inclusion, and even remote code execution. However, in order to successfully exploit this, we need to know the class name of the object.
The following steps demonstrate PHP Object Injection:
- Here, we have an app that is passing serialized data in the `get` parameter:
- Since we have the source code, we can see that the app uses the `__wakeup()` function and that the class name is `PHPObjectInjection`:
- Now we can write code with the same class name to produce a serialized object containing our own command that we want to execute on the...
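As an added example (not the book's code), here is the vulnerable pattern described in these steps beside a hardened form, so the defect and its fix can be compared side by side; the property name, the `$_GET['get']` parameter, and the `$secret` key are assumptions, and the dangerous sink inside `__wakeup()` is replaced with a log line.

```php
<?php
// Added example, not from the book: the vulnerable unserialize() pattern
// beside a hardened version. Property and parameter names are assumed.

class PHPObjectInjection
{
    public $inject;

    // Runs automatically when unserialize() rebuilds the object. Once the
    // serialized string is attacker-controlled, so is $this->inject.
    public function __wakeup()
    {
        if (isset($this->inject)) {
            // Placeholder for the dangerous sink the book describes (a command
            // or file operation driven by the property); only logged here.
            error_log('__wakeup() fired with untrusted data: ' . $this->inject);
        }
    }
}

// Vulnerable: raw user input reaches unserialize(); any class can be
// instantiated and its magic methods run.
function loadVulnerable(string $userInput)
{
    return unserialize($userInput);
}

// Hardened, step 1: refuse to instantiate objects at all. Attacker-supplied
// "O:" tokens become __PHP_Incomplete_Class and no magic method runs.
function loadHardened(string $userInput)
{
    return unserialize($userInput, ['allowed_classes' => false]);
}

// Hardened, step 2: when the app genuinely needs the object back, accept only
// strings this server produced (HMAC checked before unserialize() sees the
// data) and restrict instantiation to the one expected class. $secret is an
// assumed server-side key.
function loadSigned(string $token, string $secret)
{
    [$mac, $payload] = array_pad(explode('.', $token, 2), 2, '');
    $expected = hash_hmac('sha256', $payload, $secret);
    if (!hash_equals($expected, $mac)) {
        return null; // forged or tampered: never unserialize it
    }
    return unserialize($payload, ['allowed_classes' => [PHPObjectInjection::class]]);
}

// Usage: the parameter from the vulnerable app, read safely.
$obj = loadHardened($_GET['get'] ?? '');
```

For untrusted input that only needs to carry data, replacing the PHP serialization format with json_decode() removes the object-instantiation path altogether.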