Home  >  Article  >  Backend Development  >  PHP Object Injection

PHP Object Injection

王林
王林Original
2024-08-29 12:36:32367browse

The vulnerability at an application level which could possibly allow the attackers to attempt to perform several kinds of attacks that are malicious such as path traversal attack, code injection, application denial of service, SQL injection etc. is called PHP object injection or PHP deserialization and the cause of this vulnerability is a not properly sanitized input supplied by the user to the unserialize() function in PHP and the attackers can inject arbitrary PHP objects into an application by passing strings that are ad hoc serialized through the vulnerable unserialize() function and this vulnerability in PHP leads to remote code execution.

Start Your Free Software Development Course

Web development, programming languages, Software testing & others

Syntax

The syntax to declare serialize() function in PHP is as follows:

unserialize(value);

where value is the value to be unserialized that can possibly lead to object injection.

Working of Object Injection in PHP

Working of object injection in PHP is as follows:

  • The vulnerability at an application level that could possibly allow the attackers to attempt to perform several kinds of attacks that are malicious such as path traversal attack, code injection, application denial of service, SQL injection, etc. is called PHP object injection or PHP deserialization.
  • The cause of this vulnerability is a not properly sanitized input supplied by the user to the unserialize() function in PHP.
  • The attackers can inject arbitrary PHP objects into an application by passing strings that are ad hoc serialized through the vulnerable unserialize() function.
  • This vulnerability in PHP leads to remote code execution.

Examples of PHP Object Injection

Following are the examples are given below:

Example #1

PHP program to illustrate object injection to convert a given value as a sequence of bits so that it can be stored anywhere and then unserialize it using unserialize() function:

Code:

<html>
<body>
<?php
#The array of data to be serialized is passed to the serialize function and the returned string is stored in a variable called value
$value = serialize(array("Welcome", "to", "PHP"));
#The returned string from the serialize() function is displayed as the output on the screen
echo "The data after serialization using serialize() function is as follows:\n";
echo $value;
#the serialized data is passed through the unserialize function and the result is stroed in a variable called result
$result = unserialize($value);
echo "<br>";
#The unserialized data is displayed as the output on the screen
echo "The data after deserialization using unserialize() function is as follows:\n";
echo "<br>";
var_dump($result);
?>
</body>
</html>

Output:

PHP Object Injection

In the above program, the array of data to be serialized is passed to the serialize function and the returned string is stored in a variable called value. Then the returned string from the serialize() function is displayed as the output on the screen. Then the serialized data is passed through the unserialize function and the result is stored in a variable called result. Then the unserialized data is displayed as the output on the screen. The output is shown in the snapshot above.

Example #2

PHP program to illustrate object injection to convert a given value as a sequence of bits so that it can be stored anywhere and then unserialize it using unserialize() function:

Code:

<html>
<body>
<?php
#The array of data to be serialized is passed to the serialize function and the returned string is stored in a variable called value
$value = serialize(array("Learning", "is", "fun"));
#The returned string from the serialize() function is displayed as the output on the screen
echo "The data after serialization using serialize() function is as follows:\n";
echo $value;
#the serialized data is passed through the unserialize function and the result is stroed in a variable called result
$result = unserialize($value);
echo "<br>";
#The unserialized data is displayed as the output on the screen
echo "The data after deserialization using unserialize() function is as follows:\n";
echo "<br>";
var_dump($result);
?>
</body>
</html>

Output:

PHP Object Injection

In the above program, the array of data to be serialized is passed to the serialize function and the returned string is stored in a variable called value. Then the returned string from the serialize() function is displayed as the output on the screen. Then the serialized data is passed through the unserialize function and the result is stored in a variable called result. Then the unserialized data is displayed as the output on the screen. The output is shown in the snapshot above.

Example #3

PHP program to illustrate object injection to convert a given value as a sequence of bits so that it can be stored anywhere and then unserialize it using unserialize() function:

Code:

<html>
<body>
<?php
#The array of data to be serialized is passed to the serialize function and the returned string is stored in a variable called value
$value = serialize(array("We", "love", "India"));
#The returned string from the serialize() function is displayed as the output on the screen
echo "The data after serialization using serialize() function is as follows:\n";
echo $value;
#the serialized data is passed through the unserialize function and the result is stroed in a variable called result
$result = unserialize($value);
echo "<br>";
#The unserialized data is displayed as the output on the screen
echo "The data after deserialization using unserialize() function is as follows:\n";
echo "<br>";
var_dump($result);
?>
</body>
</html>

Output:

PHP Object Injection

In the above program, the array of data to be serialized is passed to the serialize function and the returned string is stored in a variable called value. Then the returned string from the serialize() function is displayed as the output on the screen. Then the serialized data is passed through the unserialize function and the result is stored in a variable called result. Then the unserialized data is displayed as the output on the screen. The output is shown in the snapshot above.

The above is the detailed content of PHP Object Injection. For more information, please follow other related articles on the PHP Chinese website!

Statement:
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Previous article:Object in PHPNext article:Object in PHP