PHP Insecure Deserialization Vulnerabilities
In this blog, we will discuss PHP insecure deserialization vulnerabilities and their prevention. The deserialization vulnerability in PHP is also known as PHP Object Injection.
Serialization and deserialization in PHP
Serialization:
The serialize() function in PHP converts a PHP value (a variable, array, or object) into a byte-stream representation that can be stored in a file, transmitted across a network, or saved in a database.
![php Insecure Deserialization vulnerabilities 1 serialize function in php](https://blog.certcube.com/wp-content/uploads/2024/05/serialize-function-in-php.png)
Deserialization:
Deserialization is the process of converting a serialized string back into its original PHP data structure. This is done with the unserialize() function, the inverse of serialize(): instead of turning a data structure or object into a series of bytes for storage or transmission, it rebuilds the structure from those bytes. For example:
![php Insecure Deserialization vulnerabilities 2 Deserialization in php](https://blog.certcube.com/wp-content/uploads/2024/05/Deserialization-in-php.png)
Insecure Deserialization in PHP:
Insecure deserialization occurs when untrusted data is deserialized without proper validation, leading to potential security vulnerabilities. Attackers can manipulate serialized data to exploit vulnerabilities in the deserialization process. For example, consider the following vulnerable code:
![php Insecure Deserialization vulnerabilities 3 insecure Derilaization in php](https://blog.certcube.com/wp-content/uploads/2024/05/insecure-Derilaization-in-php.png)
If an attacker modifies the user_data cookie to contain a malicious serialized object, they can execute arbitrary code when the unserialize() function is called. This can lead to serious security issues, such as remote code execution.
In-depth Explanation of Insecure Deserialization
Remote code execution (RCE): Attackers can craft serialized objects that, when deserialized, execute malicious code. For example, an attacker could serialize an object that, when deserialized, runs a system command:
![php Insecure Deserialization vulnerabilities 4 1 Rce in php](https://blog.certcube.com/wp-content/uploads/2024/05/1-Rce-in-php.png)
When $exploit is deserialized, the __destruct() method is called, executing the rm -rf / command.
Data tampering: Attackers can modify serialized data to change the behavior of the application. For example, an attacker could modify the serialized data to change a user’s role:
![php Insecure Deserialization vulnerabilities 5 2 Data tampering in php](https://blog.certcube.com/wp-content/uploads/2024/05/2-Data-tampering-in-php.png)
By changing "role" to "admin", the attacker can escalate their privileges.
Object injection: Attackers can inject malicious objects into the application by manipulating serialized data. For example, an attacker could inject a file inclusion object:
![php Insecure Deserialization vulnerabilities 6 3 object injection in php](https://blog.certcube.com/wp-content/uploads/2024/05/3-object-injection-in-php.png)
When $fileInclude is used, the contents of /etc/passwd are included in the output.
In PHP, specific magic methods are invoked during the serialization and deserialization processes:

__sleep: Invoked when an object is being serialized. This method should return an array of the names of all properties of the object that should be serialized. It is commonly used to commit pending data or perform similar cleanup tasks.

__wakeup: A magic method that is invoked on unserialize(). It is normally used to re-establish any database connections that may have been lost during serialization and to perform other reinitialization tasks. It is often useful during an unserialize() exploit because, if it is defined for the class, it is automatically called upon object deserialization. Thus, it provides a convenient entry point to the database or to other functions in the code for POP chain purposes.

__unserialize: Called instead of __wakeup (if it exists) when an object is being deserialized. It gives more control over the deserialization process than __wakeup.

__destruct: Called when no reference to the deserialized object instance exists. It is invoked on garbage collection and is normally used to clean up references and finish other unfinished business associated with the object. As it is used to clean up resources and shut down functionality, __destruct() very often contains code that is useful for exploitation. For example, if a __destruct() method contains code that deletes and cleans up files associated with the object, this might give the attacker an opportunity to tamper with the integrity of the filesystem.

__toString: Unlike __wakeup() and __destruct(), the __toString() method is only invoked when the object is treated as a string. (Although if a __toString() method is defined for the class, it is likely that it gets used somewhere.) The __toString() method allows a class to decide how it reacts when it is treated as a string: for example, what is printed if the object is passed to echo or print. The exploitability of this magic method varies widely depending on how it is implemented. For example, here is a __toString() function that could be used to start a POP chain.
![php Insecure Deserialization vulnerabilities 7 Php insecure deserialization](https://blog.certcube.com/wp-content/uploads/2024/05/fingerprinting-insecure-derialization-in-php.png)
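To make the call order of these magic methods concrete, here is an added example (not from the post) with two harmless classes that record every magic method PHP invokes around serialize() and unserialize(). The class and property names are made up for illustration, PHP 8 is assumed, and the __wakeup() body shows the defensive check a reviewer would want: refusing any payload whose properties do not have the shape the class itself wrote.

```php
<?php
// Added example, not from the post. Class and property names are made up;
// PHP 8 assumed (constructor promotion, __serialize/__unserialize).
declare(strict_types=1);

final class Trace
{
    /** @var string[] */
    public static array $log = [];
    public static function add(string $event): void { self::$log[] = $event; }
}

class LegacyRecord
{
    public string $name = 'legacy';
    public $dbHandle = 'pretend-connection';   // not worth persisting

    public function __sleep(): array
    {
        Trace::add('LegacyRecord::__sleep');
        return ['name'];                        // dbHandle is dropped
    }
    public function __wakeup(): void
    {
        Trace::add('LegacyRecord::__wakeup');
        // Defensive: refuse anything that is not the shape __sleep() wrote.
        if (!is_string($this->name) || strlen($this->name) > 64) {
            throw new UnexpectedValueException('bad LegacyRecord payload');
        }
        $this->dbHandle = 'reconnected';        // reinitialisation work
    }
    public function __toString(): string
    {
        Trace::add('LegacyRecord::__toString');
        return "LegacyRecord({$this->name})";
    }
    public function __destruct()
    {
        Trace::add('LegacyRecord::__destruct');
    }
}

class ModernRecord
{
    public function __construct(public string $name = 'modern') {}

    public function __serialize(): array
    {
        Trace::add('ModernRecord::__serialize');
        return ['n' => $this->name];            // any array, not raw properties
    }
    public function __unserialize(array $data): void
    {
        Trace::add('ModernRecord::__unserialize');
        $this->name = (string) ($data['n'] ?? '');
    }
    public function __wakeup(): void
    {
        Trace::add('ModernRecord::__wakeup');   // not reached: __unserialize wins
    }
}

function run_trace(): array
{
    Trace::$log = [];
    $s   = serialize(new LegacyRecord());       // __sleep; temp object's __destruct
    $obj = unserialize($s);                     // __wakeup
    echo $obj, "\n";                            // __toString
    unset($obj);                                // __destruct (last reference gone)

    $m = unserialize(serialize(new ModernRecord()));   // __serialize, __unserialize
    unset($m);
    return Trace::$log;
}

print_r(run_trace());
```

Running it shows that __destruct fires twice for LegacyRecord (once for the temporary passed to serialize(), once when the deserialized copy is released), that __toString only appears because the object was echoed, and that ModernRecord::__wakeup never appears because __unserialize takes precedence. From the defender's side, the throw inside __wakeup is the point: a class that validates its own restored state stops an attacker-supplied property value before any later method, including __destruct, can act on it.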
Now let’s start understanding PHP insecure deserialization exploitation with a practical demo.
Log in to your own account and notice the session cookie contains a serialized PHP object.
From the site map, notice that the website references the file /libs/CustomTemplate.php. Right-click on the file and select “Send to Repeater”.
![php Insecure Deserialization vulnerabilities 8 custom template php](https://blog.certcube.com/wp-content/uploads/2024/05/custom-template-php.png)
In Burp Repeater, notice that you can read the source code by appending a tilde (~) to the filename in the request line. In the source code, notice that the CustomTemplate class contains the __destruct() magic method. This calls unlink() on the lock_file_path attribute, which deletes the file at that path.
![php Insecure Deserialization vulnerabilities 9 destruct vulneraability](https://blog.certcube.com/wp-content/uploads/2024/05/destruct-vulneraability.png)
In Burp Decoder, use the correct syntax for serialized PHP data to create a CustomTemplate object with the lock_file_path attribute set to /home/carlos/morale.txt. Make sure to use the correct data type labels and length indicators. The final object should look like this:
O:14:"CustomTemplate":1:{s:14:"lock_file_path";s:23:"/home/carlos/morale.txt";}
Then Base64-encode and URL-encode this object and copy the result to your clipboard.
![php Insecure Deserialization vulnerabilities 10 modify session cookie](https://blog.certcube.com/wp-content/uploads/2024/05/modify-session-cookie.png)
Send a request containing the session cookie to Burp Repeater. In Burp Repeater, replace the session cookie with the modified one from your clipboard and send the request. The __destruct() magic method is automatically invoked and deletes Carlos’s file.
![php Insecure Deserialization vulnerabilities 11 replace sesion cookie](https://blog.certcube.com/wp-content/uploads/2024/05/replace-sesion-cookie.png)
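The cookie swap in this demo works because the application deserializes whatever class name the cookie names. A defender can inspect a session cookie before it reaches the application's unserialize() call and detect exactly this substitution. The following is an added example, not part of the lab write-up: it parses the cookie with allowed_classes set to false, so every O:/C: token becomes a __PHP_Incomplete_Class whose __PHP_Incomplete_Class_Name property reveals the requested class without instantiating it or running any magic method, and then compares the classes found against an allowlist. The sample cookies are constructed (the tampered one is the serialized object from the steps above), and the expectation that a legitimate session contains only a User object is an assumption.

```php
<?php
// Added example, not part of the lab write-up. Sample cookies are
// constructed; the expected session shape (only a User object) is assumed.
declare(strict_types=1);

// Walk a data-only unserialize() result and collect every class name that
// the payload asked for. Nothing here ever instantiates an application class.
function referenced_classes(mixed $value, array &$found = []): array
{
    if ($value instanceof __PHP_Incomplete_Class) {
        $props = (array) $value;                   // includes the class-name key
        $found[] = $props['__PHP_Incomplete_Class_Name'];
        unset($props['__PHP_Incomplete_Class_Name']);
        foreach ($props as $p) {                   // nested objects in properties
            referenced_classes($p, $found);
        }
    } elseif (is_array($value)) {
        foreach ($value as $p) {
            referenced_classes($p, $found);
        }
    }
    return array_values(array_unique($found));
}

function inspect_cookie(string $cookie, array $allowlist): array
{
    // rawurldecode keeps a literal '+' intact, unlike urldecode.
    $raw = base64_decode(rawurldecode($cookie), true);
    if ($raw === false) {
        return ['status' => 'reject', 'reason' => 'not base64'];
    }
    // allowed_classes=false: objects become __PHP_Incomplete_Class, so no
    // __wakeup()/__destruct() of an application class can run during parsing.
    $parsed = @unserialize($raw, ['allowed_classes' => false]);
    if ($parsed === false && $raw !== 'b:0;') {
        return ['status' => 'reject', 'reason' => 'malformed serialized data'];
    }
    $classes    = referenced_classes($parsed);
    $unexpected = array_values(array_diff($classes, $allowlist));
    return $unexpected
        ? ['status' => 'alert', 'classes' => $unexpected]
        : ['status' => 'ok', 'classes' => $classes];
}

// Constructed samples: a legitimate session, the tampered cookie from the
// demo, and the same object hidden inside an array.
$samples = [
    'legit'    => base64_encode('O:4:"User":2:{s:8:"username";s:5:"alice";s:12:"access_token";s:4:"abcd";}'),
    'tampered' => base64_encode('O:14:"CustomTemplate":1:{s:14:"lock_file_path";s:23:"/home/carlos/morale.txt";}'),
    'nested'   => base64_encode('a:1:{s:4:"user";O:14:"CustomTemplate":1:{s:14:"lock_file_path";s:23:"/home/carlos/morale.txt";}}'),
    'garbage'  => base64_encode('O:4:"User":9:{'),
];

foreach ($samples as $label => $cookie) {
    echo str_pad($label, 9), json_encode(inspect_cookie($cookie, ['User'])), "\n";
}
```

The first sample passes, the second and third raise an alert naming CustomTemplate, and the truncated one is rejected as malformed. The same check can be run over captured session cookies from access logs to find the moment a cookie started naming a class the session was never meant to contain. It is a detection aid, not a substitute for the fix: the application's own unserialize() call should either pass allowed_classes itself or, better, stop accepting serialized objects from the client at all.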