
Example Analysis of object injection in PHP

2025-02-28 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/03 Report--

The editor shares with you this example analysis of object injection in PHP. Since most people know little about it, this article is offered for your reference, and I hope you learn a lot from reading it. Let's get started!

Preface

Although this article is titled PHP object injection, the problem is essentially the incorrect use of PHP serialization. If you have read about the SESSION deserialization mechanism in PHP, you already have a general understanding of serialization. PHP object injection is, at its root, caused by deserializing untrusted data.

Basic knowledge

A PHP class may define magic functions (magic methods), which are triggered automatically when certain events happen to an object of that class. For example, __construct() is called when an object is created, __destruct() is called when an object is destroyed, and __toString() is called when the object is treated as a string. Common magic functions are __construct(), __destruct(), __toString(), __sleep() and __wakeup().

Examples are as follows:

Principle

Why use serialization at all? Mainly to make data easy to transmit: after the data is restored, its properties are unchanged. For example, when an object is deserialized, all the information about that object is preserved. You can also save the serialized value to a file and later read it back from the file and deserialize it when needed. In PHP, serialize() and unserialize() perform serialization and deserialization.

The danger of serialization is that if the serialized content is user-controllable, the user can inject a carefully constructed payload. When that content is deserialized, magic methods of the resulting object may be triggered, causing unexpected harm.

Object injection

In essence, the internal PHP implementations of serialize() and unserialize() are not vulnerable. The problem is caused by how the application handles objects, magic functions and serialization.
</gre_replace_placeholder_never_emitted>

Suppose a program uses a class to temporarily store logs in a file, and the log file is deleted when the class's __destruct() method is called.

The code is roughly as follows:

Logfile.php

Using LogClass in other classes

LogLogin.php

The above code is a normal use of the LogClass class to complete logging.

The following shows examples of the use of object injection vulnerabilities.

News.php

The code shown above uses a LogClass object and also accepts input from the user, which it deserializes into a User object.

When we submit the following data:

News.php?user=O:4:"User":2:{s:3:"age";i:20;s:4:"name";s:4:"John";}

Such input works normally, and this is the way the programmer intended it to be used.

However, if the submitted data is:

News.php?user=O:8:"LogClass":1:{s:11:"logfilename";s:9:".htaccess";}

Then the page finally outputs "delete .htaccess".

You can see that the constructed data caused the __destruct() method of LogClass to execute, which deleted an important configuration file of the Web site.

As the example shows, if user input is not strictly controlled and is passed to deserialization, a code execution vulnerability may result.

Injection point

PHP object injection generally depends on the program's own logic. For example, a User class defines __toString() for formatted output, but a File class also defines a __toString() method that reads a file and displays its contents. An attacker can therefore construct a File object through the deserialization meant for the User class and read the Web site's configuration file.

User.php

Normally we should pass in a string serialized from UserClass, such as user.php?usr=O:9:"UserClass":2:{s:3:"age";i:18;s:4:"name";s:3:"Tom";}, and the page ends up displaying "User Tom is 18 years old."

This is the intended way to use it.

But if the data we pass in is user.php?usr=O:9:"FileClass":1:{s:8:"filename";s:10:"config.php";}, the final output of the page is "filename has changed ==> config.php", and the __toString() method of FileClass is executed.

This allows you to read the source code in config.php.

Finding the vulnerability

This kind of vulnerability is generally hard to find. Although the demonstration looks simple, the required conditions are quite strict. Object injection vulnerabilities are usually found by auditing the source code: check whether the parameter of unserialize() is controllable and whether it is possible to deserialize an object of another class.

Defense

Test the various boundary conditions in the program.

Do not let the user control the parameter of unserialize(); consider passing the data with json_decode() instead.
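The article's own Logfile.php and News.php listings did not survive extraction, so the following is an added illustration (not the article's code) of the LogClass pattern described above, together with the two defenses just mentioned: restricting unserialize() with allowed_classes, and taking JSON instead. The class and function names, and the scratch file that stands in for .htaccess, are assumptions.

```php
<?php
// Added illustration, not the article's missing listings. LogClass follows the
// article's description: it appends log lines to a file and removes that file
// when the object is destroyed.
class LogClass {
    public $logfilename = '';
    public function __construct($filename) { $this->logfilename = $filename; }
    public function logdata($text) {
        file_put_contents($this->logfilename, $text . PHP_EOL, FILE_APPEND);
    }
    public function __destruct() {
        echo "delete {$this->logfilename}\n";
        @unlink($this->logfilename);
    }
}

class User { public $age = 0; public $name = ''; } // what News.php expects

// Vulnerable: unserialize() instantiates whatever class the string names, so a
// LogClass string arrives with a caller-chosen logfilename and its __destruct()
// runs as soon as the object is discarded.
function loadUserVulnerable($input) {
    return unserialize($input);
}

// Hardened (PHP 7.0+): allowed_classes restricts instantiation to User. Any other
// class name becomes __PHP_Incomplete_Class, whose magic methods never run.
function loadUserHardened($input) {
    $obj = unserialize($input, ['allowed_classes' => [User::class]]);
    return $obj instanceof User ? $obj : null;
}

// Preferred, as the article advises: accept JSON, which carries no class names.
function loadUserJson($json) {
    $d = json_decode($json, true);
    if (!is_array($d) || !isset($d['age'], $d['name'])) return null;
    $u = new User();
    $u->age = (int)$d['age'];
    $u->name = (string)$d['name'];
    return $u;
}

// Constructed demo: a scratch file stands in for the article's .htaccess.
$target = sys_get_temp_dir() . '/demo_log.txt';
file_put_contents($target, 'placeholder');
$payload = 'O:8:"LogClass":1:{s:11:"logfilename";s:' . strlen($target) . ':"' . $target . '";}';
loadUserHardened($payload);      // rejected as an incomplete class; the scratch file survives
loadUserVulnerable($payload);    // LogClass is built and its destructor deletes the file
var_dump(file_exists($target), loadUserJson('{"age":20,"name":"John"}'));
```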

That is all the content of the article "Example Analysis of object injection in PHP". Thank you for reading! I believe you now have some understanding of the topic. I hope the content shared here helps you; if you want to learn more, you are welcome to follow the industry information channel!


© 2024 shulou.com SLNews company. All rights reserved.
