Updated April 20, 2023
Introduction of PHP Object Injection
PHP object injection (also called PHP deserialization vulnerability) is an application-level vulnerability that can allow an attacker to carry out several kinds of malicious attacks, such as path traversal, code injection, application denial of service and SQL injection. Its cause is improperly sanitized user-supplied input being passed to PHP's unserialize() function. An attacker can inject arbitrary PHP objects into the application by passing specially crafted serialized strings through the vulnerable unserialize() call, and in the worst case this leads to remote code execution.
Syntax
The syntax of the unserialize() function in PHP is as follows:
unserialize(value);
where value is the serialized string to be unserialized. If this value is controlled by the user, it can lead to object injection.
Working of Object Injection in PHP
Object injection in PHP works as follows:
- PHP object injection (PHP deserialization vulnerability) is an application-level vulnerability that can allow an attacker to attempt several kinds of malicious attacks, such as path traversal, code injection, application denial of service and SQL injection.
- The cause of this vulnerability is improperly sanitized user-supplied input being passed to the unserialize() function in PHP.
- An attacker can inject arbitrary PHP objects into the application by passing specially crafted serialized strings through the vulnerable unserialize() call.
- In the worst case, this vulnerability leads to remote code execution.
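The following added example (not code from the original article) shows the mechanism described above and the corresponding mitigation: a class with a magic method, a constructed serialized string that names that class, and the same call hardened with the allowed_classes option. The class CacheEntry and its property are hypothetical.

```php
<?php
// Added example: why unserialize() on user-controlled input is dangerous,
// and how to harden it. Class and property names are hypothetical.

class CacheEntry
{
    public $key = 'default';

    // Magic methods such as __wakeup() and __destruct() run automatically
    // during or after deserialization. Whoever controls the serialized
    // string therefore controls which class is built and what its
    // properties contain when this code runs.
    public function __wakeup()
    {
        echo "__wakeup() ran for CacheEntry with key='{$this->key}'\n";
    }
}

// Constructed input standing in for a request parameter or cookie. The
// 'O:' token names a class the application never intended to receive here,
// and the property value is chosen by the sender, not by the application.
$untrusted = 'O:10:"CacheEntry":1:{s:3:"key";s:9:"injected!";}';

// VULNERABLE: unserialize() instantiates whatever class the string names,
// so CacheEntry::__wakeup() runs with attacker-chosen data.
$obj = unserialize($untrusted);
var_dump($obj instanceof CacheEntry);            // bool(true)

// HARDENED (PHP >= 7.0): refuse to build any object at all. The 'O:' token
// now yields a __PHP_Incomplete_Class and no CacheEntry code runs.
$safe = unserialize($untrusted, ['allowed_classes' => false]);
var_dump($safe instanceof __PHP_Incomplete_Class); // bool(true)

// If objects are genuinely needed, allow only specific classes. Caveat: the
// magic methods of every listed class still run, so they must be harmless
// when fed arbitrary property values.
$limited = unserialize($untrusted, ['allowed_classes' => [CacheEntry::class]]);

// Safer still for external data: a format with no class tokens, such as
// JSON, which cannot instantiate application classes at all.
$data = json_decode('{"key":"value"}', true, 512, JSON_THROW_ON_ERROR);
var_dump($data['key']);                           // string(5) "value"
```

Serialized data that the application itself produced and stores client-side (for example in a cookie) should additionally be protected with a MAC such as hash_hmac() and verified with hash_equals() before it ever reaches unserialize().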
Examples of PHP Object Injection
Examples are given below:
Example #1
PHP program to illustrate serialization and deserialization: an array is converted into a serialized string that can be stored anywhere, and the string is then restored with the unserialize() function:
Code:
<html>
<body>
<?php
#The array of data to be serialized is passed to the serialize function and the returned string is stored in a variable called value
$value = serialize(array("Welcome", "to", "PHP"));
#The returned string from the serialize() function is displayed as the output on the screen
echo "The data after serialization using serialize() function is as follows:\n";
echo $value;
#The serialized data is passed through the unserialize() function and the result is stored in a variable called result
$result = unserialize($value);
echo "<br>";
#The unserialized data is displayed as the output on the screen
echo "The data after deserialization using unserialize() function is as follows:\n";
echo "<br>";
var_dump($result);
?>
</body>
</html>
Output:
In the above program, the array to be serialized is passed to serialize() and the returned string is stored in the variable $value, which is then echoed. The serialized string is then passed to unserialize(), the result is stored in $result, and the restored array is displayed with var_dump(). The output is shown in the snapshot above.
Example #2
PHP program to illustrate serialization and deserialization: an array is converted into a serialized string that can be stored anywhere, and the string is then restored with the unserialize() function:
Code:
<html>
<body>
<?php
#The array of data to be serialized is passed to the serialize function and the returned string is stored in a variable called value
$value = serialize(array("Learning", "is", "fun"));
#The returned string from the serialize() function is displayed as the output on the screen
echo "The data after serialization using serialize() function is as follows:\n";
echo $value;
#The serialized data is passed through the unserialize() function and the result is stored in a variable called result
$result = unserialize($value);
echo "<br>";
#The unserialized data is displayed as the output on the screen
echo "The data after deserialization using unserialize() function is as follows:\n";
echo "<br>";
var_dump($result);
?>
</body>
</html>
Output:
In the above program, the array to be serialized is passed to serialize() and the returned string is stored in the variable $value, which is then echoed. The serialized string is then passed to unserialize(), the result is stored in $result, and the restored array is displayed with var_dump(). The output is shown in the snapshot above.
Example #3
PHP program to illustrate serialization and deserialization: an array is converted into a serialized string that can be stored anywhere, and the string is then restored with the unserialize() function:
Code:
<html>
<body>
<?php
#The array of data to be serialized is passed to the serialize function and the returned string is stored in a variable called value
$value = serialize(array("We", "love", "India"));
#The returned string from the serialize() function is displayed as the output on the screen
echo "The data after serialization using serialize() function is as follows:\n";
echo $value;
#The serialized data is passed through the unserialize() function and the result is stored in a variable called result
$result = unserialize($value);
echo "<br>";
#The unserialized data is displayed as the output on the screen
echo "The data after deserialization using unserialize() function is as follows:\n";
echo "<br>";
var_dump($result);
?>
</body>
</html>
Output:
In the above program, the array to be serialized is passed to serialize() and the returned string is stored in the variable $value, which is then echoed. The serialized string is then passed to unserialize(), the result is stored in $result, and the restored array is displayed with var_dump(). The output is shown in the snapshot above.