Exploiting PHP deserialization
Intro to PHP object injection vulnerabilities
Serialization is when an object in a programming language (say, a Java or PHP object) is converted into a format that can be stored or transferred. Deserialization is the opposite: the serialized object is read from a file or the network and converted back into an object.
Insecure deserialization vulnerabilities happen when applications deserialize objects without proper sanitization. An attacker can then manipulate serialized objects to change the program’s flow.
Today, let’s talk about PHP object injections. They are insecure deserialization vulnerabilities that happen when developers deserialize PHP objects recklessly.
Serialization in PHP
To understand PHP object injections, you have to first understand how PHP serializes and deserializes objects.
Serializing
When you need to store a PHP object or transfer it over the network, you use serialize() to pack it up.
serialize(): PHP object -> plain old string that represents the obj
When you need to use that data, use unserialize() to unpack and get the underlying object.
unserialize(): string…
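As an added example (not code from the original post), here is a hypothetical User class round-tripped through serialize() and unserialize(), with the serialized string format annotated, plus a helper that rebuilds input from an untrusted source without instantiating any class:

```php
<?php
// Added example: hypothetical User class, not from the original post.
class User {
    public $name;
    public $isAdmin;
    public function __construct(string $name, bool $isAdmin = false) {
        $this->name = $name;
        $this->isAdmin = $isAdmin;
    }
}

// serialize(): object -> string describing the class and its properties.
$packed = serialize(new User("alice"));
echo $packed, "\n";
// Output: O:4:"User":2:{s:4:"name";s:5:"alice";s:7:"isAdmin";b:0;}
//         O = object, 4 = length of class name, "User", 2 = property count,
//         then each property as  s:<len>:"<key>";<value>  (b:0 is boolean false).

// unserialize(): string -> live object again, with the class resolved by name.
$restored = unserialize($packed);
var_dump($restored instanceof User); // bool(true)

// Rebuild data that came from a client (cookie, hidden field, request body)
// without letting the string choose which classes get instantiated:
// allowed_classes => false turns every object in the payload into
// __PHP_Incomplete_Class, which we then reject, at any nesting depth.
function contains_incomplete_class($value): bool {
    if ($value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_incomplete_class($item)) {
                return true;
            }
        }
    }
    return false;
}

function unserialize_untrusted(string $data) {
    $value = @unserialize($data, ['allowed_classes' => false]);
    // unserialize() returns false on malformed input; 'b:0;' is the one legitimate false.
    if ($value === false && $data !== 'b:0;') {
        throw new UnexpectedValueException('malformed serialized input');
    }
    if (contains_incomplete_class($value)) {
        throw new UnexpectedValueException('object payload rejected in untrusted input');
    }
    return $value;
}

var_dump(unserialize_untrusted('a:1:{s:4:"name";s:5:"alice";}')); // array(1) { ["name"]=> "alice" }
```

For plain data interchange with clients, json_decode() avoids the question entirely, since JSON has no notion of PHP classes to resolve.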