PHP object injection (also called PHP deserialization) is an application-level vulnerability that can allow an attacker to attempt several kinds of malicious attacks, such as path traversal, code injection, application denial of service and SQL injection. Its cause is improperly sanitized user-supplied input being passed to the unserialize() function in PHP. By passing ad hoc serialized strings through the vulnerable unserialize() call, an attacker can inject arbitrary PHP objects into the application, and this vulnerability can lead to remote code execution.
Syntax
The syntax of the unserialize() function in PHP is as follows:
unserialize(value);
where value is the serialized string to be unserialized; when this value is controlled by the user, it can lead to object injection.
The working of serialization and deserialization in PHP, on which object injection relies, is illustrated by the examples given below:
PHP program illustrating the mechanism behind object injection: a given value is converted with serialize() into a string that can be stored anywhere, and is then restored using the unserialize() function:
Code:
<html>
<body>
<?php
# The array of data to be serialized is passed to the serialize() function and the returned string is stored in a variable called $value
$value = serialize(array("Welcome", "to", "PHP"));
# The returned string from the serialize() function is displayed as the output on the screen
echo "The data after serialization using serialize() function is as follows:\n";
echo $value;
# The serialized data is passed through the unserialize() function and the result is stored in a variable called $result
$result = unserialize($value);
echo "<br>";
# The unserialized data is displayed as the output on the screen
echo "The data after deserialization using unserialize() function is as follows:\n";
echo "<br>";
var_dump($result);
?>
</body>
</html>
Output:
In the above program, the array to be serialized is passed to serialize(), and the returned string is stored in the variable $value and displayed on the screen. The serialized string is then passed through unserialize(), the result is stored in $result, and the restored array is displayed with var_dump(). The output is shown in the snapshot above.
PHP program illustrating the mechanism behind object injection: a given value is converted with serialize() into a string that can be stored anywhere, and is then restored using the unserialize() function:
Code:
<html>
<body>
<?php
# The array of data to be serialized is passed to the serialize() function and the returned string is stored in a variable called $value
$value = serialize(array("Learning", "is", "fun"));
# The returned string from the serialize() function is displayed as the output on the screen
echo "The data after serialization using serialize() function is as follows:\n";
echo $value;
# The serialized data is passed through the unserialize() function and the result is stored in a variable called $result
$result = unserialize($value);
echo "<br>";
# The unserialized data is displayed as the output on the screen
echo "The data after deserialization using unserialize() function is as follows:\n";
echo "<br>";
var_dump($result);
?>
</body>
</html>
Output:
In the above program, the array to be serialized is passed to serialize(), and the returned string is stored in the variable $value and displayed on the screen. The serialized string is then passed through unserialize(), the result is stored in $result, and the restored array is displayed with var_dump(). The output is shown in the snapshot above.
PHP program illustrating the mechanism behind object injection: a given value is converted with serialize() into a string that can be stored anywhere, and is then restored using the unserialize() function:
Code:
<html>
<body>
<?php
# The array of data to be serialized is passed to the serialize() function and the returned string is stored in a variable called $value
$value = serialize(array("We", "love", "India"));
# The returned string from the serialize() function is displayed as the output on the screen
echo "The data after serialization using serialize() function is as follows:\n";
echo $value;
# The serialized data is passed through the unserialize() function and the result is stored in a variable called $result
$result = unserialize($value);
echo "<br>";
# The unserialized data is displayed as the output on the screen
echo "The data after deserialization using unserialize() function is as follows:\n";
echo "<br>";
var_dump($result);
?>
</body>
</html>
Output:
In the above program, the array to be serialized is passed to serialize(), and the returned string is stored in the variable $value and displayed on the screen. The serialized string is then passed through unserialize(), the result is stored in $result, and the restored array is displayed with var_dump(). The output is shown in the snapshot above.
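The examples above only round-trip arrays the program itself created; the vulnerability described at the start of the article arises when the string reaching unserialize() comes from the user. As an added example that is not from the original article, the following PHP 7.4+ script contrasts that vulnerable pattern with two defensive alternatives; the Preferences class, its __wakeup() method and the sample input are constructed here for illustration.

```php
<?php
// Added example (not part of the original article): why untrusted input must not
// reach unserialize() unrestricted, and two safer ways to handle such data.
// The Preferences class and the sample input below are constructed for illustration.

class Preferences
{
    public string $theme = 'light';

    // Magic method that unserialize() runs automatically while rebuilding the
    // object. Methods like this are what an injected object would trigger, so
    // their execution must never be reachable from user-controlled input.
    public function __wakeup(): void
    {
        echo "__wakeup() called for " . static::class . "\n";
    }
}

// Constructed sample standing in for an untrusted value such as $_COOKIE['prefs'].
// In a real deployment the user controls every byte of this string.
$untrusted = serialize(new Preferences());

// VULNERABLE: any class known to the application may be instantiated and its
// magic methods run, purely from the content of the string.
$obj = unserialize($untrusted);
var_dump(get_class($obj));

// HARDENED 1: forbid instantiation of every class (allowed_classes, PHP >= 7.0)
// and bound nesting depth (max_depth, PHP >= 7.4). Objects in the input become
// __PHP_Incomplete_Class and __wakeup() is never invoked.
$safe = unserialize($untrusted, ['allowed_classes' => false, 'max_depth' => 8]);
var_dump(get_class($safe));

// HARDENED 2 (preferred): do not use PHP's native serialization format for
// untrusted data at all. JSON can only yield arrays and scalars, so no
// application class can be instantiated by the decoder.
$json  = json_encode(['theme' => 'dark']);
$prefs = json_decode($json, true, 8, JSON_THROW_ON_ERROR);
var_dump($prefs['theme']);
```

Run from the command line with php; the first var_dump() shows the __wakeup() message followed by the class name, while the hardened call reports __PHP_Incomplete_Class and prints no such message.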
The above is the detailed content of PHP Object Injection. For more information, please follow other related articles on the PHP Chinese website!