PHP Object Injection

Requirements

1. PHP OOP basics (objects, classes, magic methods)
2. Serialization
3. Code execution leading to RCE
4. Source code review

Simple Class and Object ( ref )

Example Code

<?php

class LOL
{
    // A variable declared inside a class is a property
    public $var = "I am properties";

    // A function declared inside a class is a method
    public function hello()
    {
        return "I am method";
    }
}

// Create an object (instance) of the class and use its property and method
$obj = new LOL();

print $obj->var . "\r\n";
print $obj->hello() . "\r\n";

?>

Inside a class, variables are called properties and functions are called methods. So the example above has one property, $var, and one method, hello(). To use a class we need an object; the example shows how the property and the method of the class are accessed through $obj. Let's look at the result.

Magic Methods ( ref )

PHP has magic methods. You can read how they work in the referenced PHP documentation, or try them out as I did below.

Example Code

<?php

class LOL
{
    public $var = "I am properties";

    // Magic method: PHP calls it automatically when the object is created
    public function __construct()
    {
        print "__construct method called! \r\n";
    }

    public function hello()
    {
        return "I am method";
    }

    // Magic method: PHP calls it automatically when the object is destroyed
    public function __destruct()
    {
        print "__destruct method called! \r\n";
    }
}

$obj = new LOL();

print $obj->var . "\r\n";
print $obj->hello() . "\r\n";

?>

Running the example above is the quickest way to see how PHP magic methods work.

As the result shows, __construct is the first method to run when the script starts, so work that has to happen first is written there. __destruct runs last. We never call these methods ourselves; PHP calls them because they are magic methods.

Serialization, __wakeup Magic Method ( ref )

Serialization is used to transfer objects or arrays over a network; in practice arrays are serialized most often. So first we need to understand what serialization is and how the __wakeup and __sleep magic methods are tied to it.

Example Code

<?php

class LOL
{
    public $var = "I am properties";

    public function hello()
    {
        return "I am method";
    }

    // Magic method: PHP calls it automatically right after unserialize()
    public function __wakeup()
    {
        print "__wakeup method called! \r\n";
    }
}

$obj = new LOL();

// Turn the object into a string and print it
$serialized_data = serialize($obj);
print $serialized_data . "\r\n";
print "Before unserialized \r\n";
// Rebuild the object from the string; this triggers __wakeup()
$obj2 = unserialize($serialized_data);

?>

First we serialize an object and print the serialized data to see what it looks like. To see what happens after unserialize, I added a __wakeup magic method to the class and printed "Before unserialized" before calling unserialize() on the serialized data.

As the result shows, the __wakeup method is called right after unserialize(). Applications therefore put the instructions that should run after unserialization in __wakeup.

So what is the serialized data?

O:3:"LOL":1:{s:3:"var";s:15:"I am properties";}

O -> Object

3 -> length of the class name (3 characters)

LOL -> class name

1 -> number of properties

s:3:"var" -> string of 3 characters: the property name

s:15:"I am properties" -> string of 15 characters: the property value

Demo Video

In this demo video, we learn Object Injection using the XVWA lab. We inject a string into a property that the application left as NULL. After unserialize(), the __wakeup method is called automatically and our string is executed as PHP code by the eval() function.
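As an added example (not part of the original post or of XVWA), the script below shows why calling unserialize() on untrusted input lets __wakeup run on attacker-chosen data, and two standard fixes: the allowed_classes option and an HMAC over the serialized string. The LOL class is the post's; the tampered cookie value, the $secret and safeUnserialize() are constructed for this demo.

```php
<?php
// Added example, not from the original post. LOL is the post's class; the
// tampered cookie value, $secret and safeUnserialize() are constructed here.

class LOL
{
    public $var = "I am properties";

    public function __wakeup()
    {
        // In the XVWA demo this is where eval() runs; here it only reports.
        print "__wakeup called with var=" . $this->var . "\r\n";
    }
}

// Constructed attacker-controlled input (e.g. a cookie or a form field).
$untrusted = 'O:3:"LOL":1:{s:3:"var";s:9:"tampered!";}';

// 1. Vulnerable: any class named in the string is instantiated and its
//    __wakeup runs before the application has looked at the data.
unserialize($untrusted);               // __wakeup fires on attacker data

// 2. Mitigation A (PHP 7+): refuse to instantiate objects at all. PHP returns
//    a __PHP_Incomplete_Class placeholder and never calls __wakeup.
$obj = unserialize($untrusted, ['allowed_classes' => false]);
print get_class($obj) . "\r\n";        // placeholder class, not LOL

// 3. Mitigation B: accept only data the application itself produced, by
//    verifying an HMAC over the serialized string before unserializing it.
function safeUnserialize(string $data, string $mac, string $secret)
{
    $expected = hash_hmac('sha256', $data, $secret);
    if (!hash_equals($expected, $mac)) {
        return null;                   // forged or tampered: do not parse
    }
    return unserialize($data, ['allowed_classes' => [LOL::class]]);
}

$secret  = 'demo-secret';              // constructed; real keys come from config
$trusted = serialize(new LOL());
$mac     = hash_hmac('sha256', $trusted, $secret);

$genuine = safeUnserialize($trusted, $mac, $secret) instanceof LOL;
$forged  = safeUnserialize($untrusted, $mac, $secret) === null;
print ($genuine ? "genuine accepted" : "genuine rejected") . "\r\n";
print ($forged ? "forged rejected" : "forged accepted") . "\r\n";
```

Where object state does not need to cross trust boundaries at all, replacing serialize()/unserialize() with json_encode()/json_decode() removes the magic-method trigger entirely.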