Docs for PHP Object Injection Emulator (#329)
* docs added

* vuln code info
rjt-gupta authored and rnehra01 committed Jun 8, 2019
1 parent 8ce13d1 commit e68e79c
Showing 1 changed file with 20 additions and 0 deletions.
20 changes: 20 additions & 0 deletions docs/source/emulators.rst
Expand Up @@ -88,6 +88,24 @@ It emulates `PHP code injection`_ vuln. Usually, this type of vuln is found wher
functions like eval, assert. To mimic the functionality, user input is converted to the following code
``<?php eval('$a = user_input'); ?>`` and then passed to phpox to get php code emulation results.

PHP Object Injection Emulator
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
It emulates `PHP object injection`_ vuln. PHP allows object serialization So, this type of vulnerability occurs when not
properly sanitized input is passed to unserialize() PHP function. Exploiting this vulnerability involves Magic methods like
``__construct and __destruct`` which are called automatically when an object is created or destroyed and methods like
``__sleep and __wakeup`` are called when an object is serialized or unserialized. The input serialized object is
detected with regex pattern.

::

(^|;|{|})O:[0-9]+:
To mimic this functionality the user input is injected to a vulnerable custom class with magic methods and then it
is passed to php sandbox to get the injection results.

**Important Note:** You will need to expose the vulnerable code to the attacker using your own suitable method. The
default vulnerable code is `here`_. But you can always add your own custom class if needed.

CRLF Emulator
~~~~~~~~~~~~~
It emulates `CRLF`_ vuln. The attack is detected using ``\r\n`` pattern in the input. The parameter which looks suspicious
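
Review bot: The new PHP Object Injection paragraph lists ``__construct`` among the magic methods relevant to exploitation, but PHP's unserialize() does not run the constructor; the methods that fire on attacker-supplied serialized data are ``__wakeup`` and, later, ``__destruct``, so the sentence should separate "called on normal object creation" from "called during or after unserialize()". In the same paragraph, "PHP allows object serialization So, this type" needs a full stop, and ``__construct and __destruct`` / ``__sleep and __wakeup`` each wrap two names plus "and" in one literal; mark every method name on its own. As shown here the regex after ``::`` is not indented and runs straight into "To mimic this functionality", so please confirm it renders as a literal block with a blank line after it. The Important Note tells the operator to expose the vulnerable code "using your own suitable method" and to "add your own custom class" without saying where that class is configured; one sentence naming the place would make the note actionable.
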
Expand All @@ -100,5 +118,7 @@ is injected as a header with parameter name as header name and param value as he
.. _SQL injection: https://en.wikipedia.org/wiki/SQL_injection
.. _Command Execution: https://www.owasp.org/index.php/Command_Injection
.. _PHP Code Injection: https://www.owasp.org/index.php/Code_Injection
.. _PHP object injection: https://www.owasp.org/index.php/PHP_Object_Injection
.. _CRLF: https://www.owasp.org/index.php/CRLF_Injection
.. _manual: https://github.com/client9/libinjection/wiki/doc-sqli-python
.. _here: https://github.com/mushorg/tanner/blob/8ce13d1f7d4423ddaf0e7910781199be9b90ce40/tanner/emulators/php_object_injection.py#L16
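
Review bot: The ``here`` target added on the last line of this hunk points at a line anchor (``#L16``) on the parent commit 8ce13d1, so the docs will keep showing that snapshot even after the default vulnerable class in ``php_object_injection.py`` changes; either say in the text that the link is a pinned snapshot or reference the class by name so readers can find the current version. ``here`` is also a generic target name that can collide with any later "here" link in emulators.rst; a descriptive name such as ``default vulnerable code`` would be safer and reads better in the rendered sentence.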
