From e68e79cc3c479ea6d3b9d6825e5beba712ca6fd9 Mon Sep 17 00:00:00 2001 From: Rajat Gupta <35985127+rjt-gupta@users.noreply.github.com> Date: Sat, 8 Jun 2019 22:03:08 +0530 Subject: [PATCH] Docs for PHP Object Injection Emulator (#329) * docs added * vuln code info --- docs/source/emulators.rst | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/docs/source/emulators.rst b/docs/source/emulators.rst index 18405d99..8fe1fb75 100644 --- a/docs/source/emulators.rst +++ b/docs/source/emulators.rst @@ -88,6 +88,24 @@ It emulates `PHP code injection`_ vuln. Usually, this type of vuln is found wher functions like eval, assert. To mimic the functionality, user input is converted to the following code ```` and then passed to phpox to get php code emulation results. +PHP Object Injection Emulator +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +It emulates `PHP object injection`_ vuln. PHP allows object serialization So, this type of vulnerability occurs when not +properly sanitized input is passed to unserialize() PHP function. Exploiting this vulnerability involves Magic methods like +``__construct and __destruct`` which are called automatically when an object is created or destroyed and methods like +``__sleep and __wakeup`` are called when an object is serialized or unserialized. The input serialized object is +detected with regex pattern. + +:: + +(^|;|{|})O:[0-9]+: + +To mimic this functionality the user input is injected to a vulnerable custom class with magic methods and then it +is passed to php sandbox to get the injection results. + +**Important Note:** You will need to expose the vulnerable code to the attacker using your own suitable method. The +default vulnerable code is `here`_. But you can always add your own custom class if needed. + CRLF Emulator ~~~~~~~~~~~~~ It emulates `CRLF`_ vuln. The attack is detected using ``\r\n`` pattern in the input. The parameter which looks suspicious 
@@ -100,5 +118,7 @@ is injected as a header with parameter name as header name and param value as he .. _SQL injection: https://en.wikipedia.org/wiki/SQL_injection .. _Command Execution: https://www.owasp.org/index.php/Command_Injection .. _PHP Code Injection: https://www.owasp.org/index.php/Code_Injection +.. _PHP object injection: https://www.owasp.org/index.php/PHP_Object_Injection .. _CRLF: https://www.owasp.org/index.php/CRLF_Injection .. _manual: https://github.com/client9/libinjection/wiki/doc-sqli-python +.. _here: https://github.com/mushorg/tanner/blob/8ce13d1f7d4423ddaf0e7910781199be9b90ce40/tanner/emulators/php_object_injection.py#L16
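Review bot: In the first hunk (@@ -88,6 +88,24 @@), the pattern line `(^|;|{|})O:[0-9]+:` follows the `::` marker without indentation as shown here. reStructuredText only treats indented lines as a literal block, so the regex would render as an ordinary paragraph; indent it under the `::`. In the same section, ``__construct and __destruct`` and ``__sleep and __wakeup`` each wrap two method names plus the word "and" in a single literal; mark each method name separately. "PHP allows object serialization So, this type..." needs a period or a lowercase "so". The text should also say what the pattern covers: it matches only `O:` followed by digits and a colon, at the start of the input or right after `;`, `{` or `}`. Finally, the Important Note asks the operator to expose the vulnerable code "using your own suitable method" without saying what that involves, and "add your own custom class" does not say where the class goes; one sentence on each would make the note actionable.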
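Review bot: In the second hunk (@@ -100,5 +118,7 @@), `.. _here:` is a generic target name that any later "here" link in emulators.rst would collide with; use a descriptive name for the target and for the matching `here`_ reference in the new section, or use an inline link instead. The URL is also pinned to one commit with a `#L16` line anchor, so the sentence "The default vulnerable code is `here`_" will keep pointing at that snapshot if the default class later changes; either say that the link shows the code as of this commit or link to the file without the pinned hash.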