diff --git a/docs/source/emulators.rst b/docs/source/emulators.rst index 18405d99..8fe1fb75 100644 --- a/docs/source/emulators.rst +++ b/docs/source/emulators.rst @@ -88,6 +88,24 @@ It emulates `PHP code injection`_ vuln. Usually, this type of vuln is found wher functions like eval, assert. To mimic the functionality, user input is converted to the following code ```` and then passed to phpox to get php code emulation results. +PHP Object Injection Emulator +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +It emulates `PHP object injection`_ vuln. PHP allows object serialization So, this type of vulnerability occurs when not +properly sanitized input is passed to unserialize() PHP function. Exploiting this vulnerability involves Magic methods like +``__construct and __destruct`` which are called automatically when an object is created or destroyed and methods like +``__sleep and __wakeup`` are called when an object is serialized or unserialized. The input serialized object is +detected with regex pattern. + +:: + +(^|;|{|})O:[0-9]+: + +To mimic this functionality the user input is injected to a vulnerable custom class with magic methods and then it +is passed to php sandbox to get the injection results. + +**Important Note:** You will need to expose the vulnerable code to the attacker using your own suitable method. The +default vulnerable code is `here`_. But you can always add your own custom class if needed. + CRLF Emulator ~~~~~~~~~~~~~ It emulates `CRLF`_ vuln. The attack is detected using ``\r\n`` pattern in the input. The parameter which looks suspicious @@ -100,5 +118,7 @@ is injected as a header with parameter name as header name and param value as he .. _SQL injection: https://en.wikipedia.org/wiki/SQL_injection .. _Command Execution: https://www.owasp.org/index.php/Command_Injection .. _PHP Code Injection: https://www.owasp.org/index.php/Code_Injection +.. _PHP object injection: https://www.owasp.org/index.php/PHP_Object_Injection .. _CRLF: https://www.owasp.org/index.php/CRLF_Injection .. _manual: https://github.com/client9/libinjection/wiki/doc-sqli-python +.. _here: https://github.com/mushorg/tanner/blob/8ce13d1f7d4423ddaf0e7910781199be9b90ce40/tanner/emulators/php_object_injection.py#L16