From 834d954dbc8722f99fb7f702c68a883d928d7bcb Mon Sep 17 00:00:00 2001 From: rjt-gupta Date: Sat, 8 Jun 2019 14:52:22 +0530 Subject: [PATCH 1/2] docs added --- docs/source/emulators.rst | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/docs/source/emulators.rst b/docs/source/emulators.rst index 18405d99..6886be45 100644 --- a/docs/source/emulators.rst +++ b/docs/source/emulators.rst @@ -88,6 +88,21 @@ It emulates `PHP code injection`_ vuln. Usually, this type of vuln is found wher functions like eval, assert. To mimic the functionality, user input is converted to the following code ```` and then passed to phpox to get php code emulation results. +PHP Object Injection Emulator +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +It emulates `PHP object injection`_ vuln. PHP allows object serialization So, this type of vulnerability occurs when not +properly sanitized input is passed to unserialize() PHP function. Exploiting this vulnerability involves Magic methods like +``__destruct or __construct`` which are called automatically when an object is created or destroyed and methods like +``__sleep or __wakeup`` are called when an object is serialized and unserialized. The input serialized object is +detected with regex pattern. + +:: + +(^|;|{|})O:[0-9]+: + +To mimic this functionality the user input is injected to a vulnerable custom class with magic methods and then it +is passed to php sandbox to get the injection results. + CRLF Emulator ~~~~~~~~~~~~~ It emulates `CRLF`_ vuln. The attack is detected using ``\r\n`` pattern in the input. The parameter which looks suspicious 
@@ -100,5 +115,6 @@ is injected as a header with parameter name as header name and param value as he .. _SQL injection: https://en.wikipedia.org/wiki/SQL_injection .. _Command Execution: https://www.owasp.org/index.php/Command_Injection .. _PHP Code Injection: https://www.owasp.org/index.php/Code_Injection +.. _PHP object injection: https://www.owasp.org/index.php/PHP_Object_Injection .. _CRLF: https://www.owasp.org/index.php/CRLF_Injection .. _manual: https://github.com/client9/libinjection/wiki/doc-sqli-python From 90bc55eab745e62d24aae41277b90e90308f20e5 Mon Sep 17 00:00:00 2001 From: rjt-gupta Date: Sat, 8 Jun 2019 17:43:46 +0530 Subject: [PATCH 2/2] vuln code info --- docs/source/emulators.rst | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/docs/source/emulators.rst b/docs/source/emulators.rst index 6886be45..8fe1fb75 100644 --- a/docs/source/emulators.rst +++ b/docs/source/emulators.rst @@ -92,8 +92,8 @@ PHP Object Injection Emulator ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ It emulates `PHP object injection`_ vuln. PHP allows object serialization So, this type of vulnerability occurs when not properly sanitized input is passed to unserialize() PHP function. Exploiting this vulnerability involves Magic methods like -``__destruct or __construct`` which are called automatically when an object is created or destroyed and methods like -``__sleep or __wakeup`` are called when an object is serialized and unserialized. The input serialized object is +``__construct and __destruct`` which are called automatically when an object is created or destroyed and methods like +``__sleep and __wakeup`` are called when an object is serialized or unserialized. The input serialized object is detected with regex pattern. :: 
@@ -103,6 +103,9 @@ detected with regex pattern. To mimic this functionality the user input is injected to a vulnerable custom class with magic methods and then it is passed to php sandbox to get the injection results. +**Important Note:** You will need to expose the vulnerable code to the attacker using your own suitable method. The +default vulnerable code is `here`_. But you can always add your own custom class if needed. + CRLF Emulator ~~~~~~~~~~~~~ It emulates `CRLF`_ vuln. The attack is detected using ``\r\n`` pattern in the input. The parameter which looks suspicious @@ -118,3 +121,4 @@ is injected as a header with parameter name as header name and param value as he .. _PHP object injection: https://www.owasp.org/index.php/PHP_Object_Injection .. _CRLF: https://www.owasp.org/index.php/CRLF_Injection .. _manual: https://github.com/client9/libinjection/wiki/doc-sqli-python +.. _here: https://github.com/mushorg/tanner/blob/8ce13d1f7d4423ddaf0e7910781199be9b90ce40/tanner/emulators/php_object_injection.py#L16
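Review bot: in the first hunk of PATCH 1/2 (PHP Object Injection Emulator section), the pattern after `::` is not indented, so docutils will not treat `(^|;|{|})O:[0-9]+:` as a literal block; it reports "Literal block expected; none found" and renders the regex as an ordinary paragraph. Indent it by at least one space (`    (^|;|{|})O:[0-9]+:`) so the `::` introducer does what the author intends. Two wording points in the same hunk: "PHP allows object serialization So, this type" needs a full stop before "So", and ``__destruct or __construct`` puts the word "or" inside the literal markup, so it renders in monospace as though it were part of a method name; mark each method up separately (``__destruct`` or ``__construct``).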
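Review bot: the first hunk of PATCH 2/2 fixes the method order but still leaves "and" inside the literals (``__construct and __destruct``, ``__sleep and __wakeup``), so the rendered docs show a single monospace token rather than two method names. The sentence is also inaccurate about which hooks matter here: it says ``__construct`` runs when an object is created, but objects rebuilt by unserialize() never go through the constructor, so the methods this emulator relies on are the ones PHP fires on unserialization and destruction. Suggested replacement for the two changed lines: "Exploitation of this vulnerability relies on magic methods such as ``__wakeup`` and ``__destruct``, which PHP calls automatically when an object is unserialized or destroyed." Keep ``__sleep`` only if the emulator actually serializes objects on the way out.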
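Review bot: the "Important Note" hunk tells the operator to "expose the vulnerable code to the attacker using your own suitable method" but gives no reason and no method, which leaves a reader of the emulator docs unable to act on it. State the reason (the emulator only triggers on a serialized object for a class the sender already knows, so the honeypot must make the class definition reachable somewhere a scanner would look) and name at least one concrete way the project expects this to be done, or drop the sentence until one exists. Likewise "you can always add your own custom class if needed" should say where the class is registered (which file or setting the emulator reads) so that a custom class is actually picked up. The link text "here" is uninformative in rendered docs; prefer naming the file: "The default vulnerable class is in ``tanner/emulators/php_object_injection.py``."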
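Review bot: the new `.. _here:` target in the last hunk points at a commit-pinned permalink with a line anchor (`#L16`), which is the right choice for a line reference since a branch URL would drift, but the target name `here` is meaningless in the targets list at the foot of emulators.rst. Rename it to something descriptive such as `.. _default vulnerable class:` (and update the reference in the Important Note to match), and add a short comment noting that the pinned commit needs to be bumped whenever the class in `php_object_injection.py` changes.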