The Ultimate SQL Injection Cheat Sheet SQL Injection is the most commonly found vulnerability in web applications according to Open Web Application Security Project (OWASP). Cheatsheet to exploit and learn SQL Injection manually. View On GitHub; This project is maintained by AdmiralGaust. First try to figure out the vulnerable parameter; NOTE: If it’s a GET request don’t forget to url encode the characters.
- Https://www.owasp.org/index.php/sql_injection_prevention_cheat_sheet
- Sqlite Injection Cheat Sheet
- Oracle Sql Injection Cheat Sheet
- Pentestmonkey Sql Injection Cheat Sheet
Description of the vulnerability
PHP Object Injection is an application level vulnerability that could allow an attacker to perform different kinds of malicious attacks, such as Code Injection, SQL Injection, Path Traversal and Application Denial of Service, depending on the context.
The vulnerability occurs when user-supplied input is not properly sanitized before being passed to the unserialize() PHP function.
In order to successfully exploit a PHP Object Injection vulnerability two conditions must be met:
- The application must have a class which implements a PHP magic method (such as __wakeup or __destruct) that can be used to carry out malicious attacks, or to start a “POP chain”.
- All of the classes used during the attack must be declared when the vulnerable unserialize() is being called, otherwise object autoloading must be supported for such classes.
Example:
Known Vulnerable Software
| Software | Version | Reference |
|---|---|---|
| WordPress | 3.6.1 | https://nvd.nist.gov/vuln/detail/CVE-2013-4338 |
| Magento | 1.9.0.1 | https://magento.com/security/patches/supee-10415 |
| Joomla | 3.0.3 | https://packetstormsecurity.com/files/121442/Joomla-3.0.3-PHP-Object-Injection.html |
| IP Board | 3.3.4 | https://www.exploit-db.com/exploits/22398/ |
| Dotclear | 2.6.1 | https://www.cvedetails.com/cve/CVE-2014-1613/ |
| OpenCart | 1.5.6.4 | http://karmainsecurity.com/KIS-2014-08 |
| CubeCart | 5.2.0 | http://karmainsecurity.com/KIS-2013-02 |
| Drupal | 7.34 | https://websec.wordpress.com/2015/01/09/drupal-7-34-admin-php-object-injection/ |
| vBulletin | 5.1.0 | https://blog.sucuri.net/2014/03/security-exploit-patched-on-vbulletin-php-object-injection.html |
| Tuelap | 7.6-4 | http://karmainsecurity.com/KIS-2014-13 |
| Moodle | 2.5.0 | http://disse.cting.org/2013/09/16/2013-09-16-moodle-2-5-0-1-badges-external-object-injection |
| WHMCS | 5.2.12 | http://security-geeks.blogspot.com/2013/11/whmcs-5112-php-object-injectoin.html |
PHP Magic Methods
| __construct() | __set() | __toString() |
| __destruct() | __isset() | __invoke() |
| __call() | __unset() | __set_state() |
| __callStatic() | __sleep() | __clone() |
| __get() | __wakeup() | __debugInfo() |
Examples of PHP Object Injection
Exploit with the __destruct method
Vulnerable code:
Payload:
Exploit with the __wakeup in the unserialize function
Vulnerable code:
Payload:
Authentication bypass - Type juggling
Vulnerable code:
Payload:
Authentication bypass - Object reference
Vulnerable code:
Payload:
Authentication bypass - Object reference
Vulnerable code:
Payload:
Others exploits
Reverse Shell
Finding and using gadgets (PHPGGC)
Https://www.owasp.org/index.php/sql_injection_prevention_cheat_sheet
Sqlite Injection Cheat Sheet
PHPGGC is a library of unserialize() payloads along with a tool to generate them, from command line or programmatically. When encountering an unserialize on a website you don’t have the code of, or simply when trying to build an exploit, this tool allows you to generate the payload without having to go through the tedious steps of finding gadgets and combining them.
Example:
Oracle Sql Injection Cheat Sheet
Thanks to
Pentestmonkey Sql Injection Cheat Sheet
This article is composed of information found on the folowing links (+ plus some minor additions). I use this article to quick observe or demonstrate situations and as a personal reference to all the infromation needed in exploiting the PHP Object Injection Vulnerability.