PHP SQL Injection Cheat Sheet



The Ultimate SQL Injection Cheat Sheet. SQL Injection is the most commonly found vulnerability in web applications according to the Open Web Application Security Project (OWASP). Cheatsheet to exploit and learn SQL Injection manually. This project is maintained by AdmiralGaust. First try to figure out the vulnerable parameter. NOTE: If it's a GET request, don't forget to URL-encode the characters.


Description of the vulnerability

PHP Object Injection is an application level vulnerability that could allow an attacker to perform different kinds of malicious attacks, such as Code Injection, SQL Injection, Path Traversal and Application Denial of Service, depending on the context.

The vulnerability occurs when user-supplied input is not properly sanitized before being passed to the unserialize() PHP function.

In order to successfully exploit a PHP Object Injection vulnerability two conditions must be met:

  • The application must have a class which implements a PHP magic method (such as __wakeup or __destruct) that can be used to carry out malicious attacks, or to start a “POP chain”.
  • All of the classes used during the attack must be declared when the vulnerable unserialize() is being called, otherwise object autoloading must be supported for such classes.
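
The difference between the vulnerable call and a restricted one, as an added example that is not part of the original page. `CacheEntry`, `load_unsafe` and `load_hardened` are hypothetical names, the destructor only records that it ran, and PHP 7.1 or later is assumed.

```php
<?php
// Added example (not from the original page); all names are hypothetical.
final class CacheEntry
{
    public static $destructed = [];
    public $path = '';

    // Magic method: runs whenever an instance is destroyed. Here it only
    // records that it ran, so the effect is visible and harmless.
    public function __destruct()
    {
        self::$destructed[] = $this->path;
    }
}

// Unsafe pattern: any declared class can be instantiated from the input,
// and its magic methods then run on state chosen by the sender.
function load_unsafe(string $input)
{
    return unserialize($input);
}

// Hardened: no class is instantiated (objects become __PHP_Incomplete_Class)
// and only a flat array of scalars is accepted.
function load_hardened(string $input): ?array
{
    $value = @unserialize($input, ['allowed_classes' => false]);
    $ok = is_array($value)
        && count(array_filter($value, 'is_scalar')) === count($value);
    return $ok ? $value : null;
}

// Constructed sample input: a serialized CacheEntry, as a client could send it.
$entry = new CacheEntry();
$entry->path = '/tmp/demo';
$wire = serialize($entry);
unset($entry);                     // the local object's destructor runs here
CacheEntry::$destructed = [];      // reset so only unserialize() effects count

load_unsafe($wire);                // object is created, then destroyed
echo 'unsafe, destructor calls: ', count(CacheEntry::$destructed), PHP_EOL;

CacheEntry::$destructed = [];
var_dump(load_hardened($wire), load_hardened(serialize(['theme' => 'dark'])));
echo 'hardened, destructor calls: ', count(CacheEntry::$destructed), PHP_EOL;
```

Where the stored data is only arrays and scalars, `json_encode()`/`json_decode()` avoids object instantiation entirely.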

Example:

Known Vulnerable Software

| Software | Version | Reference |
|---|---|---|
| WordPress | 3.6.1 | https://nvd.nist.gov/vuln/detail/CVE-2013-4338 |
| Magento | 1.9.0.1 | https://magento.com/security/patches/supee-10415 |
| Joomla | 3.0.3 | https://packetstormsecurity.com/files/121442/Joomla-3.0.3-PHP-Object-Injection.html |
| IP Board | 3.3.4 | https://www.exploit-db.com/exploits/22398/ |
| Dotclear | 2.6.1 | https://www.cvedetails.com/cve/CVE-2014-1613/ |
| OpenCart | 1.5.6.4 | http://karmainsecurity.com/KIS-2014-08 |
| CubeCart | 5.2.0 | http://karmainsecurity.com/KIS-2013-02 |
| Drupal | 7.34 | https://websec.wordpress.com/2015/01/09/drupal-7-34-admin-php-object-injection/ |
| vBulletin | 5.1.0 | https://blog.sucuri.net/2014/03/security-exploit-patched-on-vbulletin-php-object-injection.html |
| Tuleap | 7.6-4 | http://karmainsecurity.com/KIS-2014-13 |
| Moodle | 2.5.0 | http://disse.cting.org/2013/09/16/2013-09-16-moodle-2-5-0-1-badges-external-object-injection |
| WHMCS | 5.2.12 | http://security-geeks.blogspot.com/2013/11/whmcs-5112-php-object-injectoin.html |

PHP Magic Methods

__construct()     __set()       __toString()
__destruct()      __isset()     __invoke()
__call()          __unset()     __set_state()
__callStatic()    __sleep()     __clone()
__get()           __wakeup()    __debugInfo()

Examples of PHP Object Injection


Exploit with the __destruct method

Vulnerable code:

Payload:

Exploit with the __wakeup in the unserialize function

Vulnerable code:

Payload:

Authentication bypass - Type juggling

Vulnerable code:

Payload:

Authentication bypass - Object reference

Vulnerable code:

Payload:

Authentication bypass - Object reference

Vulnerable code:

Payload:

Other exploits

Reverse Shell

Finding and using gadgets (PHPGGC)


PHPGGC is a library of unserialize() payloads along with a tool to generate them, from command line or programmatically. When encountering an unserialize on a website you don’t have the code of, or simply when trying to build an exploit, this tool allows you to generate the payload without having to go through the tedious steps of finding gadgets and combining them.

Example:


Thanks to


This article is composed of information found on the following links (plus some minor additions). I use this article to quickly observe or demonstrate situations and as a personal reference for all the information needed in exploiting the PHP Object Injection vulnerability.