Insecure Deserialization

Serialization is the process of converting data into a format suitable for transport, often in the form of a byte stream. Deserialization is the opposite process, it transforms the data that was provided into an object. An insecure deserialization vulnerability occurs when untrusted data is being deserialized. The deserialization vulnerability can result in many different consequences, such as arbitrary reading of files, improper access control, remote code execution, and much more.

Imagine the following PHP code:

This PHP code takes the user's input from the input GET parameter, base64-decodes it, and then deserializes the decoded value.

Since we control the data that the server deserializes, we are able to interact with the class filehandler. This class contains the method __wakeup, a PHP magic method that is executed every time an object is recreated from serialized data.
We can use this magic method to read arbitrary files on the target system with a payload such as:
O:11:"filehandler":1:{s:4:"file";s:11:"/etc/passwd";}

Let's quickly dig into the payload and explain its structure:

  • O:11

    The O indicates that the serialized value is an object, and the number that follows is the byte length of its class name. In this case the class is filehandler, which is 11 bytes long.

  • :1

    The :1 that comes after the class name means that only one argument (property) will be passed to the object.

  • s:4:"file";s:11:"/etc/passwd"

    Finally, we pass the argument to the filehandler object. The s:4 indicates that the name of the argument is a string (s) with a byte length of four, and the argument's name is file. What follows the semicolon after the name is the value of our argument: s:11:"/etc/passwd", an 11-byte string which we have set to /etc/passwd.

As you can see from the payload we sent above, we received the contents of the file /etc/passwd. This is because the magic method __wakeup was executed during deserialization.

The code sees the file argument in our payload and uses its value (/etc/passwd) in the file_get_contents(...) function, which exposes the file contents.
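To make this concrete, here is an added example (not the page's own code) that reconstructs, as an assumption, the filehandler class and unserialize() call the text describes, and places a hardened handler next to it so the difference is visible.

```php
<?php
// Added example, not code from the original page. The filehandler class and the
// vulnerable handler are an assumed reconstruction of what the text describes.

class filehandler
{
    public $file;

    // Magic method: runs every time unserialize() rebuilds a filehandler object.
    public function __wakeup()
    {
        echo file_get_contents($this->file);
    }
}

// Vulnerable: any class named in the payload is instantiated and its __wakeup() runs.
function handle_vulnerable(string $encoded)
{
    return unserialize(base64_decode($encoded));
}

// Hardened: refuse to instantiate any class. An "O:" entry in the payload becomes a
// __PHP_Incomplete_Class placeholder and no magic method fires. If real objects are
// required, use a strict allow-list instead: ['allowed_classes' => ['SafeDto']].
// Where possible, prefer a data-only format such as JSON over unserialize().
function handle_hardened(string $encoded)
{
    $raw = base64_decode($encoded, true); // strict decoding rejects malformed input
    if ($raw === false) {
        return null;
    }
    $value = unserialize($raw, ['allowed_classes' => false]);

    // Detection point: a placeholder object means someone sent a serialized class,
    // which a legitimate client of this endpoint never does. Log it for review.
    if ($value instanceof __PHP_Incomplete_Class) {
        error_log('unserialize(): blocked object instantiation in untrusted input');
    }
    return $value;
}

// The payload from the text, base64-encoded as the endpoint expects.
$payload = base64_encode('O:11:"filehandler":1:{s:4:"file";s:11:"/etc/passwd";}');

// handle_vulnerable($payload) would run __wakeup() and print /etc/passwd.
$result = handle_hardened($payload);
var_dump($result instanceof __PHP_Incomplete_Class);
```

The hardened handler still deserializes scalars and arrays normally; only class instantiation is blocked, which is what turns the __wakeup gadget off.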

Trainings

You can test your practical skills in our official challenges now that you have learned the basics of how to exploit an insecure deserialization vulnerability.