Serialization is the process of converting data into a format suitable for transport, often a byte stream. Deserialization is the opposite process: it transforms the provided data back into an object. An insecure deserialization vulnerability occurs when untrusted data is deserialized. Such a vulnerability can have many different consequences, such as arbitrary reading of files, improper access control, remote code execution, and much more.

Imagine the following PHP code:
This PHP code takes the user's input from the GET parameter input, base64 decodes it, and then deserializes its value.
Since we control the data that the server deserializes, we can interact with the class filehandler. This class contains the method __wakeup, a magic PHP method that is executed every time an object is recreated from serialized data.
We can use this magic method to read arbitrary files on the target system with a payload such as:
Let's quickly dig into the payload and explain its structure:
O refers to the class that the object will use; in this case it is filehandler, which has a byte length of 11.
:1, which comes after the class name, means that only one argument will be passed to the object.
Finally, we pass the argument to the
s:4 indicates that the name of the argument is a string (s) with a byte length of four, and the argument variable name is file. After the semicolon that follows our argument comes the value of the passed argument, which we have set to
As you can see in the payload we sent above, we were able to receive the content of the file /etc/passwd. This is because the magic method __wakeup was executed during deserialization. The code sees the file argument in our given payload and uses its value (/etc/passwd) in the get_file_contents(...) function that exposes the file contents.
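The following PHP is an added example written for this page, not the article's own code. It shows the unsafe pattern the article describes (a filehandler class whose __wakeup reads a file, fed straight from a base64-decoded GET parameter) next to two defensive variants: refusing to instantiate any class with the allowed_classes option of unserialize(), and binding the serialized blob to a server-side HMAC so only data the server itself produced is ever deserialized. The class name filehandler, the input parameter and the payload shape follow the article; the function names, the SIGNING_KEY constant and the sample blobs are assumptions. The article writes the file read as get_file_contents(...); this example uses PHP's built-in file_get_contents.

```php
<?php
// Added example (not the article's code). Demonstrates why default unserialize()
// on user input is dangerous and two ways to take that capability away.

class filehandler {
    public $file;

    // Magic method: runs automatically whenever unserialize() rebuilds an object
    // of this class. If the serialized data is attacker-controlled, the attacker
    // chooses $file and this read happens without any further application logic.
    public function __wakeup() {
        echo file_get_contents($this->file);
    }
}

// UNSAFE: default unserialize() instantiates whatever class the payload names,
// so an "O:11:"filehandler"..." token triggers __wakeup above. Never call this
// on request data; it is here only for contrast with the two loaders below.
function unsafe_load(string $b64) {
    return unserialize(base64_decode($b64));
}

// SAFER 1: forbid object instantiation entirely. Any "O:" token in the payload
// becomes a __PHP_Incomplete_Class instance, whose magic methods are never run.
// Use this when the data is meant to be arrays and scalars only.
function load_no_classes(string $b64) {
    $data = base64_decode($b64, true);   // strict mode: reject non-base64 input
    if ($data === false) {
        return null;
    }
    return unserialize($data, ['allowed_classes' => false]);
}

// SAFER 2: sign serialized data the server hands out, and verify before
// deserializing. Assumed key: generate 32 random bytes, store it outside the
// web root, never hard-code it as done here for the sake of a runnable example.
const SIGNING_KEY = 'replace-with-32-random-bytes';

function sign_blob(string $serialized): string {
    $mac = hash_hmac('sha256', $serialized, SIGNING_KEY);   // hex, contains no '|'
    return base64_encode($mac . '|' . $serialized);
}

function load_signed(string $b64) {
    $raw = base64_decode($b64, true);
    if ($raw === false || strpos($raw, '|') === false) {
        return null;                                          // malformed: no MAC present
    }
    list($mac, $serialized) = explode('|', $raw, 2);
    $expected = hash_hmac('sha256', $serialized, SIGNING_KEY);
    if (!hash_equals($expected, $mac)) {                      // constant-time compare
        // A bad MAC on this path is a tampering signal worth logging for detection.
        error_log('deserialization: bad MAC from ' . ($_SERVER['REMOTE_ADDR'] ?? 'cli'));
        return null;
    }
    // Defence in depth: even signed data is loaded without class instantiation.
    return unserialize($serialized, ['allowed_classes' => false]);
}

if (PHP_SAPI === 'cli') {
    // Constructed input with the payload shape the article dissects. It is
    // harmless to both safe loaders because no filehandler object is ever built.
    $payload = base64_encode('O:11:"filehandler":1:{s:4:"file";s:11:"/etc/passwd";}');

    var_dump(load_no_classes($payload) instanceof __PHP_Incomplete_Class);
    var_dump(load_signed($payload));                                     // unsigned: rejected
    var_dump(load_signed(sign_blob(serialize(['file' => 'report.txt']))));  // server-signed: accepted
}
```

Run it with php on the command line: the first check is true (the object token was neutralised into __PHP_Incomplete_Class and __wakeup never ran), the unsigned payload is rejected with NULL, and only the blob the server signed itself comes back as an array. In real code, prefer a format that cannot express objects at all (JSON via json_decode) for anything that crosses a trust boundary; the signed variant is for cases where the PHP serialization format must be kept, and allowed_classes => false (or an explicit whitelist of plain data classes) should still be applied after the MAC check.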
You can test your practical skills in our official challenges now that you have learned the basics of how to exploit an insecure deserialization vulnerability.