PHP Object Injection

PHP Object Injection is a vulnerability that occurs when user-controlled input is passed to PHP's unserialize() function. Attackers can inject serialized PHP objects that, when deserialized, trigger magic methods to execute malicious code or manipulate application state.

How It Works

PHP's serialization format represents objects as strings. When unserialize() reconstructs such an object, PHP invokes its magic methods automatically: __wakeup() as soon as the object is rebuilt, __destruct() when the object is later destroyed, and __toString() when it is used as a string. If a class with a useful magic method is loaded (or autoloadable) at the time of the call, the attacker chooses which class is instantiated and what its property values are.

Vulnerable Code Example

<?php
// Exploitable class already present in the application
class FileHandler {
    public $filename;
    public function __destruct() {
        unlink($this->filename);  // Deletes the file when the object is destroyed
    }
}

// Vulnerable: unserializing user-controlled input. FileHandler is in scope,
// so an attacker-supplied O:11:"FileHandler" object is instantiated and its
// __destruct() runs as soon as $data goes out of scope.
$data = unserialize($_COOKIE['session']);

// Attacker payload (shown before URL-encoding):
// O:11:"FileHandler":1:{s:8:"filename";s:11:"/etc/passwd";}
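
A hardened counterpart to the cookie handling above, added here as an example and not part of the original page: the cookie is authenticated with an HMAC before it is parsed, and unserialize() is called with allowed_classes => false so that even a well-formed O:11:"FileHandler" payload is restored as __PHP_Incomplete_Class and never reaches FileHandler::__destruct(). The COOKIE_SECRET constant and the encodeCookie()/decodeCookie() helper names are assumptions.

```php
<?php
// Added example (not from the original page): defensive handling of a
// serialized session cookie. The secret is assumed to be provisioned out of band.
const COOKIE_SECRET = 'replace-with-a-random-32-byte-secret'; // assumption

// Same class as in the vulnerable example; it stays in scope on purpose
// to show that the hardened decoder never instantiates it.
class FileHandler {
    public $filename;
    public function __destruct() {
        unlink($this->filename);
    }
}

// Encode: serialize the session array, then append an HMAC over the bytes.
function encodeCookie(array $session): string {
    $payload = serialize($session);
    $mac = hash_hmac('sha256', $payload, COOKIE_SECRET);
    return base64_encode($payload) . '.' . $mac;
}

// Decode: verify the MAC in constant time, then unserialize with classes
// disabled. Returns null for anything that fails verification.
function decodeCookie(string $cookie): ?array {
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$b64, $mac] = $parts;
    $payload = base64_decode($b64, true);
    if ($payload === false) {
        return null;
    }
    $expected = hash_hmac('sha256', $payload, COOKIE_SECRET);
    if (!hash_equals($expected, $mac)) {
        return null; // tampered or forged cookie: never reaches unserialize()
    }
    // allowed_classes => false (PHP >= 7.0): any object in the payload becomes
    // __PHP_Incomplete_Class, so no application __wakeup()/__destruct() fires.
    $data = unserialize($payload, ['allowed_classes' => false]);
    return is_array($data) ? $data : null;
}

// Constructed inputs: the payload from the text above with a bogus MAC,
// and a legitimately issued cookie.
$forged = base64_encode('O:11:"FileHandler":1:{s:8:"filename";s:11:"/etc/passwd";}') . '.badmac';
var_dump(decodeCookie($forged));                      // rejected at the MAC check
var_dump(decodeCookie(encodeCookie(['uid' => 42])));  // round-trips the array
```

Where the application does not need PHP objects in the cookie at all, replacing serialize()/unserialize() with json_encode()/json_decode() removes the magic-method surface entirely.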

Common Magic Methods

  • __wakeup(): Called immediately after an object is unserialized
  • __destruct(): Called when an object is destroyed (for example, when it goes out of scope)
  • __toString(): Called when an object is used as a string
  • __call(): Called when an inaccessible or undefined method is invoked on an object

Exploitation Goals

  • Remote code execution via gadget chains
  • Arbitrary file deletion or modification
  • SQL injection through object properties
  • Authentication bypass by manipulating session objects

See Also