PHP Serialization Pollution Attack

Written by AbiusX on 02/10/2012. Posted in Computer, English, Security

PHP Serialization has a fatal flaw which allows for pollution of the scope and global context of an application, as well as running arbitrary code in some scenarios if sources of taint are allowed in. It is a very high impact attack but requires in-depth evaluation criteria and careful inspection to be caught.
I have prepared a lab to explore and try this attack, available at:

PHP Serialization Pollution Lab

Give it a try and let me know what you think. I suggest you do a lot of debugging on the code and master its exact running flow. Don't forget that the source code of that page is available at:

https://abiusx.com/lab/hacking/serialize.src.php

I'm gonna describe this with details in a much later date.

Tags: Challenge, Lab, PHP Serialize, PHP Serialize Security, PHP Unserialize, Serialization security, Serialize Flaw, Serialize Security

Trackback from your site.

Comments (4)

Hessam

31/10/2012 at 2:21 pm | #

My solution :
we send this serialized data to overwrite sessions through the __destruct() function:

O:14:”PasswordSetter”:2:{s:8:”username”;s:5:”admin”;s:8:”password”;s:4:”1337″;}

Afterward we can login with “admin” username and “1337” password.

Reply
masood

02/11/2013 at 4:49 pm | #

please fix this page :

PHP Serialization Pollution Lab(404 NOT found ERROR)

Reply
- AbiusX
  
  15/11/2013 at 9:17 pm | #
  
  Apparently because of the new website structure I can’t :D It poses a security risk!
  
  Reply
abhiyall

12/09/2014 at 7:12 am | #

can u please share the source

Reply

Comments (4)

Leave a comment