PHP Object Injection

PHP Object Injection (POI) is a vulnerability that allows an attacker to modify a PHP object in such a way that the application flow changes. This in turn leads to outcomes such as remote code execution, directory traversal, and so on. The main culprit is user-supplied input being passed to an unserialize() call, which reconstructs objects from the supplied data and can thereby cause attacker-influenced code to run. The situation is in fact so dire that the official PHP documentation for unserialize() carries the following warning:

Note

Do not pass untrusted user input to unserialize(). Unserialization can result in code being loaded and executed due to object instantiation and autoloading, and a malicious user may be able to exploit this. ...
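As an added example (not code from the book), the following shows the vulnerable pattern described above next to a hardened handler. The TempFileCleaner class, the cookie-backed preferences and the function names are assumed for illustration.

```php
<?php
// Hypothetical application class: its destructor cleans up a file. Any object
// that unserialize() instantiates gets this destructor run for free, so an
// injected object with an attacker-chosen $path controls which file is removed.
class TempFileCleaner
{
    public string $path;

    public function __construct(string $path)
    {
        $this->path = $path;
    }

    public function __destruct()
    {
        if (is_file($this->path)) {
            unlink($this->path);
        }
    }
}

// VULNERABLE: raw cookie data goes straight into unserialize(), so every class
// named in the payload (and its magic methods) is instantiated.
function loadPreferencesVulnerable(string $cookie): array
{
    $prefs = unserialize($cookie);
    return is_array($prefs) ? $prefs : [];
}

// HARDENED: 'allowed_classes' => false (PHP >= 7.0) turns every object in the
// payload into __PHP_Incomplete_Class, so no __wakeup/__destruct ever runs;
// 'max_depth' (PHP >= 7.4) bounds nesting. Anything that is not a flat array
// of scalars is rejected, which is all a preferences cookie should ever hold.
function loadPreferencesHardened(string $cookie): array
{
    $prefs = @unserialize($cookie, ['allowed_classes' => false, 'max_depth' => 4]);
    if (!is_array($prefs)) {
        return [];
    }
    foreach ($prefs as $key => $value) {
        if (!is_string($key) || !is_scalar($value)) {
            return []; // nested arrays/objects are not valid preferences
        }
    }
    return $prefs;
}

// BEST: do not use PHP's native serialization for user-controlled data at all;
// json_decode() with assoc=true can only ever produce arrays and scalars.
function loadPreferencesJson(string $cookie): array
{
    $prefs = json_decode($cookie, true, 4);
    return is_array($prefs) ? $prefs : [];
}
```

Both hardened variants remove the instantiation step entirely, which is the property to check for in code review: no class should be reachable from the bytes a user controls.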
