PHP Serialization / Object Injection Vulnerability Part 1 : Basics of PHP Serialization and Magic Function

The PHP Object Injection Vulnerability allows an attacker to modify a PHP object in a way that it changes the application flow, which leads to Remote code execution, Path traversal, DOS attack etc.

The serialization vulnerability occurs when user-supplied input is not properly sanitized before being passed to the unserialize() PHP function. Since PHP allows object serialization, attackers could pass crafted serialized strings to a vulnerable unserialize() call, which resulting in an arbitrary PHP object(s) injection into the application scope.

Now lets look some basic concept behind Serialization/unserialization :

 PHP Serialization :

The PHP allows Object Serialization, means with serialization process we can store php objects as string for later use.  For object serialization serialize() function is used, and it returns the string representation of php object. For example :

Filename : srl1.php
  class MyApp {
    public $name = 'Bruce Wayne';
    public $age = 45;

  $obj = new MyApp;
  echo serialize($obj);
At above there is a php class 'MyApp' which contains 2 class variables name and age, 'obj' is an object of class 'MyApp' and the last line will print serialized string of object 'obj'. The output is
 O:5:"MyApp":2:{s:4:"name";s:11:"Bruce Wayne";s:3:"age";i:45;}
As we can see the above represent the serialized version of the object 'obj'. Some of the details are :
  • O:5:"MyApp" : The first 'O' represents the class, 3 5 represents the length of characters of class name and 'MyApp' is name of class.
  • :2: '' represents the number of class variables. 
  • s:4:"name";,  where 's' represents the string, 4 is  number character and then the value itself. 
  • Similarly  s:11:"Bruce Wayne"; and s:3:"age"; is same as above.
  • i:45, where i represents the integer value and 45 is its value.
The table below shows the various serialization formats :

After that for deserialization of the data unserialize() function is used. Now lets try to unserialize the above output.

Filename : srl2.php
  class MyApp {
    public $name;
    public $age;

    public function print() {
      echo 'Name : ' . $this->name . '<br/>';
      echo 'Age : ' . $this->age;

  $data = 'O:5:"MyApp":2:{s:4:"name";s:11:"Bruce Wayne";s:3:"age";i:45;}';
  $obj = unserialize($data);
At above code the stored object data is deserialized with unserializ() function. The Output is :
 Name : Bruce Wayne
 Age : 45

PHP Magic Functions :

In PHP, magic functions are special built-in functions, which can automatically get called when certain events occured, and this perticular functionality of Magic functions can be used to exploit the Object Injection vulnerability. The name of magic functions are starts with double underscore sign "__", for example "construct", "__destruct" etc. Some of the magic functions are :

__construct() : It executes when a new object is created in php. The construct function is basically used for initialization process of object.

__destruct() : The destruct function is called when there is no other reference to a particular object, or during the shutdown sequence of program.

__sleep() : It executes just before the serialization.

__wakeup() : It executes just after the deserialization.

Now lets see an example of above magic functions.

Filename : magic.php
  class MyApp {
    public $name = "Bruce Wayne";
    public $age = 45;

    public function printMe() {
      echo "Name: " . $this->name . "<br/>";
      echo "Age: " . $this->age . "<br/>";

    public function __construct() {
      echo "[*] __construct() is Called.<br/>";

    public function __destruct() {
      echo "[*] __destruct() is Called.<br/>";

    public function __wakeup() {
      echo "[*] __wakeup() is Called.<br/>";


  $obj = new MyApp; // object is created, 

  $data = serialize($obj);

  $newObj = unserialize($data);

Output of the above code is :
 [*] __construct() is Called.
 [*] __wakeup() is Called.
 Name: Bruce Wayne
 Age: 45
 [*] __destruct() is Called.
 [*] __destruct() is Called.
Now in object injection attack , the __destruct() function is used.

You can download above php codes from here : Github_link

Conclusion :

In this post we learnt the use of serialization function and also the use of magic functions. Now in next post we are going to look about exploitation method of PHP Object Injection.

PHP Object Injection Part 2 : Exploitation Technique