
PHP Object Injection & Serialization Vulnerabilities

Mukarram Khalid • November 27, 2016


PHP Object Injection vulnerabilities can be fairly hard to exploit in a black-box penetration testing scenario. In this video tutorial, I'm going to show how serialization vulnerabilities actually work in PHP, covering the basics of PHP Object Injection and serialization vulnerabilities using some test applications.

Serialization Vulnerabilities in Other Languages

Serialization vulnerabilities are not unique to PHP. They exist in different languages under different names. For example, we've heard a lot about Java deserialization vulnerabilities, which can lead to code execution. Similar vulnerabilities exist in the Python pickle module, which can lead to code execution while unpickling the data. So, make sure you never pass untrusted data to deserialization functions.

PHP Classes & Objects

In object-oriented programming, a class is an extensible code template for creating objects, providing initial values for state properties and implementing different behaviors (methods). This is what a class looks like in PHP.


class Test
{
    public $name = 'makman';   // a property with an initial value
}

$object = new Test;            // create an object (instance) of the class

Magic Methods

Magic methods are special methods in PHP that the engine calls automatically when certain events occur. This is what makes them useful for exploiting PHP Object Injection vulnerabilities: in most cases they run without the application ever calling them explicitly. For example, __destruct() is called as soon as there are no other references to a particular object, or in any order during the shutdown sequence. You can read more about magic methods in the official PHP documentation.
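The following script, added here as an illustration and not part of the original post, makes the point concrete: it traces which magic methods PHP calls when an object is created with `new` versus rebuilt by `unserialize()`. The `Tracer` class is constructed for this demonstration; note that `unserialize()` never runs the constructor, but `__wakeup()` and, later, `__destruct()` still fire.

```php
<?php
// Added example (not from the original post): which magic methods run when an
// object is created normally versus restored by unserialize().
class Tracer
{
    public $name = 'demo';

    public function __construct()
    {
        echo "__construct() called\n";
    }

    // Called by unserialize() after the properties have been restored.
    public function __wakeup()
    {
        echo "__wakeup() called for {$this->name}\n";
    }

    // Called when the last reference to the object goes away, or at shutdown.
    public function __destruct()
    {
        echo "__destruct() called for {$this->name}\n";
    }
}

echo "--- new Tracer ---\n";
$obj = new Tracer;              // __construct() runs here
$obj->name = 'original';

echo "--- serialize ---\n";
$s = serialize($obj);
echo $s, "\n";                  // O:6:"Tracer":1:{s:4:"name";s:8:"original";}

echo "--- unserialize ---\n";
// No constructor runs: the object is rebuilt straight from the string,
// then __wakeup() fires. __destruct() fires as soon as $copy is released.
$copy = unserialize($s);
unset($copy);

echo "--- script end ---\n";
// $obj still exists, so its __destruct() runs during the shutdown sequence.
```

Run it from the command line with `php tracer.php`; the order of the printed lines shows that the serialized string alone (class name plus property values) is enough for PHP to build the object and invoke its hooks, which is exactly why the string must never come from an untrusted source.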

Example App 1

To show you guys how to exploit PHP Object Injection, I've created a test application.


class App
{
    public $logFile = 'logs.txt';
    public $logData = 'test';

    public function checkServices()
    {
        echo '[+] Checking Services.<br>';
        $this->logData = 'Success';
    }

    // Runs automatically when the object is destroyed, including for objects
    // rebuilt by unserialize(); this is what makes the class exploitable.
    public function __destruct()
    {
        file_put_contents(__DIR__ . '/' . $this->logFile, $this->logData);
        echo '[+] Logs written to log file.<br>';
    }
}

// Untrusted input is passed straight to unserialize(): this is the vulnerability.
$userInput = $_GET['data'] ?? '';
$someData = unserialize($userInput);

$app = new App;

For the exploitation part, please refer to the video.
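For the defensive side, here is the `unserialize()` call from Example App 1 rewritten so that attacker-supplied data can never instantiate application classes. This is an added example, not code from the original post or the video; it assumes PHP 7.0 or later for the `allowed_classes` option, and the `App` class below echoes a marker instead of writing a file so the script can be run safely.

```php
<?php
// Added example (not from the original post): hardened input handling for
// Example App 1. Requires PHP >= 7.0 for unserialize()'s options array.
class App
{
    public $logFile = 'logs.txt';
    public $logData = 'test';

    public function __destruct()
    {
        // Stand-in for the file write in Example App 1: if this ever prints
        // for unserialized input, the protection has failed.
        echo "[!] App::__destruct() ran\n";
    }
}

function isScalarOrArray($value): bool
{
    if (is_array($value)) {
        foreach ($value as $v) {
            if (!isScalarOrArray($v)) {
                return false;
            }
        }
        return true;
    }
    return is_scalar($value) || $value === null;
}

function loadUntrusted(string $input)
{
    // allowed_classes => false: every O:... token in the input becomes a
    // __PHP_Incomplete_Class stub, so no __wakeup() or __destruct() of our
    // own classes can run. unserialize() returns false on malformed input.
    $value = @unserialize($input, ['allowed_classes' => false]);

    if ($value === false && $input !== serialize(false)) {
        throw new InvalidArgumentException('Malformed serialized data');
    }
    // Defence in depth: accept only plain scalar/array data, never objects.
    if (!isScalarOrArray($value)) {
        throw new InvalidArgumentException('Objects are not accepted here');
    }
    return $value;
}

// Constructed inputs for the demonstration.
$benign = serialize(['user' => 'makman', 'page' => 2]);
// A serialized App with its default property values (hand-written so that no
// real App object is created, and therefore no __destruct() runs, while
// building the sample).
$object = 'O:3:"App":2:{s:7:"logFile";s:8:"logs.txt";s:7:"logData";s:4:"test";}';

var_dump(loadUntrusted($benign));   // array(2) { ["user"]=> ... ["page"]=> ... }

try {
    loadUntrusted($object);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";    // Objects are not accepted here
}
// The "[!] App::__destruct() ran" marker is never printed for the second input.
```

The `allowed_classes` option is the single most effective fix when `unserialize()` cannot be removed, but it only neutralises object injection; the structural check afterwards is there so that an incomplete-class stub is not silently passed on to code that expects an array.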

Example App 2

For the second example, I'm going to use the Xtreme Vulnerable Web Application (XVWA) created by s4n7h0.

Closing Notes

Serialization functions should be used with great care. In most cases, you can use JSON encoding instead of serialization, which is comparatively easier to handle safely.
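As an added example of the recommendation above (not code from the original post), here is data that round-trips through the client encoded as JSON instead of with `serialize()`. It also adds an HMAC, which goes one step beyond the post's advice: tampered data is rejected before it is decoded at all. `SECRET` is a placeholder that would come from configuration, and `JSON_THROW_ON_ERROR` requires PHP 7.3 or later.

```php
<?php
// Added example (not from the original post): JSON plus HMAC in place of
// serialize()/unserialize() for data that travels through the client.
const SECRET = 'placeholder-replace-with-a-random-secret-from-config';

function encodeForClient(array $data): string
{
    $json = json_encode($data, JSON_THROW_ON_ERROR);   // PHP >= 7.3
    $mac  = hash_hmac('sha256', $json, SECRET);
    return base64_encode($json) . '.' . $mac;
}

function decodeFromClient(string $token): array
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) {
        throw new InvalidArgumentException('Malformed token');
    }
    [$b64, $mac] = $parts;
    $json = base64_decode($b64, true);
    if ($json === false) {
        throw new InvalidArgumentException('Malformed token');
    }
    // Constant-time comparison so the MAC check does not leak timing.
    if (!hash_equals(hash_hmac('sha256', $json, SECRET), $mac)) {
        throw new InvalidArgumentException('Bad signature');
    }
    // $assoc = true returns arrays only. JSON has no notion of a class name,
    // so nothing here can instantiate App or trigger __destruct().
    return json_decode($json, true, 512, JSON_THROW_ON_ERROR);
}

// Constructed round trip with the same field names as Example App 1.
$token = encodeForClient(['logFile' => 'logs.txt', 'logData' => 'test']);
var_dump(decodeFromClient($token));

// Tampered copy: change the first character of the payload part.
$tampered = 'x' . substr($token, 1);
try {
    decodeFromClient($tampered);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";   // Bad signature
}
```

If the data only needs to survive between requests on the server (a session, a cache entry), keep it server-side and send the client an opaque identifier instead; the signed-JSON pattern is for the cases where the data genuinely has to leave the server and come back.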