This repository provides a demonstration of PHP Object Injection vulnerability for educational purposes. It is designed to show how serialized objects can be exploited when user input is not sanitized properly.
- PHP installed on your machine.
- A local server like XAMPP or WAMP.
- Installation of Server: If you haven't set up XAMPP or WAMP, install one of them first.
- Setting up the Application:
- Clone this repository or download the
php-object-injection-app
folder. - Move the
php-object-injection-app
folder to thehtdocs
directory of your XAMPP or WAMP installation.
- Clone this repository or download the
-
Start Your Local Server: Launch XAMPP or WAMP and start the Apache service.
-
Access the Application: Open your browser and navigate to:
http://localhost/php-object-injection-app/index.php
You should see a form prompting you to enter a serialized payload.
-
Generating the Payload:
- Navigate to the
generate_payload.php
file in your browser by visiting:http://localhost/php-object-injection-app/generate_payload.php
- This will display the serialized payload which you can then use.
- Navigate to the
-
Using the Payload with
curl
: You can send the payload using thecurl
command as follows:curl -X POST -d "payload=O:15:\"VulnerableClass\":1:{s:7:\"command\";s:21:\"echo \"Hello, World!\";\";}" http://localhost/php-object-injection-app/index.php
-
Manually Inputting the Payload: Alternatively, you can copy the generated payload from the
generate_payload.php
output and paste it into the form on theindex.php
page, then submit.
This application is intentionally vulnerable and is designed for learning and educational purpose only. It serves to highlight the risks of PHP Object Injection.
- Do NOT host this application on a public server.
- Do NOT use patterns from this application in any real-world application.
- Always sanitize and validate user input.
- Be cautious of using
unserialize()
especially with user-supplied data.