Practical PHP Object Injection

Presented at Kiwicon 9: Cyberwar Is Hell (2015), Dec. 11, 2015, 4:15 p.m. (30 minutes)

While many in infosec may have heard of object injection, not a lot of people have experience exploiting it. This talk will examine the state of PHP object injection in widely used PHP libraries at present; which libraries are vulnerable, and which libraries have useful classes that let you turn that unserialize() into remote code execution. While not a new class of vulnerability, object injection is not covered anywhere near as much as typical web application vulnerability classes, but can have severe consequences when successfully exploited. The talk will kick off with some background theory, and progress through the process of finding object injection, building weaponised POP chains, and utilizing those POP chains for successful object injection exploitation in some widely used PHP libraries today.

Presenters:

• Brendan Jamieson / hyprwired   as hyprwired
  hyprwired (aka Brendan Jamieson) is a security consultant for Insomnia Security, based out of Wellington. He is active in the .nz infosec community, having spoken at Wellington's ISIG and been involved in previous Kiwicons; as a speaker, trainer, and event organiser [of last year's Hamiltr0n CTF (and this year's sequel)].

Links:

• https://2015.kiwicon.org/the-con/talks/#e207

Similar Presentations:

• DEF CON 23 (2015) / Hacking SQL Injection for Remote Code Execution on a LAMP stack
• Black Hat USA 2011 / WORKSHOP - The Art of Exploiting Lesser Known Injection Flaws
• AppSec USA 2016 / Lightning Talk - Automated Gadget Chain Generation for Object Injections