Skip to content

PHP Unserialize Check - Burp Scanner Extension

Notifications You must be signed in to change notification settings

PortSwigger/php-object-injection-check

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

14 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

PHP Unserialize Check

This Burp Scanner Extension tries to find PHP Object Injection Vulnerabilities.

It passes a serialized PDO object to the found injection points. If PHP tries to unserialize this object a fatal exception is thrown triggered in the object's __wakeup() method (ext/pdo/pdo_dbh.c):

static PHP_METHOD(PDO, __wakeup)
{
zend_throw_exception_ex(php_pdo_get_exception(), 0, "You cannot serialize or unserialize PDO instances");
}

If display_errors is disabled, this will result in a 500 Internal Server Error. If this is the case the check will try to unserialize a stdClass object and an empty array. If either one returns a 200 OK, it is assumed that the code is vulnerable to PHP Object Injection.

If display_errors is enabled, the fatal exception is returned to the user, making it easier to detected the vulnerability.

Based on http://blog.portswigger.net/2012/12/sample-burp-suite-extension-custom_20.html

alt tag

About

PHP Unserialize Check - Burp Scanner Extension

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • Java 99.8%
  • HTML 0.2%