24 Jul

WordPress Plugin for Use in Testing for PHP Object Injection

Last month we introduced something new to our service, we are proactively monitoring changes to the WordPress plugins to see if they include some easy to spot vulnerabilities in them. We currently are restricting that to the most serious vulnerabilities due to amount of time it requires to do even that (if we had more customers we could justify expanding that further). One of the types of vulnerabilities we are monitoring for are PHP object injection vulnerabilities, as that is something that we have seen hackers exploiting on a fairly wide scale in the past. That has lead to us having to review more possible instances of that type of vulnerability and that in turn lead to us coming up with a simpler method to test if there is in fact an exploitable vulnerability. Seeing as this type of vulnerability looks to be under-noticed and our solution is so simple, we decide to share it.

The first part is a plugin, which can be downloaded here and then installed in the root plugin directory, /wp-content/plugins/.

The code in that is the following (we said it was simple):

<?php
/*
Plugin Name: PHP Object Injection Test
Plugin URI: https://www.pluginvulnerabilities.com/
Description: Allows for easy testing of PHP object injection vulnerabilities. Displays message "PHP object injection has occurred." when "O:20:"PHP_Object_Injection":0:{}" is unserialized.
Version: 1.0
Author: White Fir Design
Author URI: https://www.pluginvulnerabilities.com/
License: GPLv2

Copyright 2017 White Fir Design

This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; only version 2 of the License is applicable.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
*/

class PHP_Object_Injection {
   function __wakeup() {
		exit('PHP object injection has occurred.');
   }
}

?>

The first part of the plugin’s code is the file headers needed to allow the file to be recognized as a plugin and then it defines a class “php_object_injection”. When the plugin is active and the PHP object

O:20:"PHP_Object_Injection":0:{}

is unserialized the  __wakeup() function in the class will run. As the code is written that will cause the script to stop running and the message “PHP object injection has occurred.” to be shown, indicating that PHP object has occurred. You can change what the __wakeup() function does to something else, say have it log certain data at that point, depending on your needs.

If you find a PHP objection vulnerability in a WordPress plugin (or any other vulnerability in one) we would appreciate if you let us know that so that we can add it to our data set.

Leave a Reply

Your email address will not be published. Required fields are marked *