What is PHP Injection?
A PHP object injection is an application-level vulnerability that can enable threat actors to perform malicious attacks like SQL injection, path traversal, code injection, and application denial of service (DoS).
There are three main types of PHP injection:
- PHP Object Injection, in which attackers pass malicious input to the PHP unserialize function, causing it to be executed on the server.
- Remote Code Execution (RCE), in which threat actors upload a file with malicious PHP scripts to your server.
- SQL Injection, in which attackers exploit vulnerable PHP code that accepts input for a back-end database without sanitizing them.
Types of PHP Vulnerabilities
PHP Object Injection
A PHP object vulnerability occurs when developers fail to sanitize user-supplied input before it is passed to the unserialize function. Because PHP allows the serialization of objects, threat actors can pass malicious serialized strings, resulting in an injection of arbitrary PHP objects into the application.
For threat actors to inject PHP objects, several conditions are required:
- Vulnerable unserialize function that does not sanitize inputs properly.
- The application uses PHP magic methods, like __destruct or __wakeup. These can be used to carry out the attack or to start a Property Oriented Programming (POP) chain—chaining together existing code elements for malicious intent.
- Classes implementing magic methods must be declared when the vulnerable unserialize function is called, or object autoloading must be enabled.
Remote Code Execution (RCE)
RCE happens when a threat actor uploads code into your website and executes it. Typically, the source of the issue is a PHP bug that accepts user input and then evaluates it as PHP code. For example, threat actors can exploit a RCE vulnerability to create a file that contains a malicious script, designed to let the actor gain access to the target website.
SQL Injection
This type of attack exploits PHP code that accepts inputs for a back end database without sanitizing them. This allows a threat actor to send malicious instructions to the database. The instructions are then executed by the database. Typically, SQL injection vulnerabilities are a result of a development error. For example, a developer may take input from a website visitor and pass it to the database without first checking it for malicious code.
A successful SQL injection can provide a threat actor with access to sensitive data, and may allow threat actors to create and add new data into your database. This data may contain malware, or be used to add malicious pages or elements to a website. In some cases attackers may be able to create an administrator account, which will give them persistent access to the database and website.
PHP Injection Example
PHP injections are often carried out by exploiting the PHP eval function. This function executes strings as PHP code, and is commonly used for debugging. If the eval function exists in a production web application, it can lead to injection attacks.
Take the following statement, which echoes a parameter to the browser:
When this line is executed, the PHP interpreter will evaluate the text in the product_name URL parameter. The expected value is something like this:
However, an attacker can add PHP code to the parameter, causing this code to be executed as part of the eval expression:
If user inputs are not sanitized properly, this causes PHP to echo the product name (kitchen_towels), but then also execute the phpinfo function. This gives the attacker insights into system internals which they can use to plan an attack – such as PHP version, operating system, etc.
A more severe outcome is an injection of the system function, which can run operating system commands. This is effectively a command injection attack. For example, the attacker can add the Linux command rm -r to delete all content in a directory on the server.
This will only be successful if the system function is enabled in interpreter settings.
PHP Injection Prevention
Sanitize User Input in PHP 5.5 and Lower
If you’re using an older version of PHP (5.5 and lower, which is common in shared hosting services), it is best to use the function mysql_real_escape_string to handle user inputs. This function removes special characters from a string provided by a user.
For example, any string with a single quote, for example the text “I’m hungry”, can be used to manipulate the database query and perform SQL injection. The escape string function escapes the quote like this: “I\’m hungry”, which mitigates the attack and prevents query manipulation.
However, in PHP 7, this method does not exist, and you will need to use prepared statements.
Use Prepared Statements in PHP 7
Prepared statements are a safer way to pre-process database queries. Instead of sending the original query to the database, the database first gets notified about the structure of the query, and user information is passed as parameterized input.
The advantage of this approach is that it allows the database to insert inputs into the previously submitted query structure, without allowing attackers to manipulate the structure and change execution context. Inputs, including any malicious payloads, are neutralized throughout the process.
Prepared statements are a very effective defensive measure for SQL injection, because there is no need to individually escape parameter values, and anticipate new protocols, commands or characters that may be dangerous in the future. As long as the template used to create the statement is not itself injected by the attacker, there is no way to perform SQL injection.
There are two additional main advantages to prepared statements compared to executing SQL statements directly. Prepared statements reduce parsing time, because the query is prepared only once, even if the statement is executed multiple times. In addition, When bound parameters are used, they only need to be sent once, reducing bandwidth between client and server.
Application Security with Imperva
Imperva is a comprehensive application security solution that can help protect your applications from PHP injection, even if they have underlying vulnerabilities. Beyond PHP injection protection, Imperva protects applications, APIs, and microservices:
Web Application Firewall – Prevent attacks with world-class analysis of web traffic to your applications.
Runtime Application Self-Protection (RASP) – Real-time attack detection and prevention from your application runtime environment goes wherever your applications go. Stop external attacks and injections and reduce your vulnerability backlog.
API Security – Automated API protection ensures your API endpoints are protected as they are published, shielding your applications from exploitation.
Advanced Bot Protection – Prevent business logic attacks from all access points – websites, mobile apps and APIs. Gain seamless visibility and control over bot traffic to stop online fraud through account takeover or competitive price scraping.
DDoS Protection – Block attack traffic at the edge to ensure business continuity with guaranteed uptime and no performance impact. Secure your on premises or cloud-based assets – whether you’re hosted in AWS, Microsoft Azure, or Google Public Cloud.
Attack Analytics – Ensures complete visibility with machine learning and domain expertise across the application security stack to reveal patterns in the noise and detect application attacks, enabling you to isolate and prevent attack campaigns.
Client-Side Protection – Gain visibility and control over third-party JavaScript code to reduce the risk of supply chain fraud, prevent data breaches, and client-side attacks.
