PHP Object Injection Slinger
This is an extension for Burp Suite Professional, designed to help you scan for PHP Object Injection vulnerabilities in popular PHP frameworks and some of their dependencies. It sends the web application a serialized PHP object designed to force the web server to perform a DNS lookup to a Burp Collaborator callback host.
Feedback, testing and issue reporting are welcome.
The payloads for this extension are all from the excellent Ambionics project, PHPGGC.
PHPGGC is a library of PHP unserialize() payloads along with a tool to generate them, from the command line or programmatically.
You will need it for further exploiting any vulnerabilities found by this extension.
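For defenders who want to see whether requests like the ones this scanner sends are reaching an application, the following added example (not part of the extension or of PHPGGC) flags query parameters that carry a PHP serialized object, including URL-encoded and base64-encoded forms. The class name `Example\Logger` and the sample URLs are constructed for illustration; the check is a heuristic for query strings only and does not cover request bodies or cookies.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, quote, unquote_plus, urlsplit

# PHP object header: O:<name len>:"<class>":<prop count>:{  (C: for Serializable)
OBJECT_HEADER = re.compile(r'[OC]:\d+:"([A-Za-z_\\][\w\\]*)":\d+:\{')

def _decodings(value, depth=3):
    """Yield value plus its URL- and base64-decoded forms, up to depth layers."""
    seen, queue = set(), [(value, 0)]
    while queue:
        text, level = queue.pop()
        if text in seen:
            continue
        seen.add(text)
        yield text
        if level >= depth:
            continue
        queue.append((unquote_plus(text), level + 1))
        try:
            raw = base64.b64decode(text + "=" * (-len(text) % 4), validate=True)
            queue.append((raw.decode("utf-8"), level + 1))
        except (binascii.Error, ValueError):
            pass  # not base64, or not text once decoded

def serialized_classes(value):
    """Return the sorted class names of PHP serialized objects found in value."""
    found = set()
    for text in _decodings(value):
        found.update(OBJECT_HEADER.findall(text))
    return sorted(found)

def scan_url(url):
    """Map each query parameter that carries a serialized object to its classes."""
    hits = {}
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        classes = serialized_classes(value)
        if classes:
            hits[name] = classes
    return hits

# Constructed sample input: a harmless object of a hypothetical class.
SAMPLE = 'O:14:"Example\\Logger":1:{s:4:"file";s:8:"test.log";}'
SAMPLE_URLS = [
    "/profile?data=" + quote(SAMPLE, safe=""),
    "/api?token=" + quote(base64.b64encode(SAMPLE.encode()).decode(), safe=""),
    "/search?q=O:rings+and+hoops&page=2",
]
```

Calling `scan_url` on each entry of `SAMPLE_URLS` reports the first two and returns an empty result for the third.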
OSX Mojave 10.14.6
java version "11.0.5" 2019-10-15 LTS
Build the extension on OSX:
- After installing Homebrew, run in a terminal:
brew install gradle
- Clone the repository
git clone https://github.com/ricardojba/poi-slinger.git
- Inside the cloned repository directory, build the Jar with
- Jar location
To load the Jar manually in Burp Suite Pro, use Extender -> Extensions -> Add to load the Jar file.
You may find the built Jar in the bin directory of this repository.
You can also install the extension in Burp Suite Pro via Extender -> BApp Store -> PHP Object Injection Slinger.
On the Proxy/Target/Intruder/Repeater tab, right-click the desired HTTP request and click "Send To POI Slinger". This will also highlight the HTTP request and set the comment "Sent to POI Slinger".
You can watch the debug messages in the extension's output pane under Extender -> Extensions -> PHP Object Injection Slinger.
Check the PHP file in the test-extension directory, and the instructions contained in it, for how to host the file and use it to test this extension.