Advanced PHP Deserialization - Phar Files

IppSec · Beginner · AI Tools & Apps · 6y ago

Key Takeaways

The video discusses advanced PHP deserialization techniques using Phar files, covering topics such as PHP serialization history, Phar file uploads, and prevention by disabling the phar stream wrapper. It also demonstrates code execution using Phar files and stream wrappers, as well as exploiting vulnerabilities using POP chains and deleting files using the unlink function.

Full Transcript

What's going on YouTube, this is IppSec, and we'll be going into advanced PHP deserialization using Phar files. These are the PHP file archive files, and they're going to allow us to perform deserialization attacks even if the developer doesn't put a single unserialize() call in the program. If you're unfamiliar with PHP deserialization, definitely check out my channel where I have an introduction to PHP deserialization attacks, but if you are, we can get started with a little bit of history.

In 1994 PHP was released and, like any other scripting language, especially ones meant for the web, it had 99 problems, but for the first 15 or so years unserialize was not one of them. That's primarily because PHP itself is not an object-oriented programming language, so developers generally didn't use objects, and if they did they certainly didn't really use a lot of magic methods that may be dangerous. The only really common one before 2009 was the __destruct magic method, and they normally used that to just unlink files. But in 2009, this is when frameworks started becoming a thing and made PHP an object-capable programming language, and then were doing a lot of dangerous functionality around these magic methods. This is when Stefan Esser noticed this and did a talk and paper called "Shocking News in PHP Exploitation", which served as my introduction into POP chains, that is property-oriented programming. It's much like ROP chains in binary programs, except instead of abusing returns you're abusing the fact that you can set the properties on a bunch of objects to achieve a goal. Then I think serialization kind of just went silent, at least it did for me, until a bunch of Java stuff happened, I think that was in like 2015 or 2016, but we'll just ignore that for now because that is Java, not PHP.

In 2018 there was a talk by Sam Thomas called "It's a PHP unserialization vulnerability Jim, but not as we know it", and this was a really good talk because this was doing PHP deserialization without an unserialize call using Phar files, and that is the PHP file archive. The downside to this is you have to upload a file, and I think a lot of people kind of ask, well, if I gotta put a file on the server anyways, why is this Phar format really that useful, because I could just upload malicious files anyways? But when you upload a malicious file you have to depend on it having like a PHP extension, there being an LFI that uses an include, or other things, and if you wanted to do object injection, well, you need unserialize. So this Phar file may serve as an answer to both of these questions. You can think of it as a magical serialized zip format, because it doesn't depend on any extension, so you can set anything you want, and additionally the beginning of the file doesn't depend on any magic bytes, so you can have a legitimate JPEG that displays as a JPEG, gets the correct file dimensions as a JPEG, and even will open up in a file viewer and display the JPEG and not throw any errors about your malicious code being in there. You can trigger the code by using a phar:// stream wrapper with any file operation within PHP, such as like file_exists, unlink, md5sum, etc. The main difference between doing a deserialization attack with this and just a normal unserialize call is the initial POP chain must start with a __wakeup or __destruct; other than that it's pretty much standard deserialization. The only way I really know to prevent it is to disable the phar stream wrapper altogether. This may break like the auto-update portion of the application, but it is probably the safest way, and I have this caveat in there because there may be other ways that may be better; this is just the way I do it.

So this was a lot of presentation, so let's just go into what you probably want and that is the demo portion. I didn't want to waste a lot of your time watching me write an image uploader application, so I did that code before the video and we can go over it real quick. It's super simple. The first thing is a PHP file which is just a web form; it's going to send a POST request to upload.php, it's going to be a file upload request, and the variable name is going to be image upload.

So let's take a look at upload.php. We're going to have a simple PHP uploader, and it starts off with setting the allowed extensions to be gif or jpeg. Then we're setting a bunch of information about the file: fname is going to be the file name, size the size, tmp is created by PHP and this is going to just be a temporary space within, I think, /tmp/php plus a random string, I think is what it's called, and then the extension. All we're doing is splitting the file name on a period and then taking the very last entry, so that'll get us the extension; we also call strtolower so you don't have to worry about the casing. Then upload path, we're just going to put it in the uploads directory, and then basename is just taking the file name, so if you give it a full path it will only take the file name. So right here we have: is this a submission? Yes it is. So we're checking the array; if the file extension is in the array then this will just skip, and if we don't have gif or jpg then it will tell us the file extension is not allowed and die. Next we're checking if the file exists; if it doesn't exist, let's move it from the temp directory into the upload path and tell the user we moved it, and then if it does exist we'll just say we can't overwrite the file and then die. So this script itself isn't going to be vulnerable to the Phar file, but I just created this as a way to get the file on the server.

The next thing we have is the please-subscribe directory, which is all my attack stuff. We'll go over genphar, and this is just going to create the Phar file. I got this out of that presentation from Sam Thomas, the Black Hat one in 2018. So this is just going to be a test class; we're creating a Phar archive with this command; we need to set the stub as __HALT_COMPILER to get code execution, and here is where we do the serialization. If we wanted to put an image or text before this we can put anything we want here, so that's where we're gonna insert the image a little bit later. And then this is just to comply with Phar standards: we have to just add a file name to it, so this really doesn't matter, just make sure you have something there.

So when you run this command it's going to create the thing. And what did I type? I don't know what I typed, why it's saying save. But if we run PHP it's going to error, because in order to create the Phar file we have to change PHP to not be in read-only. So to do that we can do /etc/php/7.3/cli/php.ini and set this phar.readonly to Off, and this will allow us to create the archive. The server does not have to have that setting set; that is only to generate the archive. So now we got test.phar. We can xxd it and we can see what the thing looks like, so if you do file against it it's gonna just say data. If we, whoops, hit the microphone, sorry about that if noise came out, but if we put something before this like GIF87, which is the magic bytes for a gif file, and run this again and do file against it, now it registers as a gif because those bytes came first, so if we do xxd here we can see it.

So let's make this code vulnerable. In order to do that first we'll need to have an object with a __destruct call, so what I'm going to do is go into my last video, that was PHP unserialize, logging.php. I'm just going to include this, and all this is going to do is __destruct, and we got filename and username. We can probably get this out; we can do fname, and then we will write fname to file, append I guess, and I'm also echoing "destruct called" so you know it called. So we go into upload.php and just do include, and then we called it logging.php, and all we have to do now is create the exploit. So let's open the pane, then please-subscribe, genphar, and then let's look at logging.php. We have to create the class called LogFile, so instead of TestClass this is going to be LogFile, and if you feel lost right now I would highly recommend watching the introduction to PHP deserialization, because this is where we went over it. So I'm going to create the name, filename, and we can call this /root/please-subscribe/subscribe.txt, and then let's say the fname, we'll call this fcontents, doesn't matter, it's just, I guess, maybe easier for you to understand if the variable names mean something. So fcontents, and "support me on patreon". So now we got the POP chain created; we can change the test class to be here, so we want this to be LogFile, and then when we do php genphar, oh, cd please-subscribe, php this, we can xxd test.phar and we can see everything looks like it is in order.

So let's just move this to be test.gif and let's start the image upload and upload the image. So let's do php -S 127.0.0.1 on port 80, and then if we just go to localhost we can select our image. So if we go root, php phar, please-subscribe, test.gif and upload, we see the file is in here, and if we go into uploads we can see it is. If we look at, let's see, it was /root/please-subscribe, so ls /root, grep for please: we didn't trigger anything, and that's because we didn't make that phar call yet when we use this stream wrapper. We're gonna have an issue with the script as is, because we're setting the upload path to be this and our basename like this, so even if we could control the file name completely it would look something like uploads/phar://filename, tag, slash something, alright test.gif/something. So this doesn't work. Generally though in like file upload things you'll have something to delete a file, unlink a file, so let's just create some code to delete a file. So let's go vim delete.php and we can do <?php unlink and we'll do $_GET['ippsec'], so it's going to attempt to delete the file. Alright, delete the file, whatever you call it. So we can test this: let's just do touch uploads/deleteme.txt, and I'm actually going to go to a new pane. We can split this, I like splitting like this. So if we go into uploads, watch -n1 will say every second do an ls, and now if we curl localhost, say ippsec is equal to uploads/deleteme.txt, oh we have to specify delete.php: delete.php?ippsec=, like that. Run this and we delete the file. So if we try to delete test.gif it will delete normally; so we just deleted it, so I'm gonna press Ctrl+R to re-upload this.

Now if we do phar://test.gif it's going to delete this normally because we didn't specify a file afterwards, or maybe the script just errored, let's see, unlink, let's see, phar. So because we had an error in how the wrapper is used, it just failed because it's expecting a zip and to go into the zip. So if you looked at like test.gif, this is a zip file, and phar is meant to go inside a zip file, so it wants to see this and then see like test.txt, which is the file inside of it, if that makes sense. So let's go back to this, uploads/, and whoops, right here, well you have this phar and I'm just going to put /test; this one doesn't matter. And we did not get code execution, but phar://...test.txt, I expected code execution, what happened? So it went fine but it didn't say something, and we don't have please-subscribe, so we probably have an error. And oh, this doesn't have the object; so in this case logging.php wasn't in my quote-unquote class path of delete.php, so it couldn't create that object. So let's just put test.gif again, and I can do watch -n1 ls /root, grep please, but this will probably throw the error, and oh, we didn't have to specify a file. So sometimes when you do the file operation with this you have to put a file after the thing, but we didn't there, so you can see please-subscribe was created. So if we look at this we can see we abused that whole object.

So the last thing I want to go over is putting an image file in this. So right now we're only doing the extension; if we do file against it, it's going to match this, but if you open up a file browser, where is it, listen, no that's video, file manager, and we go here, test.gif, it's going to look like this, that's disgusting, but you want to put it in an image, so maybe something like this. So if we go back into genphar, so go here, we can say image is equal to file_get_contents and then we'll call it, what do we call it, ls please-subscribe, image.jpg, image.jpg, and here we can just say image dot that, so concatenate the file image.jpg with this __HALT_COMPILER command. So now when we do php genphar: use of undefined constant, it did not like that; let's just do file_get_contents image.jpg, I'm guessing it didn't like the variable name image. There we go. So if we do file on test.phar we see it is a JPEG, and if we go here and open test.phar we get the image itself. So let's just move this to be test.jpg, and again changing the extension doesn't change how it behaves. So let's go and upload this one; so let's go upload, back, and let's do test.jpg, upload, and if we go to localhost/uploads/test.jpg you can see the image there. So let's start this watch command again, and instead of delete let's do md5sum. So vim md5.php, <?php include logging.php; that's just going to have the class that we can create a POP chain to, and if this was a framework we could just use an existing CodeIgniter one or something out of PHPGGC, the gadget chain finder or something; I can look at it after we do this real quick. So what I want to do, oh we want to do md5_file and then $_GET['ippsec'], so this one now, when we do the curl command instead of delete we called it md5 and it's now test.jpg, and we can put something where it's expecting. We see "destruct called" and then you saw the file pop up, so we can delete /root/please-subscribe, you can see it disappear in my bottom right pane, we make this curl and we get it. And again the only code in there was this md5_file and then logging looks like this, nothing overly malicious. So hope you enjoyed all that, and again this is much more beneficial when you use it against like a framework, and then you can just pull up a gadget chain out of this tool. You can see them all: Drupal, CodeIgniter, SwiftMailer, Symfony, WordPress, Zend, it's a bunch of them, to create gadget chains to get your objective.

So the last thing I want to get into is prevention and protecting yourself. So the best way to do this is just creating a PHP script to see what stream wrappers you have registered, and I do this from the web server and not like PHP command-line mode because there may be various configuration file differences, so this is how to know exactly what's running on your web server. And phpinfo may actually say this right off the bat, so let's just check this real quick. So if we do localhost and test.php, let's look at phar, registered PHP streams, so these are the PHP streams that are registered. There is another command you could do, that is var_export(stream_get_wrappers()), and if you run this, we curl localhost/test.php, maybe echo, is it var_export, yep, that's var_export, we can see what's registered here. So this is exactly what phpinfo is telling us. However, if we want to unregister something we can just call the command stream_wrapper_unregister, I thought that was it, we'll try it, it's weird that it's not being highlighted, stream_wrapper_unregister, okay yep it is. So before we had number nine, which is phar, and that is gone. So you may want to put this in like config.php and disable ones you don't use, so like if we did http as well as ftp, again you can see those disappear. So what I'm going to do is save this as config.php, and what we can do is go back into md5.php and if we just add include config.php, and I'm going to put an echo here so we print the results of this. And I think it was here we did it, where is that, curl this md5.php, we got no response, and that's probably, nope, just failed to open stream: no such file or directory. I just want to make sure I didn't delete the file, so we want uploads/test.jpg. Let's make sure this exists; the file does exist, and again if we xxd that file, whoops, we can definitely see this is the same file we used earlier with our code, except it's no longer triggering code execution because we deleted it. So let's double check that with /root/please-subscribe, watch, run, where's that phar, there it is, doesn't execute, and if we go back into md5 and take out this config.php we see it works. So with that being said, that is the video, hope you guys enjoyed it, take care and I will see you all next time.
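As an added example (not the video's own config.php or md5.php), here is how I would combine the two defenses the video describes: unregistering the phar stream wrapper at bootstrap, and validating the user-controlled file name before it ever reaches md5_file() or unlink(). The parameter name ippsec and the uploads/ directory are taken from the video; the function safeUploadPath and the other wrapper names in the loop are my assumptions.

```php
<?php
// Bootstrap hardening, run before any user input touches a filesystem function.
// The phar:// wrapper is what turns a plain file operation into an unserialize();
// drop it unless the app genuinely needs it (the video notes this can break
// self-update features that read .phar archives). Remote wrappers the app does
// not use are dropped too, so a path argument can never become a network fetch.
// Wrapper list is an assumption for this example; tailor it to the application.
foreach (['phar', 'http', 'https', 'ftp'] as $wrapper) {
    if (in_array($wrapper, stream_get_wrappers(), true)) {
        stream_wrapper_unregister($wrapper);
    }
}

// Resolve a user-supplied file name to a path inside $uploadDir, or return null.
// This is the second layer: even if the wrapper were still registered, a value
// such as "phar://uploads/test.jpg/test.txt" is rejected before any file call.
function safeUploadPath(string $userInput, string $uploadDir): ?string
{
    // Reject anything carrying a URL scheme (phar://, file://, ...).
    if (preg_match('#^[A-Za-z][A-Za-z0-9+.-]*://#', $userInput) === 1) {
        return null;
    }
    // Accept only a bare file name: any "/" or "../" makes basename() differ
    // from the input, which we treat as a rejection.
    $name = basename($userInput);
    if ($name === '' || $name === '.' || $name === '..' || $name !== $userInput) {
        return null;
    }
    // Same extension allow-list idea as the video's upload.php.
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, ['gif', 'jpg', 'jpeg'], true)) {
        return null;
    }
    // realpath() returns false for missing files; the prefix check stops a
    // symlinked upload from pointing outside the uploads directory.
    $base = realpath($uploadDir);
    $full = realpath($uploadDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $full === false
        || strpos($full, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $full;
}

// Hardened counterpart of the video's md5.php: md5_file() only ever sees a
// validated path inside uploads/, never the raw query parameter.
$path = safeUploadPath($_GET['ippsec'] ?? '', __DIR__ . '/uploads');
if ($path === null) {
    http_response_code(400);
    exit('invalid file name');
}
echo md5_file($path), PHP_EOL;
```

Checking `stream_get_wrappers()` from a request handler, as the video does, confirms the unregister took effect under the web server's php.ini rather than the CLI's.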

Original Description

Previous Video: Intro to PHP Deserialization - https://youtu.be/HaW15aMzBUM

00:27 - Little bit of history about PHP Serialization
02:13 - Why is uploading Phar Files different than normal file upload vulns?
02:42 - What are Phar Files?
03:38 - Prevention by disabling the phar stream wrapper
04:00 - Going over the PHP Upload script created for this video
06:15 - Reviewing a PHP Script to generate malicious PHAR Files
07:20 - Setting our PHP Config to allow PHAR to operate in Read/Write mode
08:00 - Showing we can control the beginning bytes of the PHAR File to trick magic byte checks
08:40 - Copying the logging class from the intro to deserialization video into our upload script
09:35 - Adding the PHP Object/POP Chain to our PHAR Generation Script
11:30 - Starting a PHP Webserver so we can upload our image
12:20 - Explaining why the existing image upload script isn't vulnerable
13:00 - Creating a separate script which performs the file operation unlink() against user input
14:45 - Trying to trigger this vulnerability via Curl (doesn't work yet, forgot to include our PHP Class)
16:00 - Adding the PHP Object to our script
17:17 - Beginning of adding a phar file to a legitimate image
19:00 - Modifying our PHAR File to also be a valid image
20:12 - Triggering the PHAR Unserialize with our image, but this time with a different file operation (md5_file)
21:50 - Mentioning PHPGGC which is handy to utilize with this exploit
22:13 - Showing how to unregister PHP Stream wrappers to prevent this attack

This video teaches advanced PHP deserialization techniques using Phar files, including code execution, stream wrapper usage, and vulnerability exploitation. It also covers prevention methods and demonstrates how to use various tools such as xxd, the Phar archive class, and the __HALT_COMPILER() stub. By watching this video, viewers can learn how Phar files lead to code execution, how the demonstrated vulnerabilities are exploited, and how to prevent the code execution by disabling the phar stream wrapper.

Key Takeaways
  1. Set allowed extensions to gif or JPEG
  2. Check if the file exists in the temp directory
  3. Move the file from temp to the upload path
  4. Create a Phar archive with the stub set to __HALT_COMPILER()
  5. Serialize a test class with image or text
  6. Create a POP chain to exploit a vulnerability
  7. Use a stream wrapper to manipulate file uploads
  8. Delete a file using the unlink function
  9. Upload a file using PHP
  10. Create a new file using touch
💡 The video highlights the importance of disabling the phar stream wrapper to prevent code execution and demonstrates how to use various tools and techniques to exploit vulnerabilities and manipulate file uploads.
