PHP Object Injection & Serialization: Python Web Hacking | Natas: OverTheWire (Level 26)

John Hammond · Intermediate · 🔐 Cybersecurity · 7y ago

Key Takeaways

Uses PHP Object Injection to solve web hacking challenges with Natas: OverTheWire (Level 26)

Full Transcript

PHP object injection through the serialize and unserialize PHP functions can be super dangerous, especially if there's complete user control over what data is being serialized. Keep watching to see how we can take advantage of this to get remote code execution on a vulnerable web app right now.

What's up everybody, my name is John Hammond and we're looking at Natas level 26. So we're prompted with this "draw a line" functionality, and it looks like it will let us just enter coordinates for maybe a line that we want to draw, and it looks like the application, once we submit this, will go ahead and create an image that is displayed for us with that line or whatever created. So let's take a look at the source code, let's see what's wrong with it, let's see what we can do, because this is another really cool vulnerability in PHP objects.

Well, let's take a look at the source code. HTTP head... HTML stuff here, not HTTP, just HTML, whatever, long acronym, a bunch of H words, a series of words in an acronym. So the PHP code here is using a little bit of object-oriented programming. You can see we have a class here called Logger, and this has some variables set up private that it uses only inside that class or inside that object, and they're denoted by the this keyword. PHP uses the arrow notation to denote the use of its own private variables inside of an object or inside of a class. So it creates a file, looks like that's going to use to log, based off of a temporary directory and temporary file that we create here, and it keeps track of the session supposedly. It has a function log that will display stuff there, and destruct will, okay, save it to the file and write it all up. That's fine. So construct is a constructor, destruct is the destructor. The constructor happens first when the object is first created; the destructor happens once the object is destroyed, or once it's done, once it's not in use anymore. These underscore underscore functions are PHP magic object functions, so they are like necessary and built-in for PHP. Keep that in mind because that's crucial to this attack that we're going to be looking at with our object serialization and deserialization.

There are codes to show an image; it looks like it just includes that HTML image element. Draw image, it looks like PHP functions to use a color and create a new PNG image, etc etc. And draw from user data, it looks like another custom function here. It takes advantage of these x coordinates and y coordinates that we pass along, looks like it's passing it through that to the GET method, and it goes ahead and draws a line just like that. And it looks like it actually does this with a drawing cookie: we can see it's testing if this cookie "drawing" exists in the cookie array, then it unserializes this data. It's base64 encoded to begin with, so that's why they have to decode it here. And that's important to note, because unserializing data that we have complete control over is a huge vulnerability, because that can lead to some unsafe stuff happening, that can lead to some PHP remote code execution, and we'll take advantage of it in a really, really cool way as we get into it.

But other than that, it just creates this image inline. Store data, again taking advantage of these x1, y1 coordinates, storing them as an object and creating that as a drawing cookie that we have in base64. So you can see this storeData function does that with an empty bit, or a little bit of nothing to begin with, or creates an empty array, but it will create a serialized form of that object in base64 encoding. The page itself will create a session, and it looks like it's using our session ID as the actual location that it's loading the image file from.

So let's play around with the code, let's see how we can take advantage of this and let's see how we can manipulate it. Let's get over to our script, hit Ctrl+B to run it, set the syntax to PHP here. Cool. So let's see how this looks if we pass along some of those arguments here. Let's create another request; we're going to change the URL to include x1 can equal 0, and y1 can equal 0, x2 can equal like 500, just like we've used before, and y2 can equal 500. Now let's go ahead and print that, see how this looks. You can see it's using our image source here, that's using from that PHP function, and it's using that session ID supposedly. Let's actually go ahead and take a look at that session cookie, PHPSESSID, and okay, you can see that "q1 c9 a" is the same thing that it's using right there. But take note that we can control this, we can actually inject something into this, like that session ID is just a cookie. So let's change it to something like, try some local file inclusion, let's go up the parent directory a ton, see if we can read out /etc/natas_webpass. I don't know what this even would do, because it can't create a PNG from that, but we get a bunch of warnings and PHP errors: session_start, the session ID is too long, contains illegal characters. Looks like the only valid characters are alphanumeric and hyphens and commas. So obviously it can't create that stream, and it's not a PNG so it can't use this imagepng function, so that doesn't really work out very well for us.

But we can get into something else with that object, this Logger class, because that looks like something that's being considered serialized and actually like loaded into PHP, and we have complete control over it. We can take advantage of that because it's just a cookie, right? We can see our original GET request here, let's see the cookies that we have before we supposedly submit the form. The request cookie jar has a session ID, but if we take a look at the session cookies following our request, let's try and run this, the request cookie jar has a cookie for PHPSESSID and we have another one, "drawing", that looks like base64 encoded data. So let's go ahead and take a look at what that really is. Let's get drawing out of here, and let's go ahead and import base64 so we can decode it and take a look at what that code is. base64.b64decode, run this: incorrect padding. Let's see what that actually looks like. Maybe it's not including the equal sign at the very end, or URL encoding. There it is. So let's decode that with urllib, urllib.quote, and maybe unquote, I believe, I do that constantly. It is unquote. Okay, now we have our equal sign, perfect. Let's base64 decode that. Sweet, so we have strings and objects and things all created supposedly in an array, but this is PHP serialized data.

So let's take advantage of it with our Logger method. If we can steal that code, this class Logger, we can actually change what these variables are and what they do, and if we give that to the cookie, that drawing cookie, and the PHP application will like unserialize that data for us, it'll load up this Logger and it'll try and write that message, and we may be able to take advantage of what we actually write to a file, and we can actually essentially get some code on the server and maybe run our own PHP code, because we are writing to a file with this. So let's steal this Logger class. I'm going to put this in another file, I'll call it 26_tool.php, and set the syntax to PHP by adding these PHP tags and stuff above it. So let's indent, get proper whitespace here. So let's create a new object for that, let's say new Logger, can be just object, object can equal new Logger, and then let's go ahead and echo out the base64 version. Actually, let's not, let's not encode it yet, let's make sure we can see that serialized data. Let's just run serialize on our object. Cool. So in the shell over here let's run our 26 tool, might just run php7.0 26_tool.php, and I'm getting a couple PHP warnings in there, so let's actually just redirect standard error to elsewhere. Okay, so we see we have a Logger object and it's creating, keeping track of these files here.

So let's go ahead and change some of these variables, because we can take advantage of them and have them do interesting things, like write to a different file and write new things, like PHP code. So let's do some PHP code injection like that. Let's put this in a relative path that we know we can access, something like image, right, because it's trying to load out of that image directory. Yep, image files are from image forward slash natas and the session ID, so let's put something at like image/winner.php, and we can have some PHP code that's being written in the initialization or exit message. Let's use that regular PHP syntax and let's run our system command, cat /etc/natas_webpass for the next level. Cool, that should get us some commands running in this image/winner.php file. So now that that's been updated, let's take a look at what the output of the script is. Okay, Logger, we got the object, putting it at that file, and it looks like it's just running PHP code. Perfect.

Now let's go ahead and base64 encode this. Okay, a lot of stuff here, but we can copy this and we can set this to our drawing variable in our session cookie, session.cookies equals, I'm sorry, drawing, right, because that's the cookie that we're working with. Set that equal to that base64 string, check out the response here, and let's go ahead and run this in the build output. Do I have an error anywhere? I do. See what we got, oh, I may not have included my semicolons here yet in that PHP code. So now we can go back and get actual proper base64 code here. Perfect, let's go ahead and change that. Now when we run this script we have a new fatal error: cannot use object of type Logger as an array. Okay, and that makes sense, because they're just trying to read that file as an array, right, in the code it looks like it tries to read that out as an array. But we know that that means that our code successfully executed, we know that we got that object to unserialize, so now we should have a new file supposedly at image/winner.php. So if we get that and check out the response, we've got the next password. Heck yeah.

So I actually had used this for a little bit of testing earlier, some Natas 26 passwords up here, but that is the Natas 27 password, 5/5 TB etc etc. Looks like we had it a couple more times for whatever reason, but that means that, hey, we won. There was our attack: we did some PHP object manipulation with deserializing objects and taking advantage of some of those cool PHP magic functions. So if you want to learn more about this attack, it is PHP object deserialization. I want to make sure I can actually type this: PHP object deserialization, and you'll see a ton of write-ups on this, you'll see a lot of OWASP articles etc etc, and they all have that same methodology, where there is a class or a little bit of object-oriented programming set up and they're using a PHP magic method like __construct or the destructor, __toString, etcetera etcetera. So totally check those out, because you'll see them a lot in CTF, that is a common attack. If you see the unserialize function in PHP you should automatically know something is wrong, especially if you can control the data that's inside, because that is going to be your attack vector. So super duper cool.

Thank you guys for watching. I want to give a shout out to my supporters real quick. Thank you to all of these people: Spencer Clark, Gayle Horowitz, okay, Attila or Gaddafi, and ruler unruly destroyer of worlds, madam chair, Jen, Rob, Timothy County and Jacob H, etc. If I butchered a name I'm sorry, but hey, you are awesome, thank you so much for supporting me, thank you for being willing to go on this journey with me. $1 for Patreon a month will give you the shout-out just like this at the end of every video; $5 and more will give you early access to things that I'm trying to push out on YouTube before they go live, in case I record anything in advance and YouTube is scheduling. So thank you, thank you, thank you. Hey, if you did like this video, please do press that like button, maybe leave me a comment, let me know what you think, what else you'd like to see, what we could have done better, how you solved this, et cetera. If you're willing to subscribe, and if you really want to support me, check me out on Patreon. Thanks again guys, see you later, video.
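The walkthrough decodes the drawing cookie by hand (URL-decode, fix the missing base64 padding, base64-decode) and then eyeballs the PHP serialized data for objects. The script below, an added example that is not code from the video or from the Natas challenge, automates that from a defender's side: it parses the PHP serialize() format (strings, ints, floats, bools, null, arrays, objects) and flags any class name that unserialize() would instantiate, which is the signal that someone is feeding a Logger-style object into a cookie that should only ever hold coordinate arrays. The cookie values are constructed here; the Logger property names (logFile, initMsg, exitMsg) are assumed from the walkthrough's description of the class, not copied from the challenge source.

```python
import base64
import urllib.parse


class PHPObject:
    """A deserialized PHP object: class name plus properties.
    PHP mangles private property names as "\\0Class\\0name"."""

    def __init__(self, cls, props):
        self.cls = cls
        self.props = props


class PHPSerialParser:
    """Minimal parser for PHP serialize() output (N, b, i, d, s, a, O).
    Works on bytes because s:/O: length prefixes count bytes, not characters."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def parse(self):
        value = self._value()
        if self.pos != len(self.data):
            raise ValueError("trailing bytes after serialized value")
        return value

    def _expect(self, token: bytes):
        if not self.data.startswith(token, self.pos):
            raise ValueError(f"expected {token!r} at offset {self.pos}")
        self.pos += len(token)

    def _read_until(self, delim: bytes) -> bytes:
        end = self.data.index(delim, self.pos)  # ValueError if truncated
        chunk = self.data[self.pos:end]
        self.pos = end + len(delim)
        return chunk

    def _counted(self, length: int, terminator: bytes) -> str:
        """Read '"<length bytes>"' followed by the terminator (';' or ':')."""
        self._expect(b'"')
        if self.pos + length > len(self.data):
            raise ValueError("length prefix runs past end of data")
        chunk = self.data[self.pos:self.pos + length]
        self.pos += length
        self._expect(b'"' + terminator)
        return chunk.decode("latin-1")

    def _pairs(self, count: int) -> dict:
        """Read '{key;value;...}' for arrays and object property lists."""
        self._expect(b"{")
        result = {}
        for _ in range(count):
            key = self._value()
            result[key] = self._value()
        self._expect(b"}")
        return result

    def _value(self):
        tag = self.data[self.pos:self.pos + 1]
        if tag == b"N":
            self._expect(b"N;")
            return None
        self._expect(tag + b":")
        if tag == b"b":
            return self._read_until(b";") == b"1"
        if tag == b"i":
            return int(self._read_until(b";"))
        if tag == b"d":
            return float(self._read_until(b";"))
        if tag == b"s":
            return self._counted(int(self._read_until(b":")), b";")
        if tag == b"a":
            return self._pairs(int(self._read_until(b":")))
        if tag == b"O":
            cls = self._counted(int(self._read_until(b":")), b":")
            return PHPObject(cls, self._pairs(int(self._read_until(b":"))))
        raise ValueError(f"unknown type tag {tag!r} at offset {self.pos}")


def decode_drawing_cookie(cookie_value: str) -> bytes:
    """Undo URL encoding (the '=' padding arrives as %3D) and base64;
    restore padding if it was lost, the 'incorrect padding' case from the video."""
    raw = urllib.parse.unquote(cookie_value)
    raw += "=" * (-len(raw) % 4)
    return base64.b64decode(raw)


def find_objects(value, found=None) -> list:
    """Collect every class name the structure would instantiate on unserialize()."""
    if found is None:
        found = []
    if isinstance(value, PHPObject):
        found.append(value.cls)
        find_objects(value.props, found)
    elif isinstance(value, dict):
        for item in value.values():
            find_objects(item, found)
    return found


def inspect_drawing_cookie(cookie_value: str):
    """Return (parsed structure, class names). A legitimate drawing cookie holds
    only arrays of coordinate strings, so any class name means an object was
    smuggled in and its magic methods would run on unserialize()."""
    parsed = PHPSerialParser(decode_drawing_cookie(cookie_value)).parse()
    return parsed, find_objects(parsed)


def make_cookie(serialized: bytes) -> str:
    """Encode the way the app does: serialize -> base64 -> URL-encoded cookie."""
    return urllib.parse.quote(base64.b64encode(serialized).decode("ascii"))


# Constructed samples: a normal drawing cookie, and one carrying a Logger object
# (property names assumed from the walkthrough, values are harmless placeholders).
LEGIT_DRAWING = (b'a:1:{i:0;a:4:{s:2:"x1";s:1:"0";s:2:"y1";s:1:"0";'
                 b's:2:"x2";s:3:"500";s:2:"y2";s:3:"500";}}')
OBJECT_DRAWING = (b'O:6:"Logger":3:{s:15:"\x00Logger\x00logFile";s:14:"/tmp/trace.log";'
                  b's:15:"\x00Logger\x00initMsg";s:4:"init";s:15:"\x00Logger\x00exitMsg";s:4:"exit";}')

if __name__ == "__main__":
    for label, blob in (("legit", LEGIT_DRAWING), ("object", OBJECT_DRAWING)):
        _, classes = inspect_drawing_cookie(make_cookie(blob))
        print(f"{label}: classes={classes} -> {'ALERT: object in cookie' if classes else 'ok'}")
```

The same check belongs server-side: an application that must keep unserialize() on user data can at least pass `['allowed_classes' => false]` so no class is instantiated, and a JSON encoding of the coordinate array removes the object channel entirely.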

Original Description

If you would like to support me, please like, comment & subscribe, and check me out on Patreon: https://patreon.com/johnhammond010 E-mail: johnhammond010@gmail.com PayPal: http://paypal.me/johnhammond010 GitHub: https://github.com/JohnHammond Site: http://www.johnhammond.org Twitter: https://twitter.com/_johnhammond
