Technology sharing: Exploiting the PHP serialization/object injection vulnerability

Source: Internet
Author: User
This article is a short analysis of a PHP serialization/object injection vulnerability and describes how it leads to a remote shell on the host. If you want to learn more about PHP serialization, please visit this link. If you want to test this vulnerability yourself, you can do so with XVWA and Kevgir.

The first step is to test whether the target application uses PHP serialization at all. To assist with this, we used the Burp Suite SuperSerial plugin (download address here). It passively detects the use of PHP and Java serialization in requests and responses.

Analysis

Having detected that the application uses PHP serialization, we can now check whether the application code contains a remote code execution vulnerability. The important point is that the serialized object is taken directly from the request parameter "R":

$var1 = unserialize($_REQUEST['R']);

When the object is deserialized, its __wakeup() method runs and passes the attacker-controlled property to eval():

eval($this->inject);

Afterwards, the handler echoes the deserialized values:

echo "\n" . $var1[0] . "-" . $var1[1];

Putting this together: if we replace the serialized array in parameter R with a serialized object of this class, we obtain code execution. The full vulnerable handler looks like this:

<?php
error_reporting(E_ALL);

class PHPObjectInjection {
    public $inject;

    function __construct() {
    }

    // Called automatically when an object of this class is unserialized;
    // the "inject" property comes straight from the request and is eval()'d.
    function __wakeup() {
        if (isset($this->inject)) {
            eval($this->inject);
        }
    }
}

// The value parameter R is expected to carry (a harmless serialized array):
// R=a:2:{i:0;s:4:"XVWA";i:1;s:33:"Xtreme Vulnerable Web Application";}

if (isset($_REQUEST['R'])) {
    $var1 = unserialize($_REQUEST['R']);   // vulnerable: untrusted input, no class restriction
    if (is_array($var1)) {
        echo "\n" . $var1[0] . "-" . $var1[1];
    }
} else {
    echo "parameter is missing";
}
?>
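As an added example (not code from the article or from XVWA), here is a hardened version of the same "R" handler beside the passive check a scanner such as SuperSerial makes; the size limit and the function names are my own assumptions:

```php
<?php
// Added example, not from the original article or XVWA: a hardened handler
// for the same "R" parameter next to the passive check a scanner performs.
error_reporting(E_ALL);

// Hardened replacement for unserialize($_REQUEST['R']).
// allowed_classes => false (PHP >= 7.0) turns every O:/C: token into a
// __PHP_Incomplete_Class stub, so no __wakeup() or __destruct() ever runs.
function safe_unserialize_pair(string $data): ?array
{
    if (strlen($data) > 512) {   // assumed size limit; tune per application
        return null;
    }
    $var1 = @unserialize($data, ['allowed_classes' => false]);
    // Accept only the shape the page expects: an array of two plain strings.
    if (!is_array($var1) || count($var1) !== 2
        || !is_string($var1[0] ?? null) || !is_string($var1[1] ?? null)) {
        return null;
    }
    return [$var1[0], $var1[1]];
}

// Passive detection of a serialized PHP object (O:<len>:"Class":<n>:{ or
// C:...), at the top level or nested inside an array: the pattern a passive
// scanner flags in request parameters and responses.
function looks_like_php_object(string $value): bool
{
    return (bool) preg_match('/(?:^|[{;])[OC]:\d+:"[A-Za-z_\\\\][\w\\\\]*":\d+:\{/', $value);
}

// Constructed inputs for the demo (the first is the page's own sample value).
$samples = [
    'a:2:{i:0;s:4:"XVWA";i:1;s:33:"Xtreme Vulnerable Web Application";}',
    'O:8:"stdClass":0:{}',                 // harmless object token, still refused
    'a:1:{i:0;O:8:"stdClass":0:{}}',       // object nested inside an array
];

foreach ($samples as $r) {
    $flag = looks_like_php_object($r) ? 'OBJECT' : 'plain';
    $pair = safe_unserialize_pair($r);
    $out  = $pair === null
        ? 'rejected'
        : htmlspecialchars($pair[0] . "-" . $pair[1], ENT_QUOTES, 'UTF-8');
    echo "[$flag] $out\n";
}
```

Only the first sample is accepted and echoed; both object-carrying samples are flagged by the detector and rejected by the hardened handler because the stub object never satisfies the array-of-two-strings check.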

Exploitation

To exploit this vulnerability, we wrote a simple PHP script that automatically generates the serialized PHP payload and runs the command we want on the remote target host. We then used a generic PHP reverse shell, available at the following address:

Http://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0.tar.gz

Note: you need to upload this file to the web server, change the local IP and port in the reverse shell script, and use the following code:


Demo

Now that the script is ready, we can run it to obtain a reverse shell on the remote host and execute commands remotely.

The demo video is as follows:

* Reference source: compiled by CD and FB Dawner; when reprinting, please credit FreeBuf Hack & Geek (freebuf.com)
