Advanced PHP Deserialization - Phar Files

40,623 views

IppSec


A day ago

Previous Video: Intro to PHP Deserialization
00:27 - Little bit of history about PHP Serialization
02:13 - Why is uploading Phar Files different from normal file upload vulns?
02:42 - What are Phar Files?
03:38 - Prevention by disabling the phar stream wrapper
04:00 - Going over the PHP Upload script created for this video
06:15 - Reviewing a PHP Script to generate malicious PHAR Files
07:20 - Setting our PHP Config to allow PHAR to operate in Read/Write mode
08:00 - Showing we can control the beginning bytes of the PHAR File to trick magic byte checks
08:40 - Copying the logging class from the intro to deserialization video into our upload script
09:35 - Adding the PHP Object/POP Chain to our PHAR Generation Script
11:30 - Starting a PHP Webserver so we can upload our image
12:20 - Explaining why the existing image upload script isn't vulnerable.
13:00 - Creating a separate script which performs the file operation unlink() against user input
14:45 - Trying to trigger this vulnerability via Curl (doesn't work yet, forgot to include our PHP Class)
16:00 - Adding the PHP Object to our script
17:17 - Beginning to add a phar file to a legitimate image
19:00 - Modifying our PHAR File to also be a valid image
20:12 - Triggering the PHAR Unserialize with our image, but this time with a different file operation (md5_file)
21:50 - Mentioning PHPGGC which is handy to utilize with this exploit
22:13 - Showing how to unregister PHP Stream wrappers to prevent this attack
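The defensive side of the chapter list (disabling the phar stream wrapper at 03:38 and 22:13, and never handing user input straight to a file operation such as unlink() or md5_file()) as one hardened PHP script. This is an added example, not the upload script from the video; the uploads directory, the `file` query parameter and the helper name `safe_upload_path` are assumptions.

```php
<?php
// Added example (not from the video): hardening a file-handling script
// against phar:// deserialization. Assumes uploads live in __DIR__ . '/uploads'.

// 1. Disable the phar stream wrapper so a phar:// path can never reach a file
//    operation (the mitigation shown at 22:13). If the application itself
//    needs to read .phar archives, skip this and rely on the checks below.
if (in_array('phar', stream_get_wrappers(), true)) {
    stream_wrapper_unregister('phar');
}

// 2. Never pass a user-controlled string directly to unlink()/md5_file()/etc.
//    Accept only a bare file name and require it to resolve inside $baseDir.
function safe_upload_path(string $userInput, string $baseDir): ?string
{
    // Reject anything shaped like a stream wrapper URL (phar://, php://, ...)
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $userInput)) {
        return null;
    }
    // Only a bare file name: no directory components, no dotfiles
    $name = basename($userInput);
    if ($name !== $userInput || $name === '' || $name[0] === '.') {
        return null;
    }
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $full === false
        || strpos($full, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null; // missing file, or it escaped the uploads directory
    }
    return $full;
}

$uploadDir = __DIR__ . '/uploads';            // assumed location
$path = safe_upload_path($_GET['file'] ?? '', $uploadDir);
if ($path === null) {
    http_response_code(400);
    exit('invalid file name');
}
// With the wrapper gone and the path validated, md5_file() (the trigger used
// at 20:12) can no longer be pointed at an archive whose metadata would be
// unserialize()d.
echo md5_file($path);
```

Since PHP 8.0, phar metadata is no longer automatically unserialized on plain file operations, so this class of trigger only affects the PHP 7.x branch shown in the video; the path validation still matters for every other wrapper and for traversal.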

Comments: 29
@DividesByZer0 4 years ago
I love when you do videos that go into specific subjects like this. 👍
@maxmusterspace6037 4 years ago
Can I get a IppSec-Tshirt with the quote: "I expected code execution...#sadface" ?? xD That tone of voice was just perfect. ;D
@SomeGuyInSandy 4 years ago
Thank you for including a way to eliminate this vulnerability!
@neoXXquick 4 years ago
Amazing video. I would like it if you could continue this series.
@adhilazeez6039 3 years ago
Great content 👍. All your videos are awesome. And really thanks for your support 👍
@khneo 4 years ago
Thank you, your last videos are really cool! I hope you will do more like that! I just have a question: in black box testing, is there a way to know that there is a vulnerability, or do you just try it and see if it works?
@ippsec 4 years ago
The HackTheBox videos sometimes show that -- you can normally identify it by the ways applications error or don't error. But yes, sometimes you just have to try it.
@khneo 4 years ago
@@ippsec Phar deserialization is usually identified by errors, then? Thanks
@ippsec 4 years ago
@@khneo Probably through the use of other stream wrappers on LFI, like the PHP filter to base64 encode, and the ability to upload files... Knowing those two things, that's enough for me to know to try this.
@khneo 4 years ago
@@ippsec Oh ok! Yes, it makes sense; thanks again for your amazing content :) Happy holidays/Christmas!
@UmairAli 2 years ago
You're My Inspiration ♥ :)
@supercoolgames8218 4 years ago
Thanks heaps for this, very interesting. I am just wondering, how are the methods "unlink", "md5sum" triggering the destruct magic method of the object you're creating? Is it a part of the phar:// read processing? When is the object unset? When is it possible to use phar://, only with methods that involve reading data?
@ippsec 4 years ago
Any file operation. Think of the PHAR as a ZIP file. When it goes into the ZIP file it has to unpack it, and during the unpack is when the unserialize comes about. That's why I was surprised when I had code execution with unlink(phar://uploads/pharfile) -- I thought I would have had to do something like phar://uploads/pharfile/test.txt to tell unlink to go inside the phar.
@supercoolgames8218 4 years ago
@@ippsec Thanks for your answer! So in the process of unpacking the phar it unserialises the injected object, then later unsets it, triggering the destruct method?
@ippsec 4 years ago
@@supercoolgames8218 I believe you are correct -- the object is destructed when the script completes as part of cleanup. The unlink() has nothing to do with the destruct. There are ways to trigger a fast destruct to force the object to destruct in memory before continuing in the script. I cover that slightly in the introduction video.
@khalat173 4 years ago
Hi. Would be great to have a little bit more volume on the audio. Otherwise, really great.
@rawbytes7356 2 years ago
It's been 2 years since this video; I learned a lot from it. But it somehow doesn't work with PHP 8.1; it works fine with PHP 7.4. I think they changed something in the new update so it doesn't work. I spent time trying to find out why it was not working (I was working with PHP 8.1), then ran it with PHP 7.4 and voila, magic happened. Thanks for such quality learning material...
@0xc0ffee_ 4 years ago
You can't do this if you don't know the name of the class that's already present on the server, right?
@CodeWithComments 4 years ago
Yes, you need the source code to perform any de-serialization attacks.
@nickomode8948 4 years ago
When will you do Smasher2? Are there going to be unintended routes in the video?
@vonniehudson 4 years ago
@ippsec I was wondering the same thing
@ippsec 4 years ago
I've said it on Twitter a bit, and I think in the last video's comments - I am off work a few days after Christmas. I'll probably do it then.
@nickomode8948 4 years ago
@@ippsec okay thanks for responding
@Swisha85 4 years ago
@@ippsec Bless you man. Hope you have a good Christmas.
@TheMrchement 4 years ago
Can you teach me step by step for ethical hacking or pentesting?
@Matthe9256 4 years ago
What application do you use to edit phar files?
@wooshbait36 3 years ago
Notepad