Unserialize in php

Using gadget chains it is possible to achieve remote code execution in web applications that unserialize user input, even without having the complete source code.

Serialization

In PHP, serialize converts a data structure such as an array or object into a string. The function unserialize converts a string into a data structure. This is useful to pass data structures through a method that does not support PHP objects, but does support text. In web applications, it’s often used to pass information from one page to another. In that case, serialized data may occur in a hidden form element or a cookie.

The data format is custom for PHP. Here’s an example:


$myObj = new stdClass();
$myObj->hello = "world";
echo serialize($myObj);

This outputs a piece of text that represents the contents of $myObj:


O:8:"stdClass":1:{s:5:"hello";s:5:"world";}

By calling unserialize on this text, we get the original object back.

Vulnerabilities

If a web application unserializes user input, there are two ways this can be vulnerable. First, the unserialize function is pretty complex. It has functionality to create any type of PHP object, bypassing the normal logic for this. It can handle reference loops and resource allocation. This is hard to do correctly when faced with untrusted input, and thus unserialize is particularly prone to security bugs. These typically crash the PHP process, and may result in remote code execution for an attacker who’s really good with buffer overflows and bypassing ASLR.

Another class of vulnerabilities arises from the possibility to create any object, on which the destructor is called as soon as it’s discarded from memory.

Creating arbitrary objects

To get the serialized representation, the application created some valid PHP object and serialized it. When doing the reverse, the text representation is converted to a PHP object. PHP handles this without involving any business logic. No constructors are called. This means that if we control the text representation, we can create PHP objects that would not be possible with normal business logic flow.

In the following example, we create a user named “admin”, even though that wouldn’t be possible with the normal business logic.


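class User {
    // Declared explicitly so the example also runs on PHP versions that
    // deprecate dynamic properties.
    public $username;

    function __construct($username) {
        // Business rule: nobody may be created with the name "admin".
        if ($username == "admin") {
            throw new InvalidArgumentException($username);
        }
        $this->username = $username;
    }
}

// unserialize() builds the object without calling the constructor.
$u = unserialize('O:4:"User":1:{s:8:"username";s:5:"admin";}');
var_dump($u);

This outputs: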


object(User)#1 (1) {
  ["username"]=>
  string(5) "admin"
}
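
An added example, not part of the original post, showing two defences against the object creation above: refusing to instantiate classes with the allowed_classes option, and re-validating state in __unserialize(). It assumes PHP 7.4 or later; the __unserialize() method and the setUsername() helper are additions to the page's User class.

```php
<?php
// Added example: the User class from above, extended with __unserialize()
// (PHP 7.4+) so the constructor's rule also applies to unserialized data.
class User
{
    public $username;

    public function __construct($username)
    {
        $this->setUsername($username);
    }

    // Called by unserialize() in place of the constructor.
    public function __unserialize(array $data): void
    {
        $this->setUsername($data['username'] ?? null);
    }

    // Hypothetical helper holding the single copy of the business rule.
    private function setUsername($username): void
    {
        if (!is_string($username) || $username === 'admin') {
            throw new InvalidArgumentException('rejected username');
        }
        $this->username = $username;
    }
}

// Constructed input: the same serialized text as in the example above.
$input = 'O:4:"User":1:{s:8:"username";s:5:"admin";}';

// 1. Refuse to instantiate any class. Objects in the input become
//    __PHP_Incomplete_Class, so no method of User (constructor,
//    __wakeup, __destruct) is ever run for them.
$safe = unserialize($input, ['allowed_classes' => false]);
var_dump(get_class($safe));

// 2. If objects must be accepted, allow-list the expected classes and
//    let each class re-validate its own state.
try {
    unserialize($input, ['allowed_classes' => [User::class]]);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```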

Gadget chains

We saw that we could invoke arbitrary destructors with arbitrary data. However, often we don’t know which destructors are present in application code, and destructors that directly call a user-supplied function are pretty rare. To exploit this vulnerability, we want a destructor of which we know that it runs our payload. That’s where gadget chains in commonly used projects come in.

Even if we don’t have the application source, it’s pretty likely that the application uses Laravel, Symfony, or Zend Framework. It probably uses open-source third party components, such as Monolog for logging, or Doctrine for database access. Since these components are open source, we can take a look at the destructors and pick the destructors that are useful. For example, Zend used to have a destructor that can remove files.

Such a useful piece of code is called a gadget. Sometimes, the destructor does not do directly what we want, but we have to combine a few pieces to get what we want. Combining multiple pieces of code in this way is called a gadget chain.

Luckily, we don’t have to find our own gadget chains, and there is a tool phpggc that knows several gadget chains and can create payloads for us.

Example chain: Monolog/RCE2

The gadget chain Monolog/RCE2 creates a chain of three objects:

The BufferHandler->handle() has functionality to run custom processing functions on each record. We can use this to execute arbitrary functions. The chain of objects is needed to call the handle method from a destructor. The destructor of SyslogUdpHandler calls $socket->close(), which calls $handler->handle(), which calls our payload.

As you can see, calling handle with the data we want from a destructor is already quite a complex chain. It combines objects in unusual ways; normally, the socket attribute in SyslogUdpHandler contains a UDP socket object, but now we injected another type of object.

It’s not straightforward to create such a gadget chain from within PHP. For example, SyslogUdpHandler->socket is protected, so it’s not possible to set this property from outside the class. Changing this to public makes it possible to set the property, but changes the serialized representation in an incompatible way.

Unserialize vulnerability in ebooks webshop

I found an unserialization vulnerability in an ebooks webshop. The site showed a list of various ebooks for sale, and clicking on one of them showed the details. The bottom of the details page showed links to previously viewed books.

This was implemented by sending a PRODUCTHISTORY cookie with serialized contents, which contains information on the previously viewed books. The content of the cookie looks as follows:


As you can see, this is a serialized array with thumbnail and title information of a book. The web application supposedly calls unserialize on the content of this cookie, which gives the opportunity to create objects and call destructors.
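
One way to carry a view history in a cookie without calling unserialize on client data, as an added example that is not the webshop's code or part of the original post. SECRET_KEY, the function names and the "title" and "thumbnail" field names are assumptions made for the illustration.

```php
<?php
// Added example. SECRET_KEY and both function names are hypothetical;
// the key would come from server-side configuration.
const SECRET_KEY = 'replace-with-random-server-side-key';

// Encode the view history as JSON and append an HMAC so the server can
// tell whether the client changed the cookie.
function encodeHistory(array $books): string
{
    $json = json_encode($books, JSON_THROW_ON_ERROR);
    $mac  = hash_hmac('sha256', $json, SECRET_KEY);
    return base64_encode($json) . '.' . $mac;
}

// Returns the list of books, or an empty list for anything unexpected.
function decodeHistory(string $cookie): array
{
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return [];
    }
    $json = base64_decode($parts[0], true);
    if ($json === false
        || !hash_equals(hash_hmac('sha256', $json, SECRET_KEY), $parts[1])) {
        return [];
    }
    try {
        $books = json_decode($json, true, 8, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return [];
    }
    if (!is_array($books)) {
        return [];
    }
    // json_decode yields only arrays and scalars, never application objects.
    // Keep only entries that have the two expected string fields.
    return array_values(array_filter($books, function ($b) {
        return is_array($b)
            && is_string($b['title'] ?? null)
            && is_string($b['thumbnail'] ?? null);
    }));
}

// Constructed sample data: a cookie issued by the server.
$cookie = encodeHistory([['title' => 'Example book', 'thumbnail' => '/img/1.png']]);
var_dump(decodeHistory($cookie));
// Serialized PHP text sent in place of a signed cookie.
var_dump(decodeHistory('O:8:"stdClass":0:{}'));
```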

Finding the right payload

I couldn’t find information on what components or frameworks were used by this application. I simply tried all payloads that phpggc had. With most payloads, nothing happened. Both Monolog/RCE1 and Monolog/RCE2 gave a 500 internal server error. I came to the conclusion that the application is using Monolog and correctly unserializing the objects, but something else went wrong.

Correctly encoding the payload

When trying payloads, I created them with phpggc and copy-pasted them into Burp. This didn’t work perfectly, and after a while I discovered that the payloads contain non-ASCII characters, in particular null-bytes. These disappear when copy-pasting, so I was not using the correct payload.

I downloaded Monolog so I could try various payloads locally. While doing this, I discovered that payloads that looked the same gave different behaviour, which gave me the idea that there could be invisible characters in the payload.
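
Where the invisible characters come from, and why making a protected property public changes the serialized form, shown as an added example that is not part of the original post. The three classes are hypothetical stand-ins for a library class with a non-public property, and visible() is a helper introduced here.

```php
<?php
// Added example. The class names are hypothetical; they stand in for a
// library class whose property is not public.
class PublicProp    { public    $socket = 'x'; }
class ProtectedProp { protected $socket = 'x'; }
class PrivateProp   { private   $socket = 'x'; }

// Render a serialized string with non-printable bytes made visible,
// as one would before logging or comparing two payloads.
function visible(string $s): string
{
    return addcslashes($s, "\0..\37\177..\377");
}

// The property name is stored differently for each visibility:
// protected and private names are wrapped in NUL bytes.
foreach ([new PublicProp, new ProtectedProp, new PrivateProp] as $obj) {
    $s = serialize($obj);
    printf("%-14s %s\n", get_class($obj), visible($s));
    printf("%-14s length=%d, NUL bytes=%d\n", '', strlen($s), substr_count($s, "\0"));
}

// Simulate a copy-paste that drops NUL bytes: the declared length of the
// property name no longer matches its bytes, so unserialize() fails.
$original = serialize(new ProtectedProp);
$pasted   = str_replace("\0", '', $original);
var_dump(@unserialize($pasted));

// Percent-encoding keeps every byte, including the NULs.
var_dump(rawurldecode(rawurlencode($original)) === $original);
```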

My solution was to create a script that urlencodes and pipe the output of phpggc directly to urlencode and onto the clipboard:


$ phpggc Monolog/RCE1 a b | urlencode | pbcopy
Since then I learned that phpggc has flags to perform encoding:


I pasted this into the PRODUCTHISTORY cookie, sent the request, and got activity on the Collaborator client:

It worked! The URL was retrieved, showing that the payload was executed.

Conclusion

Several things I learned:

Unserialize can lead to RCE, even if the attacker does not have access to the source code.

The unserialize payloads contain non-ASCII bytes and need to be correctly escaped. Copy-pasting can’t be trusted to transfer everything correctly.

Finding and creating your own gadget chains is pretty hard, but luckily there is a good tool that does it for you.

I reported this issue to the owner of the ebook shop. They took the site offline and rewarded me with a bounty. However, the same software is used on other ebook webshops, and the vulnerability remains open on at least ten other sites that run the same software.

