Lab: Exploiting PHP deserialization with a pre-built gadget chain

PRACTITIONER

This lab has a serialization-based session mechanism that uses a signed cookie. It also uses a common PHP framework. Although you don't have source code access, you can still exploit this lab's insecure deserialization using pre-built gadget chains.

To solve the lab, identify the target framework then use a third-party tool to generate a malicious serialized object containing a remote code execution payload. Then, work out how to generate a valid signed cookie containing your malicious object. Finally, pass this into the website to delete the morale.txt file from Carlos's home directory.

You can log in to your own account using the following credentials: wiener:peter

Solution

  1. Log in and send a request containing your session cookie to Burp Repeater. Highlight the cookie and look at the Inspector panel.
  2. Notice that the cookie contains a Base64-encoded token, signed with a SHA-1 HMAC hash.
  3. Copy the decoded cookie from the Inspector and paste it into Decoder.
  4. In Decoder, highlight the token and then select Decode as > Base64. Notice that the token is actually a serialized PHP object.
  5. In Burp Repeater, observe that if you try sending a request with a modified cookie, an exception is raised because the digital signature no longer matches. However, you should notice that:
    • A developer comment discloses the location of a debug file at /cgi-bin/phpinfo.php.
    • The error message reveals that the website is using the Symfony 4.3.6 framework.
  6. Request the /cgi-bin/phpinfo.php file in Burp Repeater and observe that it leaks some key information about the website, including the SECRET_KEY environment variable. Save this key; you'll need it to sign your exploit later.
  7. Download the "PHPGGC" tool and execute the following command:

    ./phpggc Symfony/RCE4 exec 'rm /home/carlos/morale.txt' | base64

    This will generate a Base64-encoded serialized object that exploits an RCE gadget chain in Symfony to delete Carlos's morale.txt file.

  8. You now need to construct a valid cookie containing this malicious object and sign it correctly using the secret key you obtained earlier. You can use the following PHP script to do this. Before running the script, you just need to make the following changes:
    • Assign the object you generated in PHPGGC to the $object variable.
    • Assign the secret key that you copied from the phpinfo.php file to the $secretKey variable.
    <?php $object = "OBJECT-GENERATED-BY-PHPGGC"; $secretKey = "LEAKED-SECRET-KEY-FROM-PHPINFO.PHP"; $cookie = urlencode('{"token":"' . $object . '","sig_hmac_sha1":"' . hash_hmac('sha1', $object, $secretKey) . '"}'); echo $cookie;

    This will output a valid, signed cookie to the console.

  9. In Burp Repeater, replace your session cookie with the malicious one you just created, then send the request to solve the lab.

Community solutions

Emanuele Picariello