Advanced PHP Deserialization – Phar Files

Previous Video: Intro to PHP Deserialization – https://youtu.be/HaW15aMzBUM 00:27 – Little bit of history about PHP Serialization 02:13 – Why is uploading Phar Files different than normal file upload vulns? 02:42 – What are Phar Files? 03:38 – Prevention by…

0
(0)

Previous Video: Intro to PHP Deserialization – https://youtu.be/HaW15aMzBUM
00:27 – Little bit of history about PHP Serialization
02:13 – Why is uploading Phar Files different than normal file upload vulns?
02:42 – What are Phar Files?
03:38 – Prevention by disabling the phar stream wrapper
04:00 – Going over the PHP Upload script created for this video
06:15 – Reviewing a PHP Script to generate malicious PHAR Files
07:20 – Setting our PHP Config to allow PHAR to operate in Read/Write mode
08:00 – Showing we can control the beginning bytes of the PHAR File to trick magic byte checks
08:40 – Copying the logging class from the intro to deserialization video into our upload script
09:35 – Adding the PHP Object/POP Chain to our PHAR Generation Script
11:30 – Starting a PHP Webserver so we can upload our image
12:20 – Explaining why the existing image upload script, isn’t vulnerable.
13:00 – Creating a seperate script which performs the file operation unlink() against user input
14:45 – Trying to trigger this vulnerability via Curl (doesn’t work yet, forgot to include our PHP Class)
16:00 – Adding the PHP Object to our script
17:17 – Begin of adding a phar file to a legitimate image
19:00 – Modifying our PHAR File to also be a valid image
20:12 – Triggering the PHAR Unserialize with our image, but this time with a different file operation (md5_file)
21:50 – Mentioning PHPGGC which is handy to utilize with this exploit
22:13 – Showing how to unregister PHP Stream wrappers to prevent this attack

0 / 5. 0

Leave a Reply

Your email address will not be published. Required fields are marked *