Advanced PHP Deserialization - Phar Files

00:27 - Little bit of history about PHP Serialization
02:13 - Why is uploading Phar Files different than normal file upload vulns?
02:42 - What are Phar Files?
03:38 - Prevention by disabling the phar stream wrapper
04:00 - Going over the PHP Upload script created for this video
06:15 - Reviewing a PHP Script to generate malicious PHAR Files
07:20 - Setting our PHP Config to allow PHAR to operate in Read/Write mode
08:00 - Showing we can control the beginning bytes of the PHAR File to trick magic byte checks
08:40 - Copying the logging class from the intro to deserialization video into our upload script
09:35 - Adding the PHP Object/POP Chain to our PHAR Generation Script
11:30 - Starting a PHP Webserver so we can upload our image
12:20 - Explaining why the existing image upload script isn't vulnerable
13:00 - Creating a separate script which performs the file operation unlink() against user input
14:45 - Trying to trigger this vulnerability via Curl (doesn't work yet, forgot to include our PHP Class)
16:00 - Adding the PHP Object to our script
17:17 - Beginning to add a phar file to a legitimate image
19:00 - Modifying our PHAR File to also be a valid image
20:12 - Triggering the PHAR Unserialize with our image, but this time with a different file operation (md5_file)
21:50 - Mentioning PHPGGC which is handy to utilize with this exploit
22:13 - Showing how to unregister PHP Stream wrappers to prevent this attack
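
The prevention covered at 03:38 and 22:13, as an added example that is not code from the video: the phar stream wrapper is unregistered, and a user-supplied path is validated before it reaches a file operation such as md5_file(). `UPLOAD_DIR` and `safe_md5()` are hypothetical names, and the upload directory path is an assumption.

```php
<?php
// Added example: hardening a file operation that receives a user-supplied path.
// UPLOAD_DIR and safe_md5() are hypothetical names, not taken from the video.

const UPLOAD_DIR = '/var/www/uploads';   // assumed upload directory

// 1. Remove the phar:// wrapper for this request, so no filesystem
//    function can be made to parse PHAR metadata.
if (in_array('phar', stream_get_wrappers(), true)) {
    stream_wrapper_unregister('phar');
}

/**
 * Return the MD5 of an uploaded file, or null if the path is not acceptable.
 */
function safe_md5(string $userPath): ?string
{
    // 2. Reject any stream-wrapper syntax (phar://, php://, compress.zlib://, ...).
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $userPath) === 1) {
        return null;
    }

    // 3. Keep only the file name, resolve it, and confirm the result
    //    still sits inside the upload directory.
    $base = realpath(UPLOAD_DIR);
    $real = realpath(UPLOAD_DIR . DIRECTORY_SEPARATOR . basename($userPath));
    if ($base === false || $real === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0
        || !is_file($real)) {
        return null;
    }

    $hash = md5_file($real);
    return $hash === false ? null : $hash;
}

// Constructed inputs: a plain file name and a wrapper-prefixed path.
var_dump(safe_md5('avatar.jpg'));
var_dump(safe_md5('phar://avatar.jpg'));
```

From PHP 8.0 onward, file operations on phar:// paths no longer unserialize the archive metadata automatically, so these checks matter most on older runtimes and remain useful as defence in depth.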
Comments

I love when you do videos that go into specific subjects like this. 👍

DividesByZer

Thank you for including a way to eliminate this vulnerability!

SomeGuyInSandy

Can I get an IppSec T-shirt with the quote: "I expected code execution...#sadface"?? xD That tone of voice was just perfect. ;D

maxmusterspace

Amazing video.. I would like if you could continue this series..

neoXXquick

Great content 👍. All your videos are awesome. And really thanks for your support 👍

adhilazeez

Thank you, your last videos are really cool! I hope you will do more like that!

I just have a question: in black box testing, is there a way to know that there is a vulnerability or do you just try it and see if it works?

khneo

Thanks heaps for this, very interesting.

I am just wondering, how are the methods "unlink", "md5sum" triggering the destruct magic method of the object you're creating? Is it a part of the phar:// read processing? When is the object unset?

When is it possible to use phar://, only with methods that involve reading data?

supercoolgames

Hi. Would be great to have a little bit more volume on the audio. Otherwise, really great.

khalat

It's been 2 years since this video, learned a lot from it. But it somehow doesn't work with PHP 8.1, it works well with PHP 7.4. I think they changed something in a new update so it doesn't work. I spent time finding out why it was not working (I was working with PHP 8.1), then ran it with PHP 7.4 and voila, magic happened. Thanks for such quality learning material...

rawbytes

You can't do this if you don't know the name of the class that's already present on the server, right?

xcffee_

When will you do smasher2? Are there going to be unintended routes in the video?

nickomode

Can you teach me step by step for ethical hacking or pentesting?

TheMrchement

What application do you use to edit a phar file?

Matthe