PHP object injection through the serialize and unserialize PHP functions can be super dangerous, especially if there's complete user control over what data is being serialized. Keep watching to see how we can take advantage of this to get remote code execution on a vulnerable web app right now.

What's up, everybody? My name is John Hammond. We're looking at Natas level 26. So we're prompted with this "draw a line" functionality, and it looks like it will let us just enter coordinates for maybe a line that we want to draw. And it looks like the application, once we submit this, will go ahead and create an image that is displayed for us with that line or whatever created. So let's take a look at the source code. Let's see what's wrong with it. Let's see what we can do, because this is another really cool vulnerability in PHP objects.

Well, let's take a look at the source code. HTTP, HTML stuff here; not HTTP, sorry, just HTML, whatever, wrong acronym, bunch of H words, or series of words in an acronym. So the PHP code here is using a little bit of object-oriented programming. You can see we have a class here called Logger, and this has some variables set up as private that it uses only inside that class, or inside that object, and they're denoted by the this keyword. PHP uses the arrow notation to denote the use of its own private variables inside of an object or inside of a class. So it creates a file, looks like it, that it's going to use to log, based off of a temporary directory and a temporary file that we create here. And it keeps track of the session, supposedly. It has a function log that will display stuff there, and __destruct will, okay, save it to the file and write it all out. That's fine. So __construct is a constructor, __destruct is the destructor. The constructor happens first, when the object is first created; the destructor happens once the object is destroyed, or once it's done, once it's not in use anymore. These underscore-underscore functions are PHP magic object functions.

So they are, like, necessary and built in for PHP. Keep that in mind, because that's crucial to this attack that we're going to be looking at with our object serialization and deserialization. There's code to show an image; it looks like it just includes that HTML image element. drawImage looks like it uses PHP functions to use a color and create a new PNG image, etc., etc., and drawFromUserdata looks like another custom function here. It takes advantage of these x coordinates and y coordinates that we pass along; looks like it's passing those through the GET method, and it goes ahead and draws a line, just like that. And it looks like it actually does this with a drawing cookie: we can see it's testing if this cookie, drawing, exists in the cookie array, and then it unserializes this data. It's base64 encoded to begin with, so that's why they have to decode it here, and that's important to note, because unserializing data that we have complete control over is a huge vulnerability, because that can lead to some unsafe stuff happening, that can lead to some PHP remote code execution, and we'll take advantage of it in a really, really cool way as we get into it. But other than that, it just creates this image, and storeData, again taking advantage of these x1, y1 coordinates, stores them as an object and creates that as a drawing cookie that we have in base64. So you can see this storeData function does that with an empty bit, or a little bit of nothing to begin with, or creates an empty array, but it will create a serialized form of that object, base64 encoded. The page itself will create a session, and it looks like it's using our session ID as the actual location that it's loading the image file from. So let's play around with the code, let's see how we can take advantage of this, and let's see how we can manipulate it. Let's get over to our script, hit Ctrl+B to run it, set the syntax to PHP here. Cool. So let's see how this looks if we pass along some of those arguments here.

Let's create another request. We're going to change the URL to include x1 can equal zero and y1 can equal zero, x2 can equal, like, 500, just like we've used before, and y2 can equal 500. Now let's go ahead and print that; see how this looks. You can see it's using our image source here, that's using from that PHP function, and it's using that session ID, supposedly. Let's actually go ahead and take a look at that session cookie's PHPSESSID, and okay, you can see that q1c9a is the same thing that it's using right there. But take note that we can control this. We can actually inject something into this, like that session ID; it's just a cookie. So let's change it to something like, try some local file inclusion: let's go up the parent directory a ton, let's see if we can read out /etc/passwd. I don't know what this even would do, because it can't create a PNG from that, but we get a bunch of warnings and PHP errors: session_start, session ID is too long or contains illegal characters. Looks like the only valid characters are alphanumeric and hyphens and commas. So obviously it can't create that stream, and it's not a PNG, so it can't use this imagepng function. So that doesn't really work out very well for us, but we can get into something else with that object, this Logger class, because that looks like something that's being considered serialized and actually, like, loaded into PHP, and we have complete control over it. We can take advantage of that, because it's just a cookie, right? We can see our original GET request here. Let's see the cookies that we have before we supposedly submit the form: the request cookie jar has a session ID. After that, if we take a look at the session cookies following our request, let's try and run this, the request cookie jar has a cookie for PHPSESSID, and then we have another one, drawing, that looks like base64 encoded data. So let's go ahead and take a look at what that really is. Let's get drawing out of here, and let's go ahead and import base64 so we can decode it and take a look at what that code is.

base64.b64decode, run this: incorrect padding. Let's see what that actually looks like; maybe it's not including the equal sign at the very end, or it's URL encoding them. It is, so let's decode that with urllib, urllib.quote, and maybe unquote; I believe, I do that constantly, it is unquote. Okay, now we have our equal sign. Perfect. Let's base64 decode that. Sweet. So we have strings and objects and things all created, supposedly in an array, but this is PHP serialized data, so let's take advantage of it with our Logger method. If we can steal that code, this class Logger, we can actually change what these variables are and what they do, and if we give that to the cookie, that drawing cookie, then the PHP application will, like, unserialize that data for us. It'll load up this Logger, it will try and write that message, and we may be able to take advantage of what we actually write to a file, and we can actually essentially get some code on the server and maybe run our own PHP code, because we are writing to a file with this. So let's steal this Logger class. I'm going to put this in another file; I'll call it 26_tool.php and set the syntax to PHP by adding these PHP tags and stuff above it. So let's indent, get proper whitespace here. So let's create a new object for that; let's say new Logger. It can be just object; object can equal new Logger. And then let's go ahead and echo out the base64 version. Actually, let's not, let's not encode it yet. Let's make sure we can see that serialized data; let's just run serialize on our object. Cool. So in the shell over here let's run our 26 tool. Might just run php7.0 26_tool, and I'm getting a couple of PHP warnings in there, so let's actually just redirect standard error to elsewhere. Okay, so we see we have a Logger object and it's creating, keeping track of, these files here. So let's go ahead and change some of these variables, because we can take advantage of them and have them do interesting things, like write to a different file and write new things like PHP code.

So let's do some PHP code injection like that. Let's put this in a relative path that we know we can access, something like img, right, because it's trying to load out of that image directory. Yep, image files are from img/natas and the session ID, so let's put something at, like, img/winner.php, and we can have some PHP code that's being written in the initialization or exit message. Let's use that regular PHP syntax and let's run our system command: cat /etc/natas_webpass for the next level. Cool. That should get us some commands running in this img/winner.php file. So now that that's been updated, let's take a look at what the output of the script is. Okay, Logger, we got the object putting it at that file, and it looked like it's just running PHP code. Perfect. Now let's go ahead and base64 encode this. Okay, a lot of stuff here, but we can copy this and we can set this to our drawing variable in our session cookies: session.cookies equals, I'm sorry, drawing, right, because that's the cookie that we're working with; set that equal to that base64 string. Check out the response here and let's go ahead and run this in the build output. Do I have an error anywhere? I do. Let's see what we got. Oh, I may not have included my semicolons here. Yep, in the PHP, in that PHP code. So now we can go back and get actual proper base64 code here. Perfect. Let's go ahead and change that. Now when we run the script we have a new fatal error: cannot use object of type Logger as an array. Okay, and that makes sense, because it is trying to read that file as an array, right? In the code it looks like it tries to read that out as an array, but we know that that means that our code successfully executed; we know that we got that object to unserialize. So now we should have a new file, supposedly, at img/winner.php. So if we get that and check out the response, we've got the next password. Heck yeah!

So I actually had used this for a little bit of testing earlier, so the natas26 password is up here, but that is the natas27 password, 55tb etc., etc. Looks like we got it a couple more times for whatever reason, but that means that, hey, we won. There was our attack: we did some PHP object manipulation with deserializing objects and took advantage of some of those cool PHP magic functions. So if you want to learn more about this attack, it is PHP object deserialization. I want to make sure I can actually type this: PHP object deserialization. And you'll see a ton of write-ups on this; you'll see a lot of OWASP articles, etc., etc., and they all have that same methodology, where there is a class or a little bit of object-oriented programming set up and they're using a PHP magic method like __construct or __destruct or __toString, etc., etc. So totally check those out, because you'll see them a lot in CTFs. That is a common attack: if you see the unserialize function in PHP, you should automatically know something is wrong, especially if you can control the data that's inside, because that is going to be your attack vector. So super duper cool.

Thank you guys for watching. I want to give a shout-out to my supporters real quick. Thank you to all of these people: Spencer Clark, Gal Horowitz, Is Okay, Atilla or Galathean Ruler, Unruly Destroy of Worlds, Bachelor of Terror, Gen Grob, Timothy County and Jake of Age, etc. If I butchered a name, I'm sorry, but hey, you are awesome. Thank you so much for supporting me, thank you for being willing to go on this journey with me. One dollar a month on Patreon will give you the shout-out just like this at the end of every video; five dollars and more will give you early access to things that I'm trying to push out on YouTube before they go live, in case I record anything in advance and YouTube is scheduling. So thank you, thank you. Hey, if you did like this video, please do press that like button, maybe leave me a comment, let me know what you think, what else you'd like to see, what we could have done better, how you solved this, etc. If you're willing to subscribe, and if you really want to support me, check me out on Patreon. Thanks again, guys. See you in a later video.
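As an added example (not the Natas 26 source and not the 26_tool.php from the video), here is the cookie-loading pattern described above beside a hardened replacement: the drawing cookie carries JSON instead of PHP serialized data and is validated as a list of integer coordinate sets, so unserialize never runs on client-controlled bytes and no class such as Logger can be instantiated from the cookie. The function names loadDrawingVulnerable, loadDrawingSafe and storeDrawingSafe are my own.

```php
<?php
// Added example: vulnerable vs. hardened handling of the "drawing" cookie.
// Function names are assumptions; this is not the Natas 26 code itself.

// Vulnerable pattern from the video: whatever bytes the client puts in the
// cookie are handed to unserialize(), so a serialized object of any class
// the app defines (e.g. Logger, with its __destruct) gets instantiated.
function loadDrawingVulnerable(string $cookie) {
    return unserialize(base64_decode($cookie));
}

// Hardened replacement: the cookie only ever carries JSON, and the decoded
// value is validated as a list of x1/y1/x2/y2 integer sets within bounds.
// json_decode cannot create PHP objects, so magic methods never run on input.
function loadDrawingSafe(?string $cookie, int $limit = 1000): array {
    if ($cookie === null) {
        return [];
    }
    $raw = base64_decode($cookie, true);       // strict: reject non-base64
    if ($raw === false) {
        return [];
    }
    $data = json_decode($raw, true);           // assoc arrays, never objects
    if (!is_array($data)) {
        return [];
    }
    $lines = [];
    foreach ($data as $l) {
        if (!is_array($l) || count($l) !== 4) {
            continue;                          // drop malformed entries
        }
        $coords = [];
        foreach (['x1', 'y1', 'x2', 'y2'] as $k) {
            if (!isset($l[$k]) || !is_int($l[$k]) || $l[$k] < 0 || $l[$k] > $limit) {
                continue 2;                    // any bad value drops the line
            }
            $coords[$k] = $l[$k];
        }
        $lines[] = $coords;
    }
    return $lines;
}

// Matching writer for the hardened version (replaces serialize() in storeData).
function storeDrawingSafe(array $lines): string {
    return base64_encode(json_encode($lines));
}
```

If unserialize() has to stay for legacy cookies, PHP 7.0 and later accept unserialize($data, ['allowed_classes' => false]), which turns any embedded object into __PHP_Incomplete_Class so that no __destruct or other magic method of an application class runs; the JSON path above is still the better fix.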