What is Phar Deserialization to Remote Code Execution?

A Phar file (PHP Archive) normally contains metadata that is stored in PHP's serialize() format. As a result, attackers can abuse deserialization vulnerabilities in the PHP code that reads the archive.

For those who are not familiar with it: the deserialization is triggered by ordinary PHP filesystem functions that never eval the PHP code, such as file_get_contents(), fopen(), file(), file_exists(), md5_file(), filemtime() or filesize(), when the path they receive uses the phar:// stream wrapper.
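As an added example (not part of the original writeup), here is a small Python scanner that parses the Phar manifest header to pull out the serialized metadata described above and flags uploads whose metadata carries an object, which is the case that reaches __wakeup/__destruct on any phar:// access. The fixture builder and the Dummy class name are constructed for the test, not taken from the machine.

```python
import re
import struct

HALT_MARKER = b"__HALT_COMPILER();"
# Manifest header right after the stub (all little-endian): manifest length,
# file count, API version (2 bytes), global flags, alias length.
HEADER = struct.Struct("<IIHII")
# serialize() writes objects as O:<len>:"Class":... (C: for custom serialization),
# either at the start of the blob or after ';' or '{' when nested in an array.
OBJECT_RE = re.compile(rb'(?:^|[;{])[OC]:\d+:"')


def extract_phar_metadata(data: bytes):
    """Return the global metadata blob of a Phar manifest (b'' if none), or None
    if `data` carries no manifest. Only the header is parsed, not file entries."""
    idx = data.find(HALT_MARKER)
    if idx < 0:
        return None
    pos = idx + len(HALT_MARKER)
    # PHP tolerates an optional closing tag and one line break after the marker.
    if data.startswith(b" ?>", pos):
        pos += 3
    for nl in (b"\r\n", b"\n"):
        if data.startswith(nl, pos):
            pos += len(nl)
            break
    if len(data) < pos + HEADER.size:
        return None
    _manifest_len, _files, _api, _flags, alias_len = HEADER.unpack_from(data, pos)
    pos += HEADER.size + alias_len
    if len(data) < pos + 4:
        return None
    (meta_len,) = struct.unpack_from("<I", data, pos)
    pos += 4
    return data[pos:pos + meta_len] if len(data) >= pos + meta_len else None


def classify_upload(data: bytes) -> str:
    """'clean' for non-Phar content, 'phar' for a Phar whose metadata holds no
    object, 'phar-object' when the metadata serializes an object."""
    meta = extract_phar_metadata(data)
    if meta is None:
        return "clean"
    return "phar-object" if OBJECT_RE.search(meta) else "phar"


def fixture_phar(meta: bytes) -> bytes:
    """Constructed test input: stub, manifest header with no files and no
    alias, then `meta`. Not a loadable archive (no entries, no signature)."""
    return (b"<?php __HALT_COMPILER(); ?>\r\n"
            + HEADER.pack(14 + len(meta), 0, 0x1100, 0, 0)
            + struct.pack("<I", len(meta)) + meta)
```

Run classify_upload() over every file an upload handler accepts, regardless of extension, since the stub marker is what matters, not the file name.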

Demonstration of uploading a Phar file for the Remote Code Execution attack method

The demonstration is taken from my full walkthrough of the Updown machine.

Analyze the source code of the webpage

After a while, I understood that we can upload a .phar file, which the system then uses to check whether the website is up or down.

We also found a special header that we can use later in the process.

After we whitelisted the subdomain, the page gave us a 403 error.

Let's try inspecting the request using Burp Suite and adding the special header.

Another way to proceed is to use the curl command and inspect the traffic with Burp Suite.

Inspecting the page with Burp Suite

The response returned a 200 status, which is good to know.

The subdomain will appear as shown in the screenshot above.

Based on my earlier analysis of the checker.php file, let's download the .phar file.

When we inspect it via Burp Suite, it looks exactly as shown in the screenshot above.

It seems that all the URLs are down, and I was thinking that we might need to make the website hang for it to work.

As a result, let's insert a few more URLs so that the website hangs, and then open the file in the /uploads/ directory.

The disable_functions list contains a lot of functions, but we did not see proc_open among them.

Let's create a basic PHP script that calls back to us with a reverse shell connection.

Next, let's start our listener using pwncat-cs.

To receive the reverse shell connection, we need to click the file in the uploads directory.

Finally, we obtained the reverse shell connection back to our machine.