Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

What is Phar Deserialization

Johannes Dahse at RIPSTech
  • It is very rare that an entirely new avenue of exploitation is found; this post explains one such technique.
  • PHP has URL-style stream wrappers such as zlib://, php:// and so on. The one abused for this exploitation is phar://.
  • A phar archive stores its metadata in PHP's serialized format.
  • When that metadata is passed through unserialize(), it can be exploited by abusing class destructors, constructors or __wakeup methods.
  • The steps for exploitation:
    1. Get a crafted phar file onto the server; the same file can also be disguised as a JPG.
    2. The deserialization is triggered by any file operation on the phar:// path, including file_exists, filesize and others.
    3. The constructor, destructor or __wakeup call then performs some operation.
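The defensive side of the steps above, as an added example that is not from the original post: the vulnerable pattern (a user-controlled path reaching file_exists) beside a hardened version. The upload directory /var/www/uploads, PHP 8 (for str_starts_with) and the assumption that the application never needs phar:// are mine.

```php
<?php
// Added example, not code from the RIPSTech article. Assumes PHP 8+ and that
// uploads live under /var/www/uploads (constructed path for illustration).

// Vulnerable: a user-controlled string reaches a file operation. If it is
// "phar://uploads/avatar.jpg", PHP parses the archive and unserializes its
// metadata before file_exists() returns, firing any __wakeup/__destruct.
function file_exists_unsafe(string $userPath): bool
{
    return file_exists($userPath);
}

// Hardened: refuse stream wrappers and confine the path to the upload directory.
function file_exists_safe(string $userPath, string $baseDir = '/var/www/uploads'): bool
{
    // 1. Reject anything with a URL-style scheme (phar://, php://, zlib://, ...).
    if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $userPath)) {
        return false;
    }

    // 2. Canonicalise and require the result to stay inside $baseDir.
    //    realpath() returns false for a missing file, which is a safe "no".
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $userPath);
    if ($base === false || $full === false) {
        return false;
    }
    if (!str_starts_with($full, $base . DIRECTORY_SEPARATOR)) {
        return false;
    }

    return file_exists($full);
}

// 3. Belt and braces: if the application never uses phar://, unregister the
//    wrapper at bootstrap so no file function anywhere can be made to parse
//    an archive, whatever extension the uploaded file carries.
if (in_array('phar', stream_wrappers(), true)) {
    stream_wrapper_unregister('phar');
}
```

Step 3 is the one that also covers the JPG-disguise case, since the wrapper is what makes PHP look inside the file regardless of its name.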