Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

X-Cart 5 - RCE via arbitrary File Write

NickstaDB, posted 5 years ago
  • While looking at the cookies set by the PHP site, the author noticed that one of them was in PHP's standard serialized format. That is an interesting start!
  • PHP unserialization is an easy way to turn a string back into a live PHP value. The main issue is that an object's magic methods (its destructor, for example) are invoked automatically once the object has been rebuilt, without the application ever creating it itself.
  • So, if arbitrary data can be deserialized (as it could be from the cookie), it may be possible to create an object (with a constructor/destructor) whose automatic methods perform malicious actions.
  • PHPGGC can be used to find gadget chains (for deserialization) within code. One of the gadgets allowed an arbitrary JSON file to be written to an arbitrary location. By writing it to a web-accessible location (with some PHP code inside), RCE was possible.
  • There was an issue, though: strip_tags() was being run on the file name, which removes HTML tags and null bytes. However, the author had an interesting way around this!
  • Luckily, the PHP serialization format has more than one encoding for strings. By switching the string to the other encoding, the filtered bytes could be used again.
  • Overall, a good find and super impressive exploitation!
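The root issue in the summary above is unserialize() being fed client-controlled cookie data, which lets the client pick which classes get instantiated and therefore which magic methods run. The following is an added example (mine, not code from the X-Cart post or from NickstaDB) that shows the behaviour with a made-up class and two safer alternatives. The class name AuditLogger, the function names, the cookie value and the file path are all constructed for illustration and are not from the original write-up.

```php
<?php
// Added example (not from the summarized post or from X-Cart): why
// unserialize() on cookie data is dangerous, and two ways to avoid it.
// AuditLogger, the cookie value and the path below are all constructed.
declare(strict_types=1);

// A class with lifecycle magic methods, as many frameworks have.
// If a serialized instance arrives from the client, these run without
// the application ever executing "new AuditLogger".
final class AuditLogger
{
    public string $path = '/tmp/audit.log';
    public string $message = '';

    // Called automatically right after unserialize() rebuilds the object.
    public function __wakeup(): void
    {
        echo "[__wakeup] would now open {$this->path}\n";
    }

    // Called when the object is destroyed (unset, or at script end).
    public function __destruct()
    {
        echo "[__destruct] would now write '{$this->message}' to {$this->path}\n";
    }
}

// Vulnerable pattern: whatever the cookie holds becomes live objects.
function loadPrefsVulnerable(string $cookie): mixed
{
    return unserialize($cookie);
}

// Hardened pattern 1: refuse to instantiate any class from user data.
// Objects come back as __PHP_Incomplete_Class, so no magic method runs.
function loadPrefsNoClasses(string $cookie): mixed
{
    return unserialize($cookie, ['allowed_classes' => false]);
}

// Hardened pattern 2: keep PHP serialization away from client-held data.
// JSON only carries scalars and arrays, and an HMAC rejects tampered
// cookies before anything is parsed.
function encodePrefs(array $prefs, string $key): string
{
    $payload = json_encode($prefs, JSON_THROW_ON_ERROR);
    return base64_encode($payload) . '.' . hash_hmac('sha256', $payload, $key);
}

function decodePrefs(string $cookie, string $key): ?array
{
    [$b64, $mac] = array_pad(explode('.', $cookie, 2), 2, '');
    $payload = base64_decode($b64, true);
    if ($payload === false || !hash_equals(hash_hmac('sha256', $payload, $key), $mac)) {
        return null; // forged or corrupted cookie
    }
    $decoded = json_decode($payload, true, 16, JSON_THROW_ON_ERROR);
    return is_array($decoded) ? $decoded : null;
}

// Constructed cookie value: exactly what serialize() produces for an
// AuditLogger whose properties point at a web-reachable file.
$cookie = 'O:11:"AuditLogger":2:{s:4:"path";s:24:"/var/www/html/prefs.json";'
        . 's:7:"message";s:23:"attacker-chosen content";}';

echo "-- vulnerable --\n";
$obj = loadPrefsVulnerable($cookie);   // __wakeup fires here
unset($obj);                           // __destruct fires here

echo "-- allowed_classes=false --\n";
$obj = loadPrefsNoClasses($cookie);
echo get_class($obj), "\n";            // __PHP_Incomplete_Class, no magic methods
unset($obj);

echo "-- signed JSON --\n";
$key  = random_bytes(32);
$good = encodePrefs(['theme' => 'dark'], $key);
var_dump(decodePrefs($good, $key));         // array with theme => dark
var_dump(decodePrefs($good . 'x', $key));   // NULL: MAC check fails
```

Run it with `php example.php` (PHP 8.0 or newer for the `mixed` return type). The first section prints the two magic-method lines even though the script never constructs an AuditLogger itself; the second shows that `allowed_classes => false` neutralises that, and the third shows the design that makes the question moot, since a signed JSON cookie cannot name a class at all.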