Today I will be sharing on Serial: 1 from vulnhub. For my blog, I will only focus on understanding the source code, and the PHP Serialization/Deserialization vulnerability. You may download the box here:
Setting up
Setting this up is slightly different. If you are using VMware:
- Select custom configuration
- Select Install OS later
- Version = Linux Debian 6
- At the menu to select a disk -> Use an existing virtual disk and specify the vmdk file downloaded from the vulnhub link
Real work
From the backup directory, we manage to find the source code of the web server. The directory includes 3 files:
- index.php
- log.class.php
- user.class.php
First, some things to fix in log.class.php before it will run:
- Correct the function name __construct (the original reads __costruct)
- Remove the $ sign before type_log
Reminder to self from past lessons: TRACE USER INPUT!!! So let's start with that!
index.php:
- checks for $_COOKIE['user'], which is controlled by the user
- if it is set, the cookie is passed straight to unserialize()!!! (probably can hijack the cookie)
- This file includes "user.class.php", so let's take a look at it
user.class.php:
- When we create a new User, __construct is called, User->name is set and a new Welcome object is created.
- When the script exits, __destruct is called. It calls the Welcome object's handler function, which echoes $name.
Let's test our understanding by creating a new User. We should expect the user name to be output in the browser!
To create the serialized user, add these lines of code below the script in user.class.php; they create a user "ditt0" and print the cookie value to paste into the browser:
// build a User, serialize it, and base64-encode it so it can be stored in the cookie
$obj = new User("ditt0");
$objSerial = serialize($obj);
echo("\r\n");
echo(base64_encode($objSerial));
echo("\r\n");
As expected, ditt0 is output in the browser.
User.class.php also includes log.class.php.
This Log class has a vulnerable handler function: it calls
include($this->type_log).
Since $type_log is just a property of the object, it is whatever value the deserialized cookie says it is. Basically if we include("/etc/passwd"), it will print the contents of the file!
So how do we trigger the handler function in the log class object?
I notice the similarity between the Welcome class and the Log class: the Welcome class has a handler function as well, and that handler is called when the User object is destructed. Therefore, instead of creating a Welcome object when initializing the User, let's create a Log object instead! We also pass in the variable $name when initializing the Log class.
And after we pass in this cookie, tadah! We can see the contents of /etc/passwd from the victim.