00:50 - Background information, showing that variables are point-in-time state
03:40 - Creating a PHP Class and Object
05:40 - Serializing the Object and going over the format
07:40 - Converting the script to accept a PHP Object via WebRequest
09:20 - Explaining PHP Deserialization Gadgets
10:05 - Creating Attack.php in order to quickly generate PHP Objects
11:30 - Creating exploit.sh which will just send our malicious object to the webserver
12:45 - Going over PHP Magic Methods
13:15 - Adding a class with a __toString() method that we can reach through a gadget in order to read files
15:00 - Adding the new class to our attack script and reading /etc/passwd
17:40 - Demonstrating "Class Path" by creating an __destruct() method in another PHP file and including it
19:00 - Adding the LogFile to our class path and using it to drop a file
20:00 - Didn't work! Our script errored, and PHP never destroyed our object, so the code didn't run
21:00 - Moving the LogFile gadget to our isAdmin check, which works
21:35 - Demonstrating a way to do Fast Destruct, to immediately destroy the object... I hope I'm right; this may be wrong, so read the PHPGGC source to see how it works
25:14 - Showing that if a function is called from another function's magic method, we can craft a gadget to reach it
25:41 - Adding the pwned function to the attack script. This is before any magic method calls pwned, just to demonstrate that you can't call an arbitrary function.
27:20 - Making ReadFile() call pwn when destroyed
Video: Intro to PHP Deserialization / Object Injection, uploaded to the IppSec channel on 21 December 2019.