8Nis
Phar file deserialization in PHP < 8.0
TLDR:

- I want to reproduce the RCE from phar file deserialization described in GitHub/advisory/97m3.
- I fabricate an `html` file that includes a malicious `svg` file in its `<img>` tag.
- Adding debug prints, I make sure I hit `file_exists` with my phar filename.

My question:

- How can I upload the actual phar file (whose name I control)?
- What I tried:
  - adding another `<img>` tag with the `src` being the phar file
  - sending the phar file as another attachment alongside the `html` file
  - adding another
All the details for my experiment are included in my public GitHub repo:

```
$ git clone https://github.com/OrenGitHub/dhscanner.examples.git
$ cd dhscanner.examples/cve_2023_50262/example_00
$ cat README.md
```

I follow the instructions in the README.md, shown below for completeness:
```
$ docker build --tag host.ghsa_97m3 --file Dockerfile .
$ docker run -p 8002:8000 -d -t --name ghsa_97m3 host.ghsa_97m3
$ Set-Variable -Name X -Value (curl.exe -c cookiejar -X GET http://127.0.0.1:8002/token)
$ echo $X
kCnrA9SNT7GtFW1jvUQAm3Om9NsmECs487Zd8hhD # <--- good !
$ curl.exe -b cookiejar --header "X-CSRF-TOKEN:$X" -X POST http://127.0.0.1:8002/test
999 666 MMM # <--- good !
$ curl.exe -b cookiejar --header "X-CSRF-TOKEN:$X" -F "source=@vuln.html" -X POST http://127.0.0.1:8002/ghsa_97m3
>>> calling file_exists(/frontend/vendor/dompdf/dompdf/lib/fonts/Times-Roman.afm)
>>> calling file_exists(./Times-Roman.afm)
>>> calling file_exists(phar://baz.phar/test.ufm) # <--- a call to file_exists with phar file - good !
>>> calling file_exists(phar://baz.phar/test.ufm) # <--- a call to file_exists with phar file - good !
Unable to stream pdf: headers already sent
```
So the only missing element is uploading the `baz.phar` file somehow... any help is very much appreciated!
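Added example, not from the question, the linked repo or dompdf: the `file_exists()` sink that the debug prints above reach, beside the path check a maintainer would place in front of it so that a `phar://` name never reaches the wrapper. The font directory `$fontDir` and the camel-case function names are assumptions.

```php
<?php
// Added example (not from the question, the linked repo or dompdf).
// The sink in the question is file_exists() on a path that an uploaded
// document can influence. In PHP < 8.0 every filesystem function that takes
// a stream path also accepts "phar://", and touching a phar archive's
// metadata runs unserialize() on it. Keeping "phar://" away from the sink
// removes the deserialization primitive no matter how an archive got there.

// Vulnerable shape: whatever string reaches here is handed to the wrapper.
function fontExistsVulnerable(string $path): bool
{
    return file_exists($path);
}

// Hardened shape: reject stream wrappers and confine the resolved path to
// the font directory. $fontDir is an assumed configuration value.
function fontExistsHardened(string $path, string $fontDir): bool
{
    // A font file name never legitimately carries a "scheme://" prefix
    // (phar://, data://, php://, ...), so refuse any of them up front.
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $path) === 1) {
        return false;
    }
    $real = realpath($path);    // false when the file does not exist
    $base = realpath($fontDir);
    if ($real === false || $base === false) {
        return false;
    }
    // The resolved file must sit under the resolved font directory.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    return is_file($real);
}

// Defence in depth for PHP < 8.0: when the application never opens phar
// archives itself, unregistering the wrapper makes "phar://" fail in every
// filesystem function, not only in this one.
if (in_array('phar', stream_get_wrappers(), true)) {
    stream_wrapper_unregister('phar');
}

// Constructed inputs mirroring the question's debug output.
$fontDir = __DIR__ . '/fonts';    // assumed font directory
var_dump(fontExistsHardened('phar://baz.phar/test.ufm', $fontDir));
var_dump(fontExistsHardened($fontDir . '/Times-Roman.afm', $fontDir));
```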