PHP Object Injection Revival

PHP Object Injection
REVIVAL
Claudio Salazar

View Slide

Whois
● CEO and co-founder @alertot
● Founder @spect.cl
● Open-source contributor

View Slide

Agenda
● Quick intro to serialization
● Current problem
● Gadgets' shape
● poiwer, the tool

View Slide

Disclaimer
I’m not expert in PHP!
Quick intro

View Slide

What is serialization?
● Serialization was thought to transport objects.
● It creates a string representation of any data type.
● Deserialization is the inverse process.
Quick intro

View Slide

Equation
$variable <-> unserialize(serialize($variable));
(most cases)
Quick intro

View Slide

Problem
The problem happens when a program unserializes
untrusted data.
In a normal flow, the program expects to create X but
eventually creates Z.
Quick intro

View Slide

Exploitation
It’s called PHP Object Injection (POI).
The exploitation is carried out through
Property-oriented Programming (PoP).
Quick intro

View Slide

Property-oriented Programming
● It reuses classes available in the project.
● Classes with interesting methods are the gadgets.
● Interesting methods are driven by controlled data.
● The goal is to chain objects to achieve something.
Quick intro

View Slide

Magic methods
Methods with magic powers, according to PHP
documentation.
The two more famous in POI are:
1. __destruct()
2. __wakeup()

View Slide

Example 1/5
class Writer {
public $data;
function save($filename) {
file_put_contents($filename, $this->data);
}
}
class Document {
public $filename;
public $handler;
function __destruct() { $this->handler->save($this->filename); }
}
Quick intro
Both classes are part of the app

View Slide

Example 2/5
$w = new Writer;
$w->data = 'hello';
$m = new Document;
$m->filename = '/tmp/file';
$m->handler = $w;
Quick intro

View Slide

Example 3/5
class Writer {
public $data = ‘hello’;
function save($filename) {
file_put_contents($filename, $this->data);
}
}
class Document {
public $filename = ‘/tmp/file’;
public $handler = new Writer;
function __destruct() { $this->handler->save($this->filename); }
}
Quick intro

View Slide

Example 4/5
$serializedData = serialize($m);
O:8:"Document":2:{
s:8:"filename";s:9:"/tmp/file";
s:7:"handler";O:6:"Writer":1:{
s:4:"data";s:5:"hello";
}
}
Quick intro

View Slide

Example 5/5
unserialize($serializedData);
$ cat /tmp/file
hello
Quick intro

View Slide

Clarifications
● We work only with available classes (no code
creation).
● We can set any kind of property in class.
● Distinction between data and functions.
Quick intro

View Slide

Exploitation methods
* (https://blog.secarma.co.uk/labs/near-phar-dangerous-unserialization-wherever-you-are)
Quick intro
unserialize function
phar files *

View Slide

Exploitation methods
* (https://blog.secarma.co.uk/labs/near-phar-dangerous-unserialization-wherever-you-are)
**(https://www.evonide.com/how-we-broke-php-hacked-pornhub-and-earned-20000-dollar/)
Quick intro
- Serialized string
- Exploit unserialize()
function **
unserialize function
phar files *

View Slide

Current problem

View Slide

Motivation
$request = unserialize($myData);
$request = other_function($request['green']);
Problem

View Slide

General solution
Autoloading
Problem

View Slide

Solution to motivation
Find what Wordpress plugins must be present to turn
the deserialization exploitable.
Problem

View Slide

Gadget’s shape

View Slide

Example explanation
1. class ExpectedClass { carrot }
2. $instance = new ExpectedClass;
3. $my_data = serialize($instance);
4. $obj = unserialize($my_data);
5. some operation on carrot!
Gadget’s shape

View Slide

Magic methods 102
Magic methods are more than
__destruct() and __wakeup(), let’s go to
find other gems!
Magic methods

View Slide

Definition
__get() is utilized for reading data from
inaccessible properties.
Magic methods - __get()

View Slide

Use case
$obj = unserialize($my_data);
$attrib = $obj->carrot;

View Slide

Expected class
class ExpectedClass {
public $carrot = 123;
}

View Slide

Unexpected class
class UnexpectedClass {
// no $carrot public attribute
function __get($key = ‘carrot’) {
[...]
}
}

View Slide

Real-world example (1/2)
class ValidGenerator {
public function __get($attribute) {
return $this->__call($attribute, array());
}
}
* fzaninotto/faker/src/Faker/ValidGenerator.php

View Slide

Real-world example (2/2)
public function __call($name, $arguments){
do {
$res = call_user_func_array(
array($this->generator, $name), $arguments
);
[...]
} while (!call_user_func($this->validator, $res));
}
* fzaninotto/faker/src/Faker/ValidGenerator.php

View Slide

__set method
__set() is run when writing data to
inaccessible properties.
Magic methods

View Slide

Use case
$obj->carrot = 123;
Magic methods - __set()

View Slide

Expected class
public $carrot;
}

View Slide

Unexpected class
// no $carrot public attribute
function __set( key = ‘carrot’, $value = ‘123’) {
[...]
}
}

View Slide

Real-world example
class CI_Session {
public function __set($key, $value) {
$_SESSION[$key] = $value;
}
}
* CodeIgniter-3.1.9/system/libraries/Session/Session.php

View Slide

Similar magic methods
__isset($key) -> isset() or empty()
__unset($key) -> unset()
Magic methods

View Slide

__call method
__call() is triggered when invoking inaccessible
methods in an object context.
Almost the same for __callStatic().
Magic methods

View Slide

Use case
$obj->carrot();
Magic methods - __call()

View Slide

Expected class
public function carrot() {
return ‘hello’;
}
}

View Slide

Unexpected class
public function carrot() {
return ‘bye’;
}
}

View Slide

Unexpected class
// no carrot method
public function __call($key = ‘carrot’, $args) {
[...]
}
}

View Slide

Real-world example
class TraceableEventDispatcher {
public function __call($method, $arguments) {
return \call_user_func_array(
array($this->dispatcher, $method), $arguments
);
}
}
* symfony/event-dispatcher/Debug/TraceableEventDispatcher.php

View Slide

Definition
__toString() method allows a class to
decide how it will react when it is treated
like a string.
Magic methods - __toString()

View Slide

Use case
echo $obj;

View Slide

Expected value
$carrot = ‘hello’;

View Slide

Unexpected class
public function __toString() { return ‘bye’; }
}

View Slide

Sets
Sets are related gadgets given by the
use of an interface or class.

View Slide

Sets
The array set

View Slide

Scenario
The program thinks it’s working on a
normal array.
The array set

View Slide

Foundations
The ArrayAccess interface
Interface to provide accessing objects as arrays.
Also found in: ArrayObject class.
The array set

View Slide

Cases
$theArray = unserialize($my_data);
$v = $theArray[$key]; offsetGet($key)
$theArray[$key] = 1; offsetSet($key, value)
empty($theArray[$key]); offsetExists($key)
unset($theArray[$key]); offsetUnset($key)
The array set

View Slide

Caution
It’s not a real array.
The array set

View Slide

Sets
The iterator set

View Slide

Scenario
The program thinks it’s working on a
normal array.
The iterator set

View Slide

Case
$theArray = unserialize($my_data);
foreach($theArray as $element) {...}
The iterator set

View Slide

Foundations
The Traversable interface
Interface to detect if a class is traversable using foreach.
Also found in: Iterator, IteratorAggregate
interfaces and ArrayObject class.
The iterator set

View Slide

Gadget #1
class Example implements Iterator {
function current () {...}
function key () {...}
function next () {...}
function rewind () {...}
function valid () {...}
}
The iterator set

View Slide

Gadget #2
class Example implements IteratorAggregate {
function getIterator () {...}
}
The iterator set

View Slide

Real-world example: Symfony Console
class TableRows implements \IteratorAggregate {
public function getIterator() {
$g = $this->generator;
return $g();
}
}
* symfony/console/Helper/TableRows.php
The iterator set

View Slide

Sets
The json set

View Slide

Scenario
The program encodes a variable as a
JSON string.
The json set

View Slide

Case
$jsonString = json_encode($obj);
The json set

View Slide

Foundations
The JsonSerializable interface
Can customize their JSON representation when encoded with
json_encode().
The json set

View Slide

Gadget
class Example implements JsonSerializable {
function jsonSerialize () {...}
}
The json set

View Slide

Real-world example: CakePHP Mailer
class Email implements JsonSerializable, Serializable {
public function jsonSerialize() {
array_walk($array['_attachments'], function (&$item, $key) {
if (!empty($item['file'])) {
$item['data'] = $this->_readFile($item['file']);
unset($item['file']);
}
});
}
}
* cakephp/cakephp/src/Mailer/Email.php
The json set

View Slide

Additional sets
● Serializable interface & unserialize()
● new statement & __construct()
● Countable interface & count()

View Slide

Additional ideas
● Combine seen gadgets as you want
● Gadgets chaining in an array

View Slide

The tool
POIwer

View Slide

Architecture
poiwer

View Slide

Gadget hints
poiwer

View Slide

Exploitation
poiwer

View Slide

Download software to analysis
poiwer

View Slide

Editor
● Focused on gadget chains building
● Uses the same PHP parser as actual editors
● Creates phpggc-ish gadgets
poiwer

View Slide

Video time
poiwer

View Slide

Generated code 1/2
namespace GuzzleHttp\Cookie;
class SetCookie {
private $data = ['Expires' => 1, 'Discard' => 0,
'Data' => "injection"];
public function __construct($data) {
$this->data = $data;
}
}
poiwer

View Slide

Generated code 2/2
class CookieJar {
private $cookies = [new SetCookie];
public function __construct() { }
}
class FileCookieJar extends CookieJar {
private $filename = "injection";
public function __construct($filename) {
$this->filename = $filename;
}
}
poiwer

View Slide

github.com/alertot/poiwer

View Slide

PHP Object Injection Revival

PHP Object Injection Revival

alertot

More Decks by alertot

Other Decks in Technology

Featured

Transcript