phar:// deserialization
Last updated
Last updated
Learn & practice AWS Hacking: Learn & practice GCP Hacking:
Phar files (PHP Archive) files contain meta data in serialized format, so, when parsed, this metadata is deserialized and you can try to abuse a deserialization vulnerability inside the PHP code.
The best thing about this characteristic is that this deserialization will occur even using PHP functions that do not eval PHP code like file_get_contents(), fopen(), file() or file_exists(), md5_file(), filemtime() or filesize().
So, imagine a situation where you can make a PHP web get the size of an arbitrary file an arbitrary file using the phar://
protocol, and inside the code you find a class similar to the following one:
You can create a phar file that when loaded will abuse this class to execute arbitrary commands with something like:
Note how the magic bytes of JPG (\xff\xd8\xff
) are added at the beginning of the phar file to bypass possible file uploads restrictions.
Compile the test.phar
file with:
And execute the whoami
command abusing the vulnerable code with:
Bug bounty tip: sign up for Intigriti, a premium bug bounty platform created by hackers, for hackers! Join us at today, and start earning bounties up to $100,000!
Bug bounty tip: sign up for Intigriti, a premium bug bounty platform created by hackers, for hackers! Join us at today, and start earning bounties up to $100,000!
Learn & practice AWS Hacking: Learn & practice GCP Hacking:
Check the !
Join the 💬 or the or follow us on Twitter 🐦 .
Share hacking tricks by submitting PRs to the and github repos.