Advanced PHP Deserialization - Phar Files

  • Published on 23 Jan 2025

Comments • 29

  • @DividesByZer0 5 years ago +16

    I love when you do videos that go into specific subjects like this. 👍

  • @maxmusterspace6037 5 years ago +27

    Can I get an IppSec T-shirt with the quote: "I expected code execution...#sadface"?? xD That tone of voice was just perfect. ;D

  • @SomeGuyInSandy 5 years ago +4

    Thank you for including a way to eliminate this vulnerability!

  • @neoXXquick 5 years ago +4

    Amazing video. I would like it if you could continue this series.

  • @adhilazeez6039 4 years ago

    Great content 👍. All your videos are awesome. And really, thanks for your support 👍

  • @UmairAli 3 years ago

    You're My Inspiration ♥ :)

  • @khneo 5 years ago +1

    Thank you, your last videos are really cool! I hope you will do more like that!
    I just have a question: in black box testing, is there a way to know that there is a vulnerability, or do you just try it and see if it works?

    • @ippsec 5 years ago +2

      The HackTheBox videos sometimes show that -- You can normally identify it by the way applications error or don't error. But yes, sometimes you just have to try it.

    • @khneo 5 years ago

      @ippsec Phar deserialization is usually identified by errors then? Thanks

    • @ippsec 5 years ago +1

      @khneo Probably through the use of other stream wrappers on LFI, like the php filter to base64 encode, and the ability to upload files... With knowing those two things, that's enough for me to know to try this.

    • @khneo 5 years ago +1

      @ippsec Oh ok! Yes, it makes sense, thanks again for your amazing content :) Happy holidays/Christmas!

  • @0xc0ffee_ 4 years ago

    You can't do this if you don't know the name of the class that's already present on the server, right?

    • @CodeWithComments 4 years ago +3

      Yes, you need the source code to perform any de-serialization attacks.

  • @TheMrchement 4 years ago

    Can you teach me step by step for ethical hacking or pentesting?

  • @supercoolgames8218 5 years ago

    Thanks heaps for this, very interesting.
    I am just wondering, how are the methods "unlink", "md5sum" triggering the destruct magic method of the object you're creating? Is it a part of the phar:// read processing? When is the object unset?
    When is it possible to use phar://, only with methods that involve reading data?

    • @ippsec 5 years ago +1

      Any file operation. Think of the PHAR as a ZIP file. When it goes into the ZIP file it has to unpack it, and during the unpack is when the unserialize comes about. That's why I was surprised when I had code execution with unlink(phar://uploads/pharfile) -- thought I would have had to do like phar://uploads/pharfile/test.txt to tell unlink to go inside the phar.

    • @supercoolgames8218 5 years ago

      @ippsec Thanks for your answer!
      So in the process of unpacking the phar it unserialises the injected object, then later unsets it, triggering the destruct method?

    • @ippsec 5 years ago +1

      @supercoolgames8218 I believe you are correct -- The object is destructed when the script completes as part of cleanup. The unlink() has nothing to do with the destruct. There are ways to trigger a fast destruct to force the object to destruct in memory before continuing in the script. I cover that slightly in the introduction video.

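The replies above describe any file operation on a phar:// path unpacking the archive and unserializing what is inside it. The following is an added example, not code from the video or from any commenter, of closing that path on the application side; the helper name `safe_upload_path`, the demo directory and the sample inputs are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example: every name and path below is hypothetical.

// 1. If the application never loads phar archives, drop the wrapper so that
//    phar:// paths fail in every file function (unlink, file_exists, ...).
if (in_array('phar', stream_get_wrappers(), true)) {
    stream_wrapper_unregister('phar');
}

/**
 * 2. Resolve a user-supplied file name inside $baseDir, or return null.
 * Rejects anything carrying a stream-wrapper scheme (phar://, php://, ...)
 * and anything that resolves outside $baseDir.
 */
function safe_upload_path(string $baseDir, string $userPath): ?string
{
    // Wrapper names are case-insensitive, so PHAR:// must be caught too.
    if (preg_match('#^\s*[a-z0-9+.\-]+://#i', $userPath) === 1) {
        return null;
    }
    // realpath() refuses NUL bytes; treat them as invalid input up front.
    if (strpos($userPath, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $userPath);
    if ($base === false || $full === false) {
        return null; // directory or file does not exist
    }
    // Confine the result to the upload directory (blocks ../ traversal).
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($full, $prefix, strlen($prefix)) === 0 ? $full : null;
}

// Constructed demo: a temp directory standing in for the upload folder.
$uploads = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'uploads_demo';
@mkdir($uploads);
file_put_contents($uploads . DIRECTORY_SEPARATOR . 'avatar.png', 'x');

$samples = ['avatar.png', 'phar://uploads/pharfile',
            'PHAR://uploads/pharfile/test.txt', '../etc/passwd'];
foreach ($samples as $candidate) {
    $path = safe_upload_path($uploads, $candidate);
    echo str_pad($candidate, 36), $path === null ? 'rejected' : 'accepted', PHP_EOL;
}
// Only a non-null result should ever reach unlink() or another file function.
```
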
  • @Matthe9256 4 years ago

    What application do you use to edit a phar file?

  • @khalat173 5 years ago

    Hi. Would be great to have a little bit more volume on the audio. Otherwise, really great.

  • @nickomode8948 5 years ago +2

    When will you do smasher2? Are there going to be unintended routes in the video?

    • @vonniehudson 5 years ago

      @ippsec I was wondering the same thing

    • @ippsec 5 years ago +6

      I’ve said it on Twitter a bit and I think in the last video's comments - I am off work a few days after Christmas. I’ll probably do it then.

    • @nickomode8948 5 years ago

      @ippsec Okay, thanks for responding

    • @Swisha85 5 years ago +1

      @ippsec Bless you man. Hope you have a good Christmas.

  • @rawbytes7356 2 years ago

    It's been 2 yrs since this video, learned a lot from it. But it somehow doesn't work with PHP 8.1, it works well with PHP 7.4. I think they changed something in a new update so it doesn't work. I spent time trying to find why it was not working (I was working with PHP 8.1), then ran it with PHP 7.4 and voila, magic happened. Thanks for such quality learning material...