FirstBlood-#736 — [COLLAB] Phar deserialization to RCE via upload vaccination proof
This issue was discovered on FirstBlood v2
On 2021-10-27, amec0e Level 3 reported:
Hi mate,
After a bit of help on the issue and looking at a previously disclosed HackerOne report, I was finally able to get the phar deserialization to remote code execution via the endpoint /vaccination-manager/pub/upload-vaccination-proof.php. Using phpggc we can create a serialized JPG payload to embed into a legitimate JPG image and upload this. Then, using the proof= parameter on the endpoint /api/checkproof.php?, which is checking that a file exists, we can use phar:// to deserialize our payload and execute our code.
(This is my current understanding of this, which may not be entirely correct)
Impact:
Insecure Deserialization to Remote Code Execution. Remote code execution allows an attacker to execute malicious code on the target server with the permissions of the current user (usually www-data).
Steps to Reproduce:
- Get phpggc from GitHub
- Get a regular jpg image (I used barker-logo.jpg)
- Generate the serialized payload using the following: ./phpggc -pj barker_logo.jpg -o /tmp/rce.jpg monolog/rce1 system id
We can also verify our payload embedded inside the image using the xxd and file commands.

Now to continue.
- Open Burpsuite and make sure "Intercept is off"
- Visit the endpoint /vaccination-manager/pub/upload-vaccination-proof.php, select your image rce.jpg, enter an email and click "Upload"

- In Burp Suite Proxy > HTTP history, right-click the recent GET request to the endpoint /api/checkproof.php?proof=/app/firstblood/upload/blob.jpg and click "Send to Repeater"
- Viewing the request in Repeater, prepend phar:// to the path /app/firstblood/upload/blob.jpg and click "Send".

You should now receive a response showing the current id of the user.
Best Regards,
Amec0e.
In Collaboration with thebinarybot
P1 CRITICAL
Parameter: 
Payload: 
FirstBlood ID: 34
Vulnerability Type: Deserialization
This endpoint calls filesize() on the path provided in the 'proof' param with no filtering or sanitisation. By adding the phar:// stream handler to the path, an attacker can force a previously uploaded file to be sent through deserialisation. Coupled with the fact that a gadget-chain vulnerable version of monolog is being used, this allows for RCE.
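To show what the fix looks like, here is the vulnerable pattern described above beside a hardened version. This is an added example, not FirstBlood's own code; the function names are made up and the upload directory is taken from the report.

```php
<?php
// Added example (not FirstBlood's code): vulnerable pattern vs. hardened check.
// UPLOAD_DIR is the path seen in the report; the function names are assumptions.

const UPLOAD_DIR = '/app/firstblood/upload';

// Vulnerable pattern: the user-controlled 'proof' value goes straight to filesize().
// filesize() honours PHP stream wrappers, so a phar:// prefix makes PHP parse the
// archive and unserialize() its metadata before the size is ever read.
function checkProofVulnerable(string $proof): bool
{
    return @filesize($proof) !== false;
}

// Hardened version: accept only a bare file name inside UPLOAD_DIR.
function checkProofSafe(string $proof): bool
{
    // 1. Reject stream-wrapper syntax (phar://, php://, ...) and null bytes
    //    before any filesystem function sees the value.
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $proof) || strpos($proof, "\0") !== false) {
        return false;
    }

    // 2. Reduce the input to a file name: directories and wrappers do not survive basename().
    $name = basename($proof);
    if ($name === '' || $name === '.' || $name === '..') {
        return false;
    }

    // 3. Resolve the path we built ourselves and confirm it is still inside UPLOAD_DIR.
    $base = realpath(UPLOAD_DIR);
    $full = realpath(UPLOAD_DIR . '/' . $name);
    if ($base === false || $full === false
        || strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;
    }

    // 4. Only now touch the file, and only through the path we constructed.
    return is_file($full) && filesize($full) !== false;
}

// Constructed inputs: the wrapped path is refused before any I/O happens,
// while a plain file name is checked only inside the upload directory.
var_dump(checkProofSafe('phar:///app/firstblood/upload/blob.jpg'));
var_dump(checkProofSafe('blob.jpg'));
```

Note that a polyglot image sitting in the upload directory is harmless on its own; the deserialization is triggered only when a path with the phar:// wrapper reaches a stream-aware function, which the hardened check prevents.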