Advanced PHP Deserialization - Phar Files
Previous Video: Intro to PHP Deserialization - https://youtu.be/HaW15aMzBUM
00:27 - A little bit of history about PHP Serialization
02:13 - Why is uploading Phar Files different than normal file upload vulns?
02:42 - What are Phar Files?
03:38 - Prevention by disabling the phar stream wrapper
04:00 - Going over the PHP Upload script created for this video
06:15 - Reviewing a PHP Script to generate malicious PHAR Files
07:20 - Setting our PHP Config to allow PHAR to operate in Read/Write mode
08:00 - Showing we can control the beginning bytes of the PHAR File to trick magic byte checks
08:40 - Copying the logging class from the intro to deserialization video into our upload script
09:35 - Adding the PHP Object/POP Chain to our PHAR Generation Script
11:30 - Starting a PHP Webserver so we can upload our image
12:20 - Explaining why the existing image upload script isn't vulnerable
13:00 - Creating a separate script which performs the file operation unlink() against user input
14:45 - Trying to trigger this vulnerability via Curl (doesn't work yet, forgot to include our PHP Class)
16:00 - Adding the PHP Object to our script
17:17 - Beginning to add a phar file to a legitimate image
19:00 - Modifying our PHAR File to also be a valid image
20:12 - Triggering the PHAR Unserialize with our image, but this time with a different file operation (md5_file)
21:50 - Mentioning PHPGGC which is handy to utilize with this exploit
22:13 - Showing how to unregister PHP Stream wrappers to prevent this attack