FirstBlood-#728 Remote Command Execution via deserialization by uploading phar file
This issue was discovered on FirstBlood v2

On 2021-10-27, neolex Level 2 reported:


It is possible for an attacker to get remote code execution by uploading a phar file via the endpoint, and then trigger the deserialization and get RCE using a phar:// URI on

Steps to reproduce


Remote code execution. An attacker can completely take over the server and run a bash shell inside.


Endpoint: /api/checkproof.php

Parameter: proof

Payload: phar:///app/firstblood/upload/89a7a1262c04e7f6800f064ee9fc6108bf5971cf.jpg

FirstBlood ID: 34
Vulnerability Type: Deserialization

This endpoint calls filesize() on the path provided in the 'proof' parameter with no filtering or sanitisation. By prefixing the path with the phar:// stream wrapper, an attacker can force PHP to parse a previously uploaded file as a phar archive and unserialise its metadata, even though the file was uploaded with a .jpg extension. Coupled with the fact that a gadget-chain vulnerable version of Monolog is in use, this allows for RCE.
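The vulnerable pattern described above next to a hardened version, as an added example that is not FirstBlood's own code. The upload directory is taken from the payload path in the report; the filename format (40 hex characters plus an image extension), the function names and the JSON response shape are assumptions for illustration.

```php
<?php
// Added example, not code from the FirstBlood application. Names and the
// filename format are assumptions; only the upload directory comes from the
// report's payload path.

declare(strict_types=1);

const UPLOAD_DIR = '/app/firstblood/upload'; // from the report's payload

// Vulnerable shape: whatever the client sends reaches filesize() unchanged.
// With a phar:// path PHP opens the file as a phar archive and calls
// unserialize() on its metadata before returning a size, which is what fires
// the Monolog gadget chain.
function checkproof_vulnerable(string $proof): bool
{
    return filesize($proof) > 0;
}

// Hardened version of the same check.
function checkproof_hardened(string $proof): bool
{
    // 1. Accept a bare filename only, never a path or a scheme. This rejects
    //    "phar://", "../" and anything containing a slash. The 40-hex-char
    //    pattern is assumed from the filename in the report.
    if (!preg_match('/\A[a-f0-9]{40}\.(jpg|jpeg|png)\z/', $proof)) {
        return false;
    }

    // 2. Resolve the path and confirm it really lives in the upload directory.
    $real = realpath(UPLOAD_DIR . '/' . $proof);
    if ($real === false || !str_starts_with($real, UPLOAD_DIR . '/')) {
        return false;
    }

    // 3. Regular files only, and filesize() on the resolved plain path.
    if (!is_file($real)) {
        return false;
    }
    return filesize($real) > 0;
}

// Upload-side check: a phar stub must contain __HALT_COMPILER();, so an
// "image" whose bytes contain that token should be rejected at upload time.
function looks_like_phar(string $bytes): bool
{
    return stripos($bytes, '__HALT_COMPILER') !== false;
}

// Defence in depth: unregister the phar wrapper for the whole request so that
// even a path that slips past validation cannot trigger metadata
// unserialize(). Run this at bootstrap, before any user input is touched.
if (in_array('phar', stream_get_wrappers(), true)) {
    stream_wrapper_unregister('phar');
}

// Request handling with the parameter name from the report.
$proof = $_GET['proof'] ?? '';
header('Content-Type: application/json');
echo json_encode(['valid' => checkproof_hardened($proof)]);
```

The filename allow-list does most of the work: a phar:// path, a path traversal and an absolute path all fail the regex before any filesystem call is made. The realpath check and the wrapper unregistration are there so that a later change to the allow-list (for instance accepting subdirectories) does not silently reopen the deserialisation path.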