Secrets about Gadget chains
Mar 10, 2024
Yo Yo Homies, I'm back with another post.
Do you remember our last post, where we talked about insecure deserialization and PHP object injection (yeah, I know, POI is just one kind of insecure deserialization)? Let's continue from there.
What is serialization?
Simply put, serialization is the process of converting an object into a byte or text representation that can later be restored (deserialized) back into the original object.
So what's the problem here? Let me explain.
What is insecure deserialization?
When a website or application restores a serialized object into its original form, that can be dangerous. But how? When a serialized object is restored, the object is rebuilt from the data we supply, property by property. So if an attacker can control that serialized data (a cookie, a hidden form field, a cached blob) and the application deserializes it without checking where it came from or which classes it is allowed to rebuild, that's insecure deserialization.
What is a Gadget chain?
A gadget chain is a sequence of existing function calls or code snippets in the application (the "gadgets") that an attacker strings together through crafted serialized data. The attacker doesn't upload any code: unserialize() rebuilds objects of classes the app already has, with properties the attacker chose, and magic methods like __wakeup() or __destruct() then run the app's own code on that attacker data. Hmm, if you don't get it yet, try this example.
Imagine this is cookie data that contains user data, serialized with PHP's serialize():
O:6:"Person":2:{s:4:"name";s:5:"Alice";s:3:"age";i:25;}
But how can we exploit this? Say we edit the object to access another user's account, like this:
O:6:"Person":2:{s:4:"name";s:5:"administrator";s:3:"age";i:25;}
the application chokes on it: unserialize() fails, returns false and emits a notice ("unserialize(): Error at offset ...").
But why? To understand that, we need to understand the serialized data format. Let's take the original cookie apart:
O:6:"Person" is an object (O) whose class name is 6 bytes long: Person.
:2:{ ... } says the object has 2 properties, listed inside the braces.
s:4:"name"; is a string (s) of 4 bytes, the property name, followed by its value s:5:"Alice";, a string of 5 bytes.
s:3:"age";i:25; is the second property: a 3-byte name with an integer (i) value of 25.
Every s: entry carries its own byte length, and unserialize() trusts that number to know where the closing quote has to be.
Now we can see the problem:
O:6:"Person":2:{s:4:"name";s:5:"administrator";s:3:"age";i:25;}
The length of the name value is wrong: "administrator" is 13 characters, not 5, so unserialize() reads 5 bytes ("admin"), expects a closing quote, finds an "i" instead, and gives up with an error. If we correct the length like this:
O:6:"Person":2:{s:4:"name";s:13:"administrator";s:3:"age";i:25;}
it won't return any error. So do we have to count characters by hand every time? That would make this painful to exploit. Nah, we don't: that's why tools like phpggc exist. phpggc ships ready-made gadget chain payloads for known PHP libraries, so you never hand-edit a length; and for your own objects, letting PHP's serialize() do the counting works just as well, which is what the next section does.
So now that I've explained what a gadget chain is, we're gonna make our own.
Creating our own Gadget Chain
We know the class is called Person and it has two properties, name and age, so I'm gonna write some PHP that rebuilds that object and lets serialize() produce the string with the right lengths:
<?php
// The class from the cookie: same class name and same property names.
class Person
{
    public $name;
    public $age;

    // Takes two arguments, $name and $age, and assigns them to the properties.
    public function __construct($name, $age)
    {
        $this->name = $name;
        $this->age  = $age;
    }
}

// Make the object with the values we want in the cookie.
// age is an integer in the original cookie (i:25), so pass an int, not the string "16".
$person = new Person("administrator", 16);

// serialize() writes the correct byte lengths for us; this is the cookie value.
echo serialize($person);
// O:6:"Person":2:{s:4:"name";s:13:"administrator";s:3:"age";i:16;}
?>
I think you got it. I simply rebuilt the object and let serialize() do the counting; what it prints is the serialized data with correct lengths, ready to drop into the cookie. What if the object is big, or the chain runs through a whole framework? Then use tools that ship ready-made gadget chains, such as ysoserial (Java) and phpggc (PHP).
Okay, I'm gonna go, because it's 03:00 now.
echo "GGS! I'm off";
GGS! I'm off