Overview
Explore a comprehensive conference talk on PHP unserialization vulnerabilities, focusing on previously unidentified Remote Code Execution (RCE) exploits in widely-used open source PHP web applications and libraries. Delve into the intricacies of PHP (un)serialization, stream wrappers, and the Phar file format. Learn about basic attack methodologies, vulnerability identification techniques, and examine real-world case studies involving WordPress and TCPDF. Gain insights into defense strategies and key takeaways to enhance your understanding of these critical security issues in PHP development.
Syllabus
Intro
What is PHP (un)serialization?
Introduction
Stream Wrappers
Basic Attack Methodology
Difference from "unserialize()"
Phar File Format
Phar/Tar File Format
Quick Polyglot Demo
Phar Planting
Identifying Vulnerabilities
PHPGGC / PHARGGC Payloads
Case Studies
Case Study B - Wordpress - Payload
Case Study C-TCPDF (via Contao)
Defence
Take aways
Taught by
Black Hat