PHP Deserialization Exploit attempt
I came across the following deserialization exploit attempt not in a honeypot but in the log for this (isc.sans.edu) webserver:
/!php/object+"O:24:\\"GuzzleHttp\\\\Psr7\\\\FnStream\\":2:{s:33:\\"\\0GuzzleHttp\\\\Psr7\\\\FnStream\\0methods\\";a:1:{s:5:\\"close\\";s:7:\\"phpinfo\\";}s:9:\\"_fn_close\\";s:7:\\"phpinfo\\";}"/recentdomains/,
People usually think about deserialization vulnerabilities in Java (and maybe .Net). But code written in any object-oriented language may be susceptible to deserialization vulnerabilities.
In some ways, the PHP example is even more "transparent" than some of the past Java examples I have seen. Deserialization vulnerabilities are a bit weird in that they just take advantage of a feature in how objects are instantiated. Software may exchange arbitrary objects serialized as a string. As the object is deserialized, its constructor is called, which may execute arbitrary code delivered with the object. Think about it as calling "eval" on the string received. [owasp]
This can be "ok", if only a limited set of objects are deserialized or if the object is received from a trusted source and properly digitally signed to avoid tampering with the object in transit. But the process quickly goes wrong if arbitrary objects are deserialized from arbitrary sources.
In this case, the attacker can find a "Gadget," which is an object that allows code execution, and feed it to the software using the "correct" parameters. In the case above, the gadget is "GuzzleHttp." There is nothing "wrong" with GuzzleHttp. GuzzleHttp is a PHP library used to create HTTP requests. Similar to the standard library "curl," it abstracts some lower-level features. GuzzleHttp is often installed as part of other packages (e.g. Laravel) if you use extensions that connect to HTTP APIs. So this is not a vulnerability in GuzzleHttp, but the attacker is looking for code that accepts GuzzleHttp objects and instantiates them (I do not think this is ever a good idea). [guzzle]
I am not sure what vulnerable software the exploit above looks for. But it attempts to execute phpinfo, so this exploit will only flag vulnerable pages for the attacker to come back and exploit later. Let me know if you can identify it (email jullrich\@/sans.edu).
GuzzleHttp is a well-known gadget; you can find it listed in a GitHub repository of well-known gadget chains for various vulnerabilities. [gadgets]
[owasp] https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html
[guzzle] https://docs.guzzlephp.org/en/stable/
[gadgets] https://github.com/ambionics/phpggc
---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu