PHP Object Injection Revival

Presented at ekoparty 14 (2018), Sept. 27, 2018, 2:40 p.m. (50 minutes)

If you do some research about PHP Object Injection, you'll find a great number of articles describing ideal exploitation conditions, but the truth is a bit different. A scarcity of gadgets in the most popular projects makes many serialization vulnerabilities unexploitable. However, the lack of gadgets is not the main problem; the problem is that they have to be found. The mission is to link the dots so as to make the vulnerability exploitable once again, to adapt to the new conditions and to obtain the greatest reward: RCE. This talk begins with a brief introduction that details the mechanics of the vulnerability, then discusses the current exploitation problems. As a solution, an open source framework called poiwer is presented. It provides the following features:

  • Automatic exploitation by linking gadgets (blind mode).
  • Advice about well-known gadgets in third-party software.
  • Detection and downloading of plugins on websites using WordPress.
  • Magic method extraction for analysis and custom gadget elaboration.

Presenters:

  • Claudio Salazar
    Claudio Salazar is Co-founder and CEO of alertot (StartupChile Seed G18), a security startup that offers an early vulnerability notification service. Previously, he worked for five years as a software engineer at Scrapinghub. Experienced in security since 2003, he founded SPECT Research, where he conducts research and consultancy. He has participated as a speaker at 9punto5, OWASP Latam Tour, 8dot8, StarsConf and local meetups.
