GitBook: [#3349] No subject

This commit is contained in:
CPol 2022-08-04 10:55:21 +00:00 committed by gitbook-bot
parent a8b371da13
commit b5f741ec8d
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
6 changed files with 23 additions and 2 deletions

@ -121,7 +121,28 @@ In PHP ≤ 5.3.22 and ≤ 5.4.12, the constructor of SoapClient was **vulnerable
Checking the **dependencies** of the **project** you are trying to exploit you could find **new classes** that could be **abused to execute commands** creating a new object. In this case, **Imagick** was found to be useful for that purpose.
### VID parser
The VID parser allows to write arbitrary content in an arbitrary path inside the filesystem, which would allow an attacker to write a PHPshell in an accessible folder from the web page and get RCE.
![](<../../../.gitbook/assets/image (157).png>)
#### VID Parser + FIle Upload
When a file is uploaded to PHP it's temporary stored in `/tmp/phpXXXXXX` . The VID parser of Imagick with the **msl** protocol allows to **specify wildcards in the file paths** (so the temporary uploaded file can be easily accessed) and **copy it to any arbitrary location**.\
This is another way to get arbitrary file writing inside the filesystem:
![](<../../../.gitbook/assets/image (159).png>)
### PHP Crash + Brute Force
The [**original writeup**](https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/) explained another way to get RCE by **uploading files with specific content** and making the **server crash before it deletes** that file and then **bruteforcing the name** of the temporary file until **Imagick executes arbitrary PHP code**.
However, apparently the **crash trick** discovered only **worked in an old version of ImageMagick**.
## References
* [https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/](https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/)
<details>
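Review bot: The actual exploitation details of this new section live only in the two screenshots at `![](<../../../.gitbook/assets/image (157).png>)` and `![](<../../../.gitbook/assets/image (159).png>)`, both with empty alt text, so the payload shapes for the VID parser and the msl wildcard copy are neither searchable nor readable by screen readers; transcribe the relevant content into text or fenced code, or at least give each image a descriptive alt. While at it, fix the heading typo `#### VID Parser + FIle Upload` (`File`), `PHPshell` (`PHP shell`), `temporary stored` (`temporarily stored`) and `allows to write` / `allows to specify` (`allows writing` / `allows specifying`). The statement that the crash trick "apparently ... only worked in an old version of ImageMagick" is too vague to act on: cite the version or the passage of the referenced writeup that says so. Finally, the hunk ends on an opening `<details>` with no matching close visible in it; confirm the closing tag is present in the unchanged context so the rendered page does not swallow the rest of the content.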

@ -143,7 +143,7 @@ GitLab uses GCP buckets to store static content. **GCP Buckets** support the **h
Ruby on Rails applications are often deployed alongside the Rack middleware. The Rack code below takes the value of the **`x-forwarded-scheme` value and uses it as the scheme of the request**.
![](<../.gitbook/assets/image (159).png>)
![](<../.gitbook/assets/image (159) (2).png>)
Sending the `x-forwarded-scheme: http` header would result into a 301 redirect to the same location which will cause a DoS over that resource as in this example:
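Review bot: The only change in this hunk is the image reference moving from `image (159).png` to `image (159) (2).png`, which means the asset that previously carried this page's Rack screenshot was reassigned to the new Imagick section (hunk above uses `image (159).png`) and the original was renamed with a `(2)` suffix. This is GitBook's auto-numbering colliding across unrelated pages; please verify that `image (159) (2).png` really is the original Rack screenshot and that no other page still points at the old name, otherwise the cache-poisoning page now displays an Imagick image. Unrelated to the rename but visible here: `result into a 301 redirect` should read `result in a 301 redirect`.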
@ -151,7 +151,7 @@ Sending the `x-forwarded-scheme: http` header would result into a 301 redirect t
The application might also support the header `X-forwarded-host` and redirect the user to that host, making possible to load javascripts files from the attacker server:
![](<../.gitbook/assets/image (157).png>)
![](<../.gitbook/assets/image (157) (2).png>)
### 403 and Storage Buckets
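Review bot: Same rename pattern as the previous hunk, `image (157).png` to `image (157) (2).png`, with `image (157).png` now being the VID parser screenshot in the other file; apply the same check that the `(2)` copy is the original `X-forwarded-host` screenshot. Two style nits in the surrounding line: the header is written `X-forwarded-host` while the previous paragraph uses the all-lowercase `x-forwarded-scheme` (pick one casing), and `making possible to load javascripts files` should be `making it possible to load JavaScript files`.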