Stars: 239
Forks: 22
Pull Requests: 0
Issues: 0
Watchers: 9
Last Updated: 2020-07-05 01:06:27
Research about the Zend Engine
License:
Languages: PHP
Welcome to the PHP Internals Hub - If you ever wondered about how PHP works internally and how you can exploit it: this is where you should start.
In this repo, I show basic and advanced exploitation in PHP (some of the bugs reported by me). In every "chapter", you'll learn a little bit more about PHP Internals from an infosec perspective.
IMPORTANT: This repository does not cover explanations about memory corruption bugs. You have to be somewhat familiar with bugs like Format String attacks and Basic Heap Exploitation.
The good news are: you also don't have to be an expert. This repo is intended for hackers who solve a lot of crackme challenges but want to step-up their game to a "real-world" binary pwn.
I listed out all the interesting bugs in this repo: from the easiest level all the way to a certified wizard
Level | CVE / Bug | Bug / Description |
---|---|---|
👶 Easy | Bug #79383 |
ZipArchive::extractTo() extracts files with 777 permissions by default |
👶 Easy | CVE-2020-7066 |
Nullbyte poisoning in get_headers() |
🧐 Medium | CVE-2020-7067 |
Out of Bounds Read in urldecode() |
🧗 Intermed. | /MapServer-CVEs/CVE-2020-10872 |
Classic Stack-Based Buffer Overflow (Not in PHP, but in a PHP extension) |
🧗 Intermed. | /MapServer-CVEs/CVE-2020-10873 |
Format String Vulnerabillity (Not in PHP, but in a PHP extension) |
💻 Hacker | CVE-2018-12882 |
Introduction to UAF & basic structures in PHP |
⚔️ Ninja | CVE-2016-3132 |
Double-Free vulnerability: In this chapter, you will learn more about the Zend Allocator and how to practically takeover the RIP register |
✨ Wizard | Bug #76047 |
In the final chapter, we will see a 0day exploit that was released around Feb 2020 and take a deep-dive into the techniques that the exploit author used in order to trigger a call to system() |
Disclaimer: This repository is for educational purposes only. Opinions or points of view expressed in this repository represent the view of the writer, and does not necessarily represent the official position or policies of the PHP project maintainers. Nothing in this repository constitutes legal advice. All the bugs presented in this repository were fixed.
Learning PHP Internals has a lot more than just remote exploits:
unserialize()
, mail()
, get_headers()
and more. And in order to really understand them - you'll have to dig into PHP Internals.disable_functions
and open_basedir
.ready to pwn?
I didn't include the infamous unserialize()
here because a lot of people did it before me & there's bunch of literature about it. The focus here is more about the runtime of PHP & the Zend Engine. Moreover, if you want to understand unserialize()
you'll have to go through the "beginner's phase" and this is exactly what this repo is about: by learning the bugs above you'll find yourself learning about how variables and objects are stored internally and how the memory in PHP is managed (which is super important if you're trying to pwn unserialize()
).
Great research material about unserialize:
You can find me at @0x_shaq