Exploiting phar stream wrapper
PHP supports several stream wrappers, one of which is phar://. Recently I completed a HackTheBox machine that combined the phar wrapper with an LFI (Local File Inclusion) vulnerability. Here I just want to replicate it in code and explain how it works.
What is the PHAR protocol method?
PHAR (PHP Archive) is a format for packaging a collection of PHP files into a single archive file. It is similar to ZIP or JAR files but is designed specifically for PHP applications. The interesting part for us is that the phar:// stream wrapper can also read files inside archives that are stored in a ZIP-like format.
Replicating the Vulnerability
Here is the vulnerable LFI code: it loads whatever file name is passed in the page GET parameter.
<?php
// index.php
// Vulnerable on purpose: the page parameter goes straight into include_once,
// so any local path or stream wrapper (e.g. phar://) the user supplies is included.
$page = isset($_GET['page']) ? $_GET['page'] : '';
if ($page == '') {
    include_once 'welcome.php';
} else {
    include_once $page;
}
?>
<!-- welcome.php -->
<h1>Welcome to our website</h1>
The full code can be found in the above GitHub repository. There is a folder called uploads, and inside it a file called exploit.zip that contains a PHP file; we will use it to check how we can read that PHP file out of exploit.zip.
To be fair, it's pretty straightforward if you look at index.php: it takes the file name from the page parameter, loads that file with include_once as soon as you supply a value, and shows it on the page.
Now we can use the phar:// protocol to include our zip file and read a file inside it. As I have already explained, PHAR can read files contained in a zip archive.
Now let’s call the exploit.zip from the uploads folder:
https://workspace.app.github.dev/?page=phar://uploads/exploit.zip/exploit.php
When you browse to that URL, PHP looks for the file, and once it is found the PHAR wrapper lets us access the archive contents as archive.zip/filename.ext or archive.phar/filename.ext.
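The fix for the index.php shown above, and the reason the phar:// trick works in the first place, are both visible in one hardened version of the script. The code below is an added example written for this post, not code from the original repository: it maps the page parameter onto a fixed allowlist so the user value is never used as a path, and it keeps a separate check that flags values shaped like a stream wrapper for logging. The page names in PAGES and the about.php file are assumptions.

```php
<?php
// Added hardening example (not from the original post or repository).
// The user-supplied `page` value is only ever used as an array key, so
// include_once never sees a path or a stream wrapper chosen by the client.

declare(strict_types=1);

// Allowlist: request value => file on disk. Anything not listed is refused.
// 'about' => 'about.php' is an assumed second page for illustration.
const PAGES = [
    ''        => 'welcome.php',
    'welcome' => 'welcome.php',
    'about'   => 'about.php',
];

/**
 * Resolve a user-supplied page name to a file name from the allowlist,
 * or null when the value is not one we know.
 */
function resolve_page(string $page): ?string
{
    return PAGES[$page] ?? null;
}

/**
 * Detection helper for logs or WAF rules: does the value start with a
 * scheme such as phar://, zip://, php:// or data://? The allowlist above
 * already blocks these; this only makes attempts visible. Note that
 * phar:// is a local wrapper, so allow_url_include=Off does not stop it,
 * which is why an allowlist rather than a php.ini setting is the fix.
 */
function looks_like_stream_wrapper(string $value): bool
{
    // scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) followed by "://"
    return (bool) preg_match('#^[a-z][a-z0-9+.\-]*://#i', ltrim($value));
}

// Request handling. On the CLI $_GET is empty and the welcome page is chosen.
$page = (isset($_GET['page']) && is_string($_GET['page'])) ? $_GET['page'] : '';

if (looks_like_stream_wrapper($page)) {
    // e.g. page=phar://uploads/exploit.zip/exploit.php from the walkthrough above
    error_log('rejected page parameter containing a stream wrapper: ' . $page);
}

$file = resolve_page($page);
if ($file === null) {
    http_response_code(404);
    exit('Unknown page');
}

// __DIR__ pins the include to the application directory; $file is from PAGES only.
include_once __DIR__ . '/' . $file;
```

With this version the request ?page=phar://uploads/exploit.zip/exploit.php is logged and answered with a 404, because "phar://uploads/exploit.zip/exploit.php" is not a key in PAGES; the uploads folder is never consulted by include_once at all. Using an allowlist is preferable to trying to strip "phar://" from the input, since the zip://, data://, php://filter and plain ../ traversal variants would each need their own rule.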
You can follow up on the references to read more about exploiting PHAR; I have only explained the basics of how it works and how simply it can be exploited through an LFI vulnerability.