API to Shell
This exercise covers the exploitation of PHP type confusion to bypass a signature and the exploitation of unserialize.
This course details the process of exploiting two specific vulnerabilities in a PHP application: a weakness in a signature check due to type confusion and a PHP unserialize call. Initially, you'll learn how to manipulate the signature mechanism to gain unauthorized access to files. This will involve understanding PHP's loose and strict comparison behaviors and how they can be exploited. Once you retrieve the source code of the application, you will identify a call to unserialize and learn how to exploit it by crafting a malicious serialized object.
In the second part of the course, you will discover how to use the unserialize vulnerability to achieve code execution. This involves understanding how PHP handles serialized objects and identifying trampoline functions like __wakeup(), __destruct(), and __toString() that can be used for exploitation. By crafting a serialized object with a malicious payload, you will be able to create a PHP file on the server and execute arbitrary code, demonstrating the full exploitation chain from initial vulnerability discovery to final payload execution.
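The loose versus strict comparison behavior behind the signature weakness can be seen from the defender's side in the added example below, which is not code from the exercise or its target application. It assumes an HMAC-SHA256 signature and a JSON-decoded request; the key, field names and function names are hypothetical.

```php
<?php
declare(strict_types=1);

// Constructed key for this demo only; a real key comes from secret storage.
const DEMO_KEY = 'constructed-demo-key';

// Hypothetical signing helper: HMAC-SHA256 over the requested resource name.
function sign(string $data): string
{
    return hash_hmac('sha256', $data, DEMO_KEY);
}

// Weak form: == lets PHP convert both operands before comparing, so the
// result depends on the *type* the client supplied, not only on its value.
function verify_loose(string $data, mixed $sig): bool
{
    return $sig == sign($data);
}

// Hardened form: reject anything that is not a string, then compare with
// hash_equals(), which is type-strict and runs in constant time.
function verify_strict(string $data, mixed $sig): bool
{
    return is_string($sig) && hash_equals(sign($data), $sig);
}

// Constructed request bodies. json_decode() preserves JSON types, so the
// "sig" field can reach the check as a boolean instead of a string.
$requests = [
    'boolean signature' => '{"data":"report.txt","sig":true}',
    'wrong string'      => '{"data":"report.txt","sig":"deadbeef"}',
    'valid signature'   => json_encode(['data' => 'report.txt', 'sig' => sign('report.txt')]),
];

foreach ($requests as $label => $body) {
    $req = json_decode($body, true);
    printf(
        "%-18s loose=%s strict=%s\n",
        $label,
        var_export(verify_loose($req['data'], $req['sig']), true),
        var_export(verify_strict($req['data'], $req['sig']), true)
    );
}
```

When reviewing code, any `==` or `!=` applied to a signature, token or hash from decoded input is worth flagging for replacement with a type check plus `hash_equals()`.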