5.1.10. Phar
5.1.10.1. Introduction
Phar (PHP Archive) is a packaging format that bundles PHP code files and other resources into a single file so that applications and libraries can be distributed as one unit.
The technique began to receive widespread attention after Sam Thomas, a security researcher at Secarma, presented it as a post-exploitation method at Black Hat 2018.
Phar can be abused because it stores user-defined meta-data in serialized form, and when the archive is opened as a stream that meta-data is automatically deserialized, which triggers the corresponding attack payload.
5.1.10.2. Phar file structure
A Phar consists of four parts: the stub, the manifest, the file contents, and the signature. The stub is PHP code and must contain the call __HALT_COMPILER();.
The manifest holds the permissions, attributes, and meta-data (stored in serialized form) of the archived files. This is the core of the attack: the meta-data is deserialized when the Phar is parsed.
5.1.10.3. Principle
Phar is implemented in php-src/ext/phar/phar.c. The problem arises because the phar_parse_metadata function, which is called while parsing the phar file, in turn calls php_var_unserialize.
In addition, during file stream processing PHP calls _php_stream_stat_path (main/streams/streams.c), which indirectly calls phar_wrapper_stat, so a large number of file operation functions can trigger Phar deserialization.
The currently known trigger functions include:
fileatime / filectime / filemtime / stat / fileinode / fileowner / filegroup / fileperms / file / file_get_contents / readfile / fopen / file_exists / is_dir / is_executable / is_file / is_link / is_readable / is_writeable / is_writable / parse_ini_file / unlink / copy / exif_thumbnail / exif_imagetype / imageloadfont / imagecreatefrom*** / hash_hmac_file / hash_file / hash_update_file / md5_file / sha1_file / get_meta_tags / get_headers / getimagesize / getimagesizefromstring
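Because the manifest is what gets deserialized, a defender can triage uploaded files by reading the manifest layout described above without ever unserializing it. The following Python scanner is an added example, not code from the original page or from ext/phar; it assumes the global manifest layout documented in the PHP manual (after the stub: a 4-byte manifest length, then file count, API version, flags, alias length, alias, meta-data length and meta-data, all little-endian), and the function names and the stdClass fixture are my own.

```python
import re
import struct
from typing import Optional

HALT = b"__HALT_COMPILER();"
# Serialized PHP object (O:) or Serializable class (C:) marker inside meta-data.
OBJECT_RE = re.compile(rb'[OC]:\d+:"')


def _manifest_offset(data: bytes) -> Optional[int]:
    """Offset of the 4-byte manifest length, skipping the optional ' ?>' and
    newline after __HALT_COMPILER(); the same way ext/phar does."""
    pos = data.find(HALT)
    if pos < 0:
        return None
    pos += len(HALT)
    if data[pos:pos + 3] in (b" ?>", b"\n?>"):
        pos += 3
        if data[pos:pos + 2] == b"\r\n":
            pos += 2
        elif data[pos:pos + 1] == b"\n":
            pos += 1
    return pos


def phar_metadata(data: bytes) -> Optional[dict]:
    """Parse the global manifest (all fields little-endian) and return the raw
    serialized meta-data without unserializing it. None if not a Phar."""
    pos = _manifest_offset(data)
    if pos is None or len(data) < pos + 18:
        return None
    _, file_count, _, _, alias_len = struct.unpack_from("<IIHII", data, pos)
    pos += 18 + alias_len
    if len(data) < pos + 4:
        return None
    alias = data[pos - alias_len:pos]
    (meta_len,) = struct.unpack_from("<I", data, pos)
    meta = data[pos + 4:pos + 4 + meta_len]
    return {"files": file_count, "alias": alias, "metadata": meta,
            "has_object": bool(OBJECT_RE.search(meta))}


def build_sample_phar(metadata: bytes) -> bytes:
    """Constructed fixture (not a real archive): a stub, an empty manifest with
    alias 'x' and the given meta-data, no file entries and no signature."""
    body = struct.pack("<IHI", 0, 0x1100, 0)         # file count, API 1.1.0, flags
    body += struct.pack("<I", 1) + b"x"              # alias
    body += struct.pack("<I", len(metadata)) + metadata
    return b"<?php " + HALT + b" ?>\r\n" + struct.pack("<I", len(body)) + body
```

The scanner ignores the file extension, which matters because the phar:// wrapper works on a renamed archive just as well; the per-file entries that follow the global manifest carry serialized meta-data in the same way, so a full scanner should walk those too.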