5.1.10. Phar

5.1.10.1. Introduction

Phar (PHP Archive) is a packaging format that bundles PHP code files and other resources into a single file so that applications and libraries can be distributed as one unit.

The technique started to receive widespread attention after Sam Thomas, a security researcher at Secarma, presented it as a post-exploitation method at Black Hat 2018.

Phar is usable for this because it stores user-defined meta-data in PHP serialized form: when the archive is opened through the phar stream wrapper, that meta-data is deserialized automatically, and the deserialization is what triggers the attack payload.

5.1.10.2. Phar file structure

A Phar consists of four parts: the stub, the manifest, the file contents and the signature. The stub is PHP code that must contain the call __HALT_COMPILER();. The manifest describes the archived files (permissions, attributes and so on) and also holds the meta-data, stored in serialized form. The manifest is the core of the attack, because the meta-data is deserialized when the Phar is parsed.
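To make the layout concrete, here is a scanner, added as an example for this page and not code from the original, that reads a Phar from raw bytes and reports whether the global meta-data contains a serialized object, without ever handing the archive to the Phar class (which is what would parse and deserialize it). The manifest field layout follows PHP's documented Phar file format; the function names, the regular expression and the hand-built sample archives are this example's own assumptions.

```php
<?php
// Added example (not from the original text): inspect a Phar from its raw
// bytes so the serialized meta-data can be examined WITHOUT being deserialized.
// The layout follows the documented Phar manifest format; the function names,
// the regular expression and the sample archives are this example's own.

// Offset of the manifest: the bytes after the stub token "__HALT_COMPILER();",
// skipping the optional " ?>" and one optional line break that phar.c tolerates.
function phar_manifest_offset(string $blob): ?int {
    $pos = strpos($blob, '__HALT_COMPILER();');
    if ($pos === false) {
        return null;                                   // no stub token: not a Phar
    }
    $pos += strlen('__HALT_COMPILER();');
    if (substr($blob, $pos, 3) === ' ?>') { $pos += 3; }
    if (substr($blob, $pos, 2) === "\r\n")   { $pos += 2; }
    elseif (substr($blob, $pos, 1) === "\n") { $pos += 1; }
    return $pos;
}

// Parse the manifest header and return the global meta-data as a raw string.
function phar_inspect(string $blob): array {
    $off = phar_manifest_offset($blob);
    if ($off === null || strlen($blob) < $off + 18) {
        return ['is_phar' => false];
    }
    // manifest length, file count, API version, global flags, alias length
    $hdr   = unpack('Vlen/Vfiles/vapi/Vflags/Valias_len', substr($blob, $off, 18));
    $p     = $off + 18;
    $alias = substr($blob, $p, $hdr['alias_len']);
    $p    += $hdr['alias_len'];
    $metalen  = unpack('V', substr($blob, $p, 4))[1];
    $metadata = $metalen > 0 ? substr($blob, $p + 4, $metalen) : '';

    // A serialized object ("O:") or custom-serialized class ("C:") in the
    // meta-data is exactly what phar_parse_metadata would turn into a live
    // object; a plain array or scalar is not.
    $object = (bool) preg_match('/(?:^|[;{])[OC]:\d+:"/', $metadata);

    return [
        'is_phar'        => true,
        'files'          => $hdr['files'],
        'api_version'    => sprintf('0x%04x', $hdr['api']),
        'alias'          => $alias,
        'metadata'       => $metadata,
        'object_in_meta' => $object,
    ];
}

// Constructed sample archive (built by hand with pack(), not by the Phar class)
// holding one file and the given meta-data string, with a SHA-1 signature.
function sample_phar(string $metadata): string {
    $stub    = "<?php __HALT_COMPILER(); ?>\r\n";
    $name    = 'hello.txt';
    $content = "hello\n";
    // per-file entry: name length, name, size, timestamp, compressed size,
    // CRC32, permission flags (0644), per-file meta-data length (none)
    $entry   = pack('V', strlen($name)) . $name
             . pack('VVVVVV', strlen($content), 0, strlen($content), crc32($content), 0x1A4, 0);
    $body    = pack('VvVV', 1, 0x1110, 0x10000, 0)      // files, API version, flags, alias length
             . pack('V', strlen($metadata)) . $metadata . $entry;
    $archive = $stub . pack('V', strlen($body)) . $body . $content;
    return $archive . sha1($archive, true) . pack('V', 0x0002) . 'GBMB';
}

$benign = sample_phar('a:1:{s:4:"name";s:4:"demo";}');
$risky  = sample_phar('O:8:"stdClass":1:{s:1:"x";i:1;}');
echo 'benign archive, object in meta-data: ';
var_dump(phar_inspect($benign)['object_in_meta']);
echo 'archive with object meta-data, object in meta-data: ';
var_dump(phar_inspect($risky)['object_in_meta']);
echo 'non-Phar input, is_phar: ';
var_dump(phar_inspect("GIF89a not a phar")['is_phar']);
```

Reading the archive with file_get_contents() on a plain filesystem path, as a scanner would, does not parse it; only a path that goes through the phar stream wrapper does. The scanner therefore has to parse the bytes itself, which is why it does not use Phar or PharData. The pattern match is deliberately coarse (it will also flag a string value that happens to contain `O:1:"`); for an upload filter that errs in the safe direction.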

5.1.10.3. Principle

Phar is implemented in php-src/ext/phar/phar.c. The problem is that, while parsing a phar file, the function phar_parse_metadata calls php_var_unserialize on the meta-data.

During file stream handling, PHP calls _php_stream_stat_path (in main/streams/streams.c), which in turn indirectly calls phar_wrapper_stat, so a large number of file-operation functions can trigger the phar deserialization.

The currently known trigger functions include:

fileatime / filectime / filemtime / stat / fileinode / fileowner / filegroup / fileperms / file / file_get_contents / readfile / fopen / file_exists / is_dir / is_executable / is_file / is_link / is_readable / is_writeable / is_writable / parse_ini_file / unlink / copy / exif_thumbnail / exif_imagetype / imageloadfont / imagecreatefrom*** / hash_hmac_file / hash_file / hash_update_file / md5_file / sha1_file / get_meta_tags / get_headers / getimagesize / getimagesizefromstring
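Since the deserialization is reached through the stream layer rather than through any one function, the defensive fix is to keep wrapper-prefixed paths away from the functions above altogether. The following guard is an added example, not code from the original text: it unregisters the phar stream wrapper where the application has no use for it, and accepts only plain paths that resolve inside a base directory before anything from the list is called. The helper names and the regular expressions are this example's own; stream_wrapper_unregister(), stream_get_wrappers() and realpath() are standard PHP functions.

```php
<?php
// Added example (not from the original text): keep user-controlled paths away
// from the phar stream wrapper before they reach file_exists() and friends.
// Function names and the checks themselves are this example's own choices.

// Layer 1: remove the wrapper if the application never opens Phars itself.
// With no "phar" wrapper registered, _php_stream_stat_path has nothing to
// dispatch a phar:// path to. This also breaks legitimate Phar use, so only
// do it where that is acceptable.
if (in_array('phar', stream_get_wrappers(), true)) {
    stream_wrapper_unregister('phar');
}

// Layer 2: accept only a plain relative path that resolves inside $base.
function safe_local_path(string $base, string $userPath): ?string {
    // any "scheme://" prefix (phar://, php://, data://, ...) is rejected outright
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $userPath)) {
        return null;
    }
    // NUL bytes and parent-directory components are rejected as well
    if (strpos($userPath, "\0") !== false
        || preg_match('#(^|[\\\\/])\.\.([\\\\/]|$)#', $userPath)) {
        return null;
    }
    $baseReal = realpath($base);
    if ($baseReal === false) {
        return null;
    }
    $candidate = $baseReal . DIRECTORY_SEPARATOR . ltrim($userPath, '/\\');
    // realpath() returns false when the file does not exist, which for a
    // pure existence check is simply "not found"; a symlink escaping $base
    // is caught by the prefix comparison on the resolved path
    $real = realpath($candidate);
    if ($real === false || strpos($real, $baseReal . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

// Only the vetted, plain filesystem path is ever handed to file_exists().
function upload_exists(string $uploadDir, string $name): bool {
    $path = safe_local_path($uploadDir, $name);
    return $path !== null && file_exists($path);
}

// Demo on a constructed directory under the system temp dir.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'phar-guard-demo';
if (!is_dir($dir)) {
    mkdir($dir);
}
file_put_contents($dir . DIRECTORY_SEPARATOR . 'ok.txt', "demo\n");

echo 'plain name inside the directory: ';
var_dump(upload_exists($dir, 'ok.txt'));
echo 'wrapper-prefixed path: ';
var_dump(upload_exists($dir, 'phar://ok.txt/x'));
echo 'parent-directory traversal: ';
var_dump(upload_exists($dir, '../ok.txt'));
```

The scheme check is the part that matters for this page: every function in the list only reaches phar_wrapper_stat when the path it receives carries the phar wrapper, so refusing any `scheme://` prefix before the call removes that route regardless of which function the code happens to use. The base-directory containment is the usual companion check and is independent of the Phar issue.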