среда, 9 декабря 2015 г.

One more useful PHP class for unserialize() bugs

In a hurry to share PHP common class for deserialization vulnerabilities.
It's FileCookieJar class of Guzzle project.

Look at its destructor https://github.com/guzzle/guzzle/blob/master/src/Cookie/FileCookieJar.php#L37-L61:
<?
    public function __destruct()
    {
        $this->save($this->filename);
    }
    /**
     * Saves the cookies to a file.
     *
     * @param string $filename File to save
     * @throws \RuntimeException if the file cannot be found or created
     */
    public function save($filename)
    {
        $json = [];
        foreach ($this as $cookie) {
            /** @var SetCookie $cookie */
            if (CookieJar::shouldPersist($cookie, $this->storeSessionCookies)) {
                $json[] = $cookie->toArray();
            }
        }
        if (false === file_put_contents($filename, json_encode($json))) {
            throw new \RuntimeException("Unable to save file {$filename}");
        }
    }
?>
Who can construct valid exploit without hints? ;)
It's easy.