composr.md (+3 -3)
@@ -152,7 +152,7 @@ If we can get Composr CMS to unserialize this string and the resulting object ge
## A deeper look at Composr CMS
-
We will focus on the `ajax_tree_script` function in `/sources/ajax.php`. This function will run when you access `http://example.org/data/ajax_tree.php`. It is one of the functions that calls `unserialize` on user input without authentication. It starts by quickly checking if the site is in maintainance mode:
+
We will focus on the `ajax_tree_script` function in `/sources/ajax.php`. This function will run when you access `http://example.org/data/ajax_tree.php`. It is one of the functions that calls `unserialize` on user input without authentication. It starts by quickly checking if the site is in maintenance mode:
```php
function ajax_tree_script()
{
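Review bot: the only change in this hunk is the spelling fix `maintainance` -> `maintenance` on the `+` line, which is correct. While this sentence is being touched, the clause "It is one of the functions that calls `unserialize` on user input without authentication" should read "one of the functions that call `unserialize`" (the relative clause modifies "functions", not "one"); consider folding that grammar fix into the same line.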
@@ -395,7 +395,7 @@ Now, we want this to work for PHP 7.2 and we're kinda getting desperate. Luckily
* Objects that implement the `Serializable` interface
* References
-
Objects that implement the `Serializable` interface contain two methods `serialize` and `unserialize`. When serializing such an object a string of the following format will be returned: `C:<number of characters in the class name>:"<class name>":<length of the output of the serialize method>:{<output of the serialize method>}`. Creating a serialized string in this format for an object of a class that doesn't implement `Serializable` will work but the deserialized object will not have any class memebers set. It is thus not very useful for our purposes but it does lead the way to a final working exploit:
+
Objects that implement the `Serializable` interface contain two methods `serialize` and `unserialize`. When serializing such an object a string of the following format will be returned: `C:<number of characters in the class name>:"<class name>":<length of the output of the serialize method>:{<output of the serialize method>}`. Creating a serialized string in this format for an object of a class that doesn't implement `Serializable` will work but the deserialized object will not have any class members set. It is thus not very useful for our purposes but it does lead the way to a final working exploit:
There are a few PHP classes implementing `Serializable`, the most important of which (for our purposes here) is `SplDoublyLinkedList`. This is the important part of the C code that handles serialization for `SplDoublyLinkedList`:
401
401
```c
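Review bot: the spelling fix `memebers` -> `members` on the `+` line is correct and is the hunk's only change. Two punctuation points on the same line, if a follow-up is made: "contain two methods `serialize` and `unserialize`" wants commas around the appositive ("two methods, `serialize` and `unserialize`, ..."), and "will work but the deserialized object" wants a comma before "but". The format string `C:<number of characters in the class name>:"<class name>":<length ...>:{...}` is otherwise consistent with the `C:` example in the surrounding text and needs no change.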
@@ -414,7 +414,7 @@ There are a few PHP classes implementing `Serializable`, the most important of w
}
```
-
It shows that the elements of a `SplDoublyLinkedList` are serialized just like `serialize` would serialize them _but they are seperated by colons_. This provides us with a way to bypass the regex:
+
It shows that the elements of a `SplDoublyLinkedList` are serialized just like `serialize` would serialize them _but they are separated by colons_. This provides us with a way to bypass the regex: