Advanced PHP Deserialization - Phar Files
Previous Video: Intro to PHP Deserialization - • Intro to PHP Deserialization / Object Inje...

00:27 - A little bit of history about PHP Serialization
02:13 - Why is uploading Phar Files different from normal file upload vulns?
02:42 - What are Phar Files?
03:38 - Prevention by disabling the phar stream wrapper
04:00 - Going over the PHP Upload script created for this video
06:15 - Reviewing a PHP Script to generate malicious PHAR Files
07:20 - Setting our PHP Config to allow PHAR to operate in Read/Write mode
08:00 - Showing we can control the beginning bytes of the PHAR File to trick magic byte checks
08:40 - Copying the logging class from the intro to deserialization video into our upload script
09:35 - Adding the PHP Object/POP Chain to our PHAR Generation Script
11:30 - Starting a PHP Webserver so we can upload our image
12:20 - Explaining why the existing image upload script isn't vulnerable
13:00 - Creating a separate script which performs the file operation unlink() against user input
14:45 - Trying to trigger this vulnerability via Curl (doesn't work yet, forgot to include our PHP Class)
16:00 - Adding the PHP Object to our script
17:17 - Beginning to add a phar file to a legitimate image
19:00 - Modifying our PHAR File to also be a valid image
20:12 - Triggering the PHAR Unserialize with our image, but this time with a different file operation (md5_file)
21:50 - Mentioning PHPGGC, which is handy to utilize with this exploit
22:13 - Showing how to unregister PHP Stream wrappers to prevent this attack

