PHP phar://

This exercise covers how the PHP phar:// handler can be used to gain code execution using PHP unserialize.

< 1 Hr.
Brown Badge


In this exercise, we delve into the PHP stream handlers `file://` and `phar://`. While `file://` is commonly known across multiple programming languages, `phar://` is specific to PHP. This lab teaches you how to use `file_get_contents()` to retrieve files and leak the source code of an application hosted in `/var/www`. By analyzing the source code, you will identify exploitable gadgets, focusing on the `__destruct()` method.

The primary goal is to create a malicious PHP archive that, when reached through the `phar://` handler, has its serialized metadata unserialized and triggers the `__destruct()` gadget to gain code execution. The lab provides a step-by-step guide on how to build a phar file, upload it to the server, and have the application open it so the gadget fires. This hands-on approach will solidify your understanding of PHP deserialization vulnerabilities and their potential impact.
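The pattern this lab targets, alongside a hardened version, as an added example that is not part of the PentesterLab exercise. The function names, `$baseDir` and the sample inputs are illustrative assumptions.

```php
<?php
// Added example, not code from the exercise. Function names and $baseDir are illustrative.

// Vulnerable: the path comes straight from the request. file_get_contents()
// dispatches on the URL scheme, so a value such as "phar://uploads/x.jpg" is
// accepted, and in affected PHP versions the archive's serialized metadata is
// unserialized as a side effect of opening it, before any byte is returned.
function readLocalFileVulnerable(string $source): string|false {
    return file_get_contents($source);
}

// Hardened: only plain relative paths that resolve below a fixed directory are accepted.
function readLocalFile(string $source, string $baseDir): string|false {
    // 1. Reject anything carrying a scheme ("phar://", "file://", "data:", ...).
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $source)) {
        return false;
    }
    // 2. Resolve the real path and make sure it stays inside $baseDir (no "../" escapes).
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $source);
    if ($base === false || $real === false
        || !str_starts_with($real, $base . DIRECTORY_SEPARATOR)) {
        return false;
    }
    return file_get_contents($real);
}

// Defence in depth: if the application never needs phar:// at runtime,
// unregister the wrapper so no file function can reach it at all.
stream_wrapper_unregister('phar');

// Constructed inputs: both are refused by the hardened function.
var_dump(readLocalFile('../../../etc/passwd', '/var/www/uploads'));
var_dump(readLocalFile('phar://uploads/avatar.jpg', '/var/www/uploads'));
```

Detection-wise, a request parameter or stored filename beginning with `phar://` (or any scheme) reaching a file function is a strong signal worth alerting on in application logs.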
