104 - VID_INTERESTING_LANGUAGE_PHP_SERIALIZATION_ON_USER_CONTROLLED_DATA

Deserialisation in PHP


Most of these exploits follow a path that leads to direct exploitability when unserialize is called on attacker-controlled data. By controlling the object that is constructed and destroyed, the attacker makes the __construct or __destruct function call an attacker-controlled function. A slower path to exploitation may also exist, where the application later calls methods on the object, but a direct result is preferable and starts from the internal functions that are always called on deserialisation.

Research on __call (Added 2023-12-09)


As shown in https://fenrisk.com/publications/blogpost/2023/11/30/gadgets-chain-in-laravel/, an exploit chain can also run through the __call magic method, when a member variable holds an object on which a (non-existent) member function is called.

The snippet below can lead to a call of the __call function of the member object $duration inside $this. If that __call function can reach a call_user_func or a call on a variable, exploitation is achievable.

```php
public function __destruct() { $remaining = $this->duration->copy(); }
```

Research on destructors (Added 2023-11-29)


This pattern occurs in production code and was spotted in WordPress.

VULNERABILITY: (Research) PHP destructor '__destruct' contains 'call_user_func' call on member variable. Useful for deserialisation gadgets. (104) 2_destructor_with_call_user_function.php::2122 ; }

The researcher then has to check whether a useful function can be reached with a useful parameter.

Research on directly controlled variables


This code is sometimes used in examples or CTFs.

Deserialization is not automatically exploitable in PHP. It becomes exploitable when the functionality allows code paths that were not foreseen, which happens when developers do not foresee that forged objects could be offered for deserialization.

```php
$sess_data = @unserialize($_COOKIE["$sess_cookie"]);
```
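Added example, not code from the original page or from the scanner project: the destructor gadget the scanner flags above (a __destruct that hands a member variable to call_user_func) beside the unserialize-on-cookie pattern, and the hardened unserialize call with allowed_classes => false. The class ReportJob, its fields and the serialized sample string are constructed for the demo.

```php
<?php
// Added example (not from the original page). Class and field names are
// hypothetical; the serialized string is a constructed sample input.

class ReportJob
{
    public $callback;
    public $arg;

    // Not reached during unserialize(): constructors are never run when an
    // object is rebuilt from a string. Only __unserialize()/__wakeup() run
    // immediately; __destruct() runs when the object is released.
    public function __construct(string $callback, string $arg)
    {
        $this->callback = $callback;
        $this->arg      = $arg;
    }

    // The gadget the scanner reports: the callable and its argument come
    // straight from deserialised member variables, so whoever controls the
    // input chooses which function is called and with what.
    public function __destruct()
    {
        echo "__destruct: calling {$this->callback}\n";
        call_user_func($this->callback, $this->arg);
    }
}

// Constructed sample standing in for an untrusted value such as
// $_COOKIE[...]. The harmless callback keeps the demo benign; the point is
// that class, callable and argument are all chosen by the sender.
$untrusted = 'O:9:"ReportJob":2:{s:8:"callback";s:10:"strtoupper";s:3:"arg";s:5:"hello";}';

// 1) Vulnerable form (the pattern quoted on this page): a real ReportJob is
//    rebuilt, and its destructor fires as soon as $obj goes out of scope.
function vulnerable(string $data): void
{
    $obj = @unserialize($data);
    var_dump($obj instanceof ReportJob);
}   // <- __destruct runs here

// 2) Hardened form: allowed_classes => false rebuilds every object as
//    __PHP_Incomplete_Class, which carries no methods, so no __wakeup,
//    __call or __destruct gadget can execute. Such values are rejected
//    rather than used; only plain arrays are accepted as session data.
function hardened(string $data): ?array
{
    $obj = unserialize($data, ['allowed_classes' => false]);
    if ($obj === false || $obj instanceof __PHP_Incomplete_Class) {
        error_log('rejected serialized object in session data');
        return null;
    }
    return is_array($obj) ? $obj : null;
}

vulnerable($untrusted);
var_dump(hardened($untrusted));
var_dump(hardened(serialize(['user' => 'alice'])));
```

Where the data does not need PHP objects at all, json_decode() removes the gadget surface entirely; allowed_classes is the fallback when serialize() output must be kept.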

Links


https://medium.com/swlh/exploiting-php-deserialization-56d71f03282a
https://fenrisk.com/publications/blogpost/2023/11/30/gadgets-chain-in-laravel/