Veteran Pornhub users will not find it unfamiliar (//∇//)\, and a million words are omitted here... So how did the author hack Pornhub? It all started on the day the author opened pornhub...

Summary: The author obtained remote code execution on pornhub.com and earned a $20,000 bug bounty on HackerOne. The author found use-after-free vulnerabilities in PHP's garbage collection algorithm, and those vulnerabilities could be exploited remotely through PHP's unserialize function. The author was also awarded $2,000 by the Internet Bug Bounty committee.

0x01 Vulnerability discovery

As is usual when analyzing a platform, the author quickly examined the site for uses of unserialize and found several affected paths, for example the ones you use to upload sexy pictures:

http://www.pornhub.com/album_upload/create
http://www.pornhub.com/uploading/photo

In these handlers, when the POSTed data contains a parameter named cookie, the value of that parameter is passed to unserialize, and the resulting data is reflected in the Set-Cookie header of the response.
At first glance one might think this can only cause information disclosure, but it is generally known that unserializing user input is unwise (see "ROP in PHP applications" and "Shocking News in PHP Exploitation"). The technique is called property-oriented programming (POP): classes that already exist in the application are abused so that their magic methods run unwanted code when an attacker-crafted object is unserialized. Unfortunately, it is hard to enumerate all the frameworks and PHP classes in use on pornhub; the author tested several classes from common frameworks, and all of them came back with nothing.

0x02 Vulnerability description

The core of unserialize is fairly complex, about 1200 lines of code in PHP 5.6, and in addition many PHP classes implement their own deserialization methods. Because it has to support data types such as objects, arrays, integers, strings and even references, PHP's unserialize has a track record of bugs, including memory corruption vulnerabilities. The current versions, PHP 5.6 and PHP 7, had no similar known vulnerability, especially now that deserialization receives so much attention; it looked like a lemon that had already been squeezed dry, with not many bugs left to find.

Fuzzing unserialize

To get a definitive answer, the author's colleague Dario wrote a fuzzer that generates "special" serialized strings and feeds them to unserialize. Running this fuzzer against PHP 7 produced unexpected results, but these results could not be reproduced against the pornhub site. So the author switched the target to PHP 5; there, however, the fuzzer generated over 1 TB of logs and still no result. After spending more and more effort on fuzzing with nothing to show for it, the author began to question the whole thing: is this even a security-relevant issue? And if so, is it only exploitable locally, or remotely?
To investigate in depth, the author collected more than 200 KB of non-printable data blobs from the fuzzer.

Analyzing the unexpected results

Next, the author spent a lot of time analyzing the crux of the problem. Starting from a working memory-corruption proof of concept, the author ultimately found a use-after-free vulnerability. Further investigation showed that its root cause lay in PHP's garbage collection algorithm and had nothing to do with unserialize itself; the two components only interact after deserialization, which made that bug poorly suited for remote exploitation. After more analysis and a deeper understanding of the root cause, the author found further UAF vulnerabilities that could be exploited remotely.

Vulnerability links:
PHP Bug ID 72433 - CVE-2016-5771
PHP Bug ID 72434 - CVE-2016-5773

0x03 Remote exploitation

Even a very promising UAF vulnerability is hard to exploit remotely, especially when several platforms are involved. Clearly our goal is to execute arbitrary code remotely, so we need a way to control the CPU instruction pointer (the RIP register). Typically there are the following obstacles:

1. The stack, the heap and every other writable section are marked non-executable (executable-space protection).
2. Even once you control the instruction pointer, you need the address of a useful function in an executable memory segment, for example calling libc's system to run a shell command. In PHP the easiest target is zend_eval_string: as if you had written eval('echo 1337;') in a PHP script, it lets us execute arbitrary PHP code without any further conversion.

The first problem can be solved with return-oriented programming (ROP), reusing fragments of executable memory that already exist. The second requires finding the correct address of zend_eval_string.
Usually, when a dynamically linked (non-position-independent) program is executed, the loader maps it at 0x400000, the standard load address on x86_64, so if you can determine the exact build, you can look up the address of any function you want locally. The author found that pornhub ran a php5-cgi build, so it was hard to determine the exact PHP version. Because the exploitation process involves many complicated details, it is not repeated here; in short, with the exploit the author could:

1. Download pornhub.com's complete database, including sensitive data
2. Track the actions of users on the platform
3. Leak all the source code of the sites hosted on the server
4. Pivot deeper into the internal network

0x04 Mitigation advice

The author's advice: even across different PHP environments, unserialize can still lead to remote code execution, so do not use unserialize on data that involves user input; prefer a less complex serialization format such as JSON. The latest PHP versions have fixed these vulnerabilities, so readers should update PHP as soon as possible.

I hope this article is helpful to you; if there are mistakes, corrections are welcome ^_^
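The following is an added example, not code from the original write-up and not pornhub.com's code. It reproduces the pattern described in 0x01 (a POST parameter named cookie fed to unserialize and reflected in Set-Cookie) beside the POP gadget idea from 0x02, and then the JSON replacement the author recommends in 0x04. The class name GadgetLogger, the file paths, the key and the handler names are hypothetical; it assumes PHP 8.0 or later.

```php
<?php
// Added example for this article (not code from the original write-up and not
// pornhub.com's code). It reproduces the pattern described above: a POST
// parameter named "cookie" is fed to unserialize() and reflected in Set-Cookie.
// The class name GadgetLogger, the file paths and the key are hypothetical.
// Requires PHP >= 8.0 (typed properties, the mixed type, JSON_THROW_ON_ERROR).
declare(strict_types=1);

// A "gadget": an ordinary application class whose destructor has a side
// effect. POP never uploads code, it only supplies data that makes existing
// classes do something unintended once the object is destroyed.
final class GadgetLogger
{
    public string $path = '/tmp/app.log';
    public string $line = '';

    public function __destruct()
    {
        // Intended use: flush a log line. Under attacker control: write an
        // attacker-chosen body to an attacker-chosen path.
        file_put_contents($this->path, $this->line . "\n", FILE_APPEND);
    }
}

// Vulnerable handler, shaped like the one the article describes.
function handleCookieVulnerable(array $post): string
{
    $data = unserialize($post['cookie']);      // instantiates arbitrary classes
    $reflected = serialize($data);             // $data dies on return -> __destruct runs
    return 'Set-Cookie: prefs=' . rawurlencode($reflected);
}

// Authenticate a blob so only server-minted data ever comes back to us.
// The hex tag goes first because the blob itself may contain a dot.
function sign(string $blob, string $key): string
{
    return hash_hmac('sha256', $blob, $key) . '.' . $blob;
}

function verify(string $signed, string $key): string
{
    [$tag, $blob] = explode('.', $signed, 2) + [1 => ''];
    if (!hash_equals(hash_hmac('sha256', $blob, $key), $tag)) {
        throw new RuntimeException('bad signature');
    }
    return $blob;
}

// Hardened handler: JSON carries scalars and arrays only, never objects, and
// json_decode() is a far smaller parser than unserialize().
function handleCookieHardened(array $post, string $key): string
{
    $data = json_decode($post['cookie'], true, 16, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new UnexpectedValueException('prefs must be a JSON object');
    }
    return 'Set-Cookie: prefs=' . rawurlencode(sign(json_encode($data, JSON_THROW_ON_ERROR), $key));
}

// If unserialize() cannot be removed: verify the HMAC first, and refuse to
// instantiate classes (PHP >= 7.0). This blocks POP chains, but the parser
// still runs on the blob, which is exactly why the article prefers JSON.
function unserializeSafely(string $signed, string $key): mixed
{
    return unserialize(verify($signed, $key), ['allowed_classes' => false]);
}

// --- Demonstration with constructed input ---------------------------------
$key = 'hypothetical-server-secret';
// Hand-crafted attacker payload: a GadgetLogger whose destructor writes a file.
$payload = 'O:12:"GadgetLogger":2:{s:4:"path";s:14:"/tmp/pwned.txt";s:4:"line";s:5:"owned";}';

@unlink('/tmp/pwned.txt');
echo handleCookieVulnerable(['cookie' => $payload]), "\n";
echo file_exists('/tmp/pwned.txt') ? "gadget fired: /tmp/pwned.txt was written\n" : "no write\n";

try {
    handleCookieHardened(['cookie' => $payload], $key);
} catch (JsonException $e) {
    echo 'hardened handler rejected the payload: ', $e->getMessage(), "\n";
}
echo handleCookieHardened(['cookie' => '{"theme":"dark"}'], $key), "\n";

// A tampered blob is refused before unserialize() ever sees it; a genuine one
// still yields plain data, and any embedded object would become
// __PHP_Incomplete_Class with no destructor.
$genuine = sign('a:1:{s:5:"theme";s:4:"dark";}', $key);
var_dump(unserializeSafely($genuine, $key));
try {
    unserializeSafely(str_replace('dark', 'evil', $genuine), $key);
} catch (RuntimeException $e) {
    echo 'tampered blob rejected: ', $e->getMessage(), "\n";
}
```

Run it with php on the command line: the vulnerable handler writes /tmp/pwned.txt purely because a destructor ran on attacker-supplied data, while the hardened handler rejects the same payload as malformed JSON. The allowed_classes option only defuses property-oriented programming; it does not help against memory corruption inside the unserialize parser itself, which is the class of bug this article is about, so replacing unserialize with JSON for user-controlled data is the advice that actually removes the attack surface.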