background

A silly reverse shell invoked via the Composer Dependency Manager. Source here

Composer, which is most probably the most popular PHP dependency manager, allows scripts to run as callbacks based on an event. Callbacks are normally triggered just before or after certain events.

It is possible to provide shell commands to the scripts property in the required composer.json file (with a few restrictions), but this method echoes the command that it executes. A slightly more covert approach is to execute a cleverly named static function in a class included in the codebase. The class has to be one that Composer can autoload.
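Seen from the reviewing side, as an added example that is not part of the original PoC: a small Python script that lists every entry in a composer.json scripts property, marks the ones that fire automatically on install or update, and for static-method callbacks resolves the PSR-4 file a reviewer should read. The classification is a heuristic, and the class name, sample JSON and event subset are constructed for illustration.

```python
import json

# Subset of command events that fire on their own during `composer install` / `composer update`.
AUTO_EVENTS = {
    "pre-install-cmd", "post-install-cmd", "pre-update-cmd", "post-update-cmd",
    "pre-autoload-dump", "post-autoload-dump",
}

def classify(entry):
    """Heuristic: 'Class::method' with no whitespace is a PHP static callback."""
    if entry.startswith("@"):
        return "reference"        # e.g. @php ..., @composer ..., @other-script
    if "::" in entry and not any(c.isspace() for c in entry):
        return "php-callback"     # runs silently inside the Composer process
    return "shell-command"        # echoed by Composer when executed

def psr4_path(class_name, psr4):
    """Map a class name to the file a PSR-4 autoloader would load, or None."""
    cls = class_name.lstrip("\\")
    for prefix, dirs in sorted(psr4.items(), key=lambda kv: -len(kv[0])):
        if cls.startswith(prefix):
            base = dirs if isinstance(dirs, str) else dirs[0]
            return base.rstrip("/") + "/" + cls[len(prefix):].replace("\\", "/") + ".php"
    return None

def audit(composer_json_text):
    """Return one finding per script entry in the root composer.json."""
    doc = json.loads(composer_json_text)
    psr4 = {}
    for section in ("autoload", "autoload-dev"):
        psr4.update(doc.get(section, {}).get("psr-4", {}))
    findings = []
    for event, entries in doc.get("scripts", {}).items():
        for entry in ([entries] if isinstance(entries, str) else entries):
            kind = classify(entry)
            path = psr4_path(entry.split("::")[0], psr4) if kind == "php-callback" else None
            findings.append({"event": event, "entry": entry, "kind": kind,
                             "automatic": event in AUTO_EVENTS, "review_file": path})
    return findings

# Constructed sample input (hypothetical class name), not taken from the PoC repository.
SAMPLE = r'''{"autoload": {"psr-4": {"App\\": "src/"}},
 "scripts": {"post-install-cmd": ["App\\Util\\CacheWarmer::warm", "echo done"],
             "test": "phpunit"}}'''

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Running `composer install --no-scripts` on an untrusted checkout skips these callbacks until the flagged files have been read.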

why?

I thought a little about which scenarios this may actually be useful in and figured maybe only really strange edge cases where you can only run composer (as root lol?). I also remembered a bug in git (CVE-2014-9390) that allowed for code execution via ‘poisoned’ repositories. Well, I guess depending on your perspective, this may be very similar.

PoC

As part of a PoC, I just used the popular pentest-monkey PHP reverse shell, but really, anything is possible that is possible with PHP at this point.