2025-01-19 Update From: SLTechnology News&Howtos > Network Security
Shulou(Shulou.com)05/31 Report--
This article shares how to learn deserialization from the perspective of sessions. The editor finds it very practical and hopes you will get something out of reading it.
The challenge provides the following source code.
Preface
The challenge hands you the phpinfo() output directly; for a CTF challenge, that must have a special significance.
In real-world engagements, phpinfo is also an important information disclosure.
In such a case you can diff it against a default phpinfo and may quickly find a breakthrough.
Dilemma
When you see the magic methods __construct() and __destruct(), it is most likely a deserialization problem. Among them, __destruct() contains
eval($this->mdzz);
If $this->mdzz were controllable this would be an obvious webshell, but mdzz is hard-coded in the constructor and there is no variable-overwrite vulnerability; otherwise it would be a quick win.
With such a convenient eval() here, can we bypass the constructor and execute the commands we need directly?
This line must be where the problem lies:
ini_set('session.serialize_handler', 'php');
Knowledge point
1. Security risks caused by improper use of PHP session serialization/deserialization handler settings: https://github.com/80vul/phpcodz/blob/master/research/pch-013.md
As you can see in phpinfo, PHP supports several serialize handlers for sessions.
During experiments you can also specify the handler with this statement:
session_start([
    'serialize_handler' => 'php_serialize'
]);
If different serialization handlers are used when the session is written and when it is read, arbitrary object injection occurs, which leads to a deserialization vulnerability.
Stored with php_serialize -->
a:1:{s:4:"test";s:20:"|O:8:"stdClass":0:{}";}
Read back with php -->
// var_dump($_SESSION)
array(1) {
  ["a:1:{s:4:"test";s:20:""]=>
  object(stdClass)#1 (0) {
  }
}
After PHP reads the session string, it looks for the first | (vertical bar), splits the string there into a "key name" and a "key value", and unserializes the "key value". If that unserialization fails, it abandons this attempt, finds the next vertical bar and repeats the process until it succeeds.
However, this still does not make mdzz controllable, so the second knowledge point follows.
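To make the handler mismatch concrete, here is an added Python model (not the page's code and not PHP's own implementation) of how the two handlers read the same stored bytes: php_unserialize is a deliberately minimal unserializer, decode_php splits at the first bar exactly as described above, and find_injected_objects is a check a defender can run over the files under session.save_path.

```python
import re

def php_unserialize(data, pos=0):
    """Minimal PHP unserialize() for types i, s, a and O; returns (value, next_pos).
    Objects come back as dicts carrying a '__class' entry (a model, not PHP itself)."""
    t = data[pos]
    if t == 'i':                                      # i:<int>;
        end = data.index(';', pos)
        return int(data[pos + 2:end]), end + 1
    if t == 's':                                      # s:<len>:"<bytes>";
        colon = data.index(':', pos + 2)
        n, start = int(data[pos + 2:colon]), colon + 2
        return data[start:start + n], start + n + 2   # length-prefixed: quotes inside are fine
    if t in 'aO':
        colon = data.index(':', pos + 2)
        n, pos = int(data[pos + 2:colon]), colon + 2
        out = {}
        if t == 'O':                                  # O:<len>:"<class>":<count>:{...}
            out['__class'], pos = data[pos:pos + n], pos + n + 2
            colon = data.index(':', pos)
            n, pos = int(data[pos:colon]), colon + 2
        for _ in range(n):                            # a:<count>:{<key><value>...}
            k, pos = php_unserialize(data, pos)
            out[k], pos = php_unserialize(data, pos)
        return out, pos + 1                           # skip the closing }
    raise ValueError('unsupported type %r at offset %d' % (t, pos))

def decode_php_serialize(raw):
    """serialize_handler=php_serialize: the whole file is one serialized array."""
    return php_unserialize(raw)[0]

def decode_php(raw):
    """serialize_handler=php: everything before the first '|' is the key name and
    whatever follows the bar is unserialized as that key's value."""
    key, _, rest = raw.partition('|')
    return {key: php_unserialize(rest)[0]}

def find_injected_objects(raw):
    """Defender check for a session file written by php_serialize: a '|O:' inside
    a stored string is exactly what the php handler would turn into an object."""
    return [m.group(1) for m in re.finditer(r'\|O:\d+:"([^"]+)"', raw)]

# Constructed sample matching the page: what php_serialize wrote for $_SESSION['test']
STORED = 'a:1:{s:4:"test";s:20:"|O:8:"stdClass":0:{}";}'

if __name__ == '__main__':
    print(decode_php_serialize(STORED))  # {'test': '|O:8:"stdClass":0:{}'}
    print(decode_php(STORED))            # {'a:1:{s:4:"test";s:20:"': {'__class': 'stdClass'}}
    print(find_injected_objects(STORED)) # ['stdClass']
```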
2. Upload progress support (Upload progress in sessions)
For normal usage see Example #1 in http://php.net/manual/zh/session.upload-progress.php: combined with Ajax it can display the upload progress.
With this mechanism you can write data into the session, which makes $mdzz controllable. See also this interesting summary of PHP deserialization:
http://www.91ri.org/15925.html
While an upload is being processed, if the POST data contains a variable with the same name as the ini setting session.upload_progress.name, PHP adds a block of progress data to $_SESSION when it detects such a request, so session contents can be set through session.upload_progress.
Some of the relevant parameters:
session.upload_progress.enabled [= 1]: whether to enable upload progress reporting (enabled by default)
session.upload_progress.cleanup [= 1]: whether to delete the progress data as soon as the upload has finished (enabled by default; keeping it enabled is recommended)
session.upload_progress.prefix [= upload_progress_]: the progress data is stored in $_SESSION under a key beginning with session.upload_progress.prefix
session.upload_progress.name [= PHP_SESSION_UPLOAD_PROGRESS]: if $_POST[session.upload_progress.name] is not set, progress is not reported
session.upload_progress.freq [= 1%]: how often the progress is updated (in bytes processed; a percentage with '%' is also supported)
session.upload_progress.min_freq [= 1.0]: minimum interval between progress updates (seconds)
Back to this challenge: phpinfo shows session.upload_progress.enabled is On and session.upload_progress.cleanup is Off.
Getting to work
Construct a form.
If nothing is specified, PHP uses "php" as the default session serialize handler. The payload and the result are as follows:
PS: do not worry about the Content-Type, it has no effect on solving the challenge; the key point is to add a \ before each " so that the quotes are not broken by escaping.
Array
(
    => OowoO Object
        (
            [mdzz] => print_r($_SESSION)
        )
)
According to the PHP manual, the data stored in the session has the following form, so field_name can be used as well; it is not necessary to use filename.
$_SESSION["upload_progress_123"] = array(
    "start_time" => 1234567890,   // The request time
    "content_length" => 57343257, // POST content length
    "bytes_processed" => 453489,  // Amount of bytes received and processed
    "done" => false,              // true when the POST handler has finished, successfully or not
    "files" => array(
        0 => array(
            "field_name" => "file1",       // Name of the field
            // The following 3 elements equals those in $_FILES
            "name" => "foo.avi",
            "tmp_name" => "/tmp/phpxxxxxx",
            "error" => 0,
            "done" => true,                // True when the POST handler has finished handling this file
            "start_time" => 1234567890,    // When this file has started to be processed
            "bytes_processed" => 57343250, // Amount of bytes received and processed for this file
        ),
    ),
);
There is nothing new in the flag-retrieval part: just replace the value of mdzz with the operation you need to perform.
The above is how to learn deserialization from the perspective of sessions. The editor believes some of these knowledge points may come up in daily work and hopes you can learn more from this article. For more details, please follow the industry information channel.