Case Analysis of string Escape in php deserialization

2025-01-16 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

This article explains string escape in PHP deserialization through a worked case. The content is simple and clear, so follow the steps below to study the technique in depth.

PHP deserialization: string escape

There are two cases of string escape in PHP deserialization: the filter applied after serialization makes the string longer, or it makes the string shorter. (This article assumes basic knowledge of deserialization.)

More strings after filtering

Take ctfshow-web262 as an example to explain:

<?php
error_reporting(0);
class message{
    public $from;
    public $msg;
    public $to;
    public $token='user';
    public function __construct($f,$m,$t){
        $this->from = $f;
        $this->msg = $m;
        $this->to = $t;
    }
}
$f = $_GET['f'];
$m = $_GET['m'];
$t = $_GET['t'];
if(isset($f) && isset($m) && isset($t)){
    $msg = new message($f,$m,$t);
    // the replacement runs AFTER serialize(), so it can change the length of a field
    $umsg = str_replace('fuck', 'loveU', serialize($msg));
    setcookie('msg',base64_encode($umsg));
    echo 'Your message has been sent';
}
highlight_file(__FILE__);

In this code, three parameters are read from GET and a message object holding them is serialized. Every "fuck" in the serialized string is then replaced with "loveU", the result is stored in $umsg, base64-encoded and set as the msg cookie.

According to the hints in the challenge, message.php has the following content:

<?php
highlight_file(__FILE__);
include('flag.php');
class message{
    public $from;
    public $msg;
    public $to;
    public $token='user';
    public function __construct($f,$m,$t){
        $this->from = $f;
        $this->msg = $m;
        $this->to = $t;
    }
}
if(isset($_COOKIE['msg'])){
    // the cookie is fully client-controlled and is passed straight to unserialize()
    $msg = unserialize(base64_decode($_COOKIE['msg']));
    if($msg->token=='admin'){
        echo $flag;
    }
}

If the cookie is set and the token of the deserialized message is admin, the flag is printed.

As index.php shows, the replacement is performed after serialization, so every fuck in the input becomes one byte longer in the serialized string. This length difference is what we use to escape the string. Try it locally first.

The goal is to change the token of the deserialized object from user to admin. The three parameters f, m and t are passed together, and any one of them can carry the escape; m is used here. To keep the number of characters that must be escaped small, first fix the values of f and t, pass them in locally and print the serialization result.

In the figure below, ";s:2:"to";s:1:"1";s:5:"token";s:5:"admin";} is the part we want to escape. It is 44 characters long, so m must contain 44 copies of fuck to escape it.

The escape succeeds: the part before and the part after the escape are both well-formed serialized strings. Copy the payload and execute it.
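The following is an added example, not the challenge's own code. It places the ordering used in web262 (filter applied after serialize()) next to a safe ordering (filter the fields, then serialize, then authenticate the cookie) and shows why the first one breaks the length prefixes. The class name Message, the helper names and the secret are assumptions.

```php
<?php
// Added example: vulnerable vs. hardened handling of a serialized cookie.
// Class, helper names and the secret are assumptions, not from the challenge.

class Message
{
    public $from;
    public $msg;
    public $to;
    public $token = 'user';

    public function __construct($f, $m, $t)
    {
        $this->from = $f;
        $this->msg  = $m;
        $this->to   = $t;
    }
}

// The word filter from the challenge: each 4-byte "fuck" becomes a 5-byte "loveU".
function wordFilter(string $s): string
{
    return str_replace('fuck', 'loveU', $s);
}

// Vulnerable ordering: serialize first, then rewrite the serialized text.
// Every s:N: prefix was computed for the original text, so a replacement that
// changes the length leaves N wrong and the prefix no longer guards the field.
function buildCookieVulnerable(Message $m): string
{
    return wordFilter(serialize($m));
}

// Safe ordering: clean the fields, then serialize, so each length prefix
// describes exactly the bytes it precedes. The cookie is also authenticated,
// so an edited or forged value never reaches unserialize() at all.
function buildCookieSafe(Message $m, string $secret): string
{
    $m->from = wordFilter($m->from);
    $m->msg  = wordFilter($m->msg);
    $m->to   = wordFilter($m->to);
    $payload = serialize($m);
    return $payload . '|' . hash_hmac('sha256', $payload, $secret);
}

function readCookieSafe(string $cookie, string $secret): ?Message
{
    $pos = strrpos($cookie, '|');
    if ($pos === false) {
        return null;
    }
    $payload = substr($cookie, 0, $pos);
    $mac     = substr($cookie, $pos + 1);
    if (!hash_equals(hash_hmac('sha256', $payload, $secret), $mac)) {
        return null;                                   // tampered or forged
    }
    // Restrict which classes may be instantiated even though the MAC already passed.
    $obj = unserialize($payload, ['allowed_classes' => [Message::class]]);
    return $obj instanceof Message ? $obj : null;
}

$secret = 'assumed-server-side-secret';               // placeholder, load from config in practice

$bad = buildCookieVulnerable(new Message('alice', 'fuck this', 'bob'));
echo $bad, PHP_EOL;
// ... s:9:"loveU this" ... : the field is now 10 bytes but still declared as 9.
var_dump(@unserialize($bad));                          // bool(false)

$good = buildCookieSafe(new Message('alice', 'fuck this', 'bob'), $secret);
$back = readCookieSafe($good, $secret);
var_dump($back->msg);                                  // string(10) "loveU this"
var_dump(readCookieSafe($good . 'x', $secret));        // NULL: MAC no longer matches
```

Even with a benign input the vulnerable ordering produces a cookie that unserialize() rejects, which is the first visible symptom of this bug class; the attacker-aligned input from the write-up is the case where it does not fail but yields a different object. The safe version removes the length mismatch at its source and, independently, stops the client from editing the serialized data.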

Detailed explanation of the principle behind string escape

This challenge relies on string escape in PHP deserialization.

First of all, let's take a look at the normal results of the local experiment.

When an x is passed in, the replacement function turns one x into two. The original value of old is a:2:{i:0;s:4:"hanx";i:1;s:7:"I am 11";}, and after replacement it becomes a:2:{i:0;s:4:"hanxx";i:1;s:7:"I am 11";}. The declared length 4 no longer matches the five-character hanxx, so an error occurs and old can no longer be deserialized.

Of course, if the declared length of hanx could be changed from 4 to 5, the four-character input would deserialize normally and name would become hanxx instead of hanx.

When PHP deserializes, the underlying parser uses ; as the field separator and } as the terminator (inside a string these characters are data, not delimiters), and reads each string according to its declared length. The input must follow the serialization format exactly for deserialization to succeed.

From the output above, x has been replaced with xx, but the length in the serialized result is still the original 4. The vulnerability comes from the fact that the filter makes the string longer than its declared length.

Principle of the vulnerability: we pass in data whose length matches the bytes the parser consumes and that closes the structure itself. Suppose age should become woaini. The string ";i:1;s:6:"woaini";} is 20 characters long, so adding 20 x's escapes it. The final payload is as follows:

name=maoxxxxxxxxxxxxxxxxxxxx";i:1;s:6:"woaini";}

Since the challenge replaces one x with two, we make the number of x's equal to the length of ";i:1;s:6:"woaini";}. Before replacement the name (not counting the leading mao) is 40 characters long: 20 x's plus the 20 injected characters, so the declared length is 40. After replacement the 20 x's have become 40, so the declared 40 characters are now filled by x's alone, the following quotation mark closes the string, and the injected ;i:1;s:6:"woaini";} is parsed as the age value. This is how the desired age is passed in through string escape.

As the figure shows, the injected age value overflows into place and the string escape succeeds.

Fewer characters after filtering

The local test is similar to the one above. name and sign are initially unassigned and number is 2020; there is a string escape vulnerability. The goal is to change number from 2020 to 2002 by constructing a serialized string for the escape.

In the code, name and sign are read via GET, the object is serialized, the string replacement is applied to the serialized result, the replaced result is printed and then deserialized into fake, and the resulting name, sign and number values are printed.

Normal input gets normal output:

When the input contains lemon or shy, the word is replaced with an empty string; the string becomes shorter, deserialization fails and the code prints an error:

In the serialized string above, the part controlling the number value is ";s:6:"number";s:4:"2020";}, 27 characters in total. So we put filtered words into name so that, after they are removed, name's declared length swallows exactly the right number of the following bytes, and the serialized fragment we supply in the second variable then continues at the right position without an error.

Here sign is set to YKing";s:4:"sign";s:4:"evan";s:6:"number";s:4:"2002";}. YKing fills the bytes still owed to the preceding name field so that deserialization continues normally. Then a manually constructed sign field follows; its value does not matter as long as the format is correct. Finally the desired number value 2002 is added and the object is closed with }, so the original 2020 is never parsed and the number value is overwritten.

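The following is an added example, not part of the original write-up. It serves both the principle section above (the parser trusts each s:N: prefix and stops once the outer value is closed) and the two cases (lengthening and shortening filter): a check that rejects serialized data that does not round-trip byte for byte, run against the write-up's own local test values. The function names are assumptions.

```php
<?php
// Added example: a canonical-form check for serialized data, run over the
// write-up's local tests. Function names are assumptions.

// Lengthening filter from the "more strings" case.
function doubleX(string $s): string
{
    return str_replace('x', 'xx', $s);
}

// Shortening filter from the "fewer strings" case.
function stripWords(string $s): string
{
    return str_replace(['lemon', 'shy'], '', $s);
}

// An unmodified, well-formed serialized string reproduces itself exactly when
// unserialized and serialized again. A corrupted length prefix makes
// unserialize() fail; an aligned escape parses, but leaves the original tail
// (";i:1;s:7:"I am 11";} in the example) unread, so the re-serialized form is
// shorter than the input. Both cases are reported as non-canonical.
function isCanonicalSerialized(string $s): bool
{
    $v = @unserialize($s, ['allowed_classes' => false]);
    if ($v === false && $s !== serialize(false)) {
        return false;                                   // did not parse at all
    }
    return serialize($v) === $s;                        // parsed, but was every byte consumed?
}

// --- "more strings": name = hanx, age = "I am 11", in the array form used above
$orig = serialize(['hanx', 'I am 11']);
echo $orig, PHP_EOL;                                    // a:2:{i:0;s:4:"hanx";i:1;s:7:"I am 11";}
var_dump(isCanonicalSerialized($orig));                 // bool(true)
var_dump(isCanonicalSerialized(doubleX($orig)));        // bool(false): s:4:"hanxx" does not parse

// The escape from the write-up: 20 x's pay for the 20 injected bytes.
$name    = 'mao' . str_repeat('x', 20) . '";i:1;s:6:"woaini";}';
$escaped = doubleX(serialize([$name, 'I am 11']));
$v = @unserialize($escaped);
var_dump($v[1]);                                        // string(6) "woaini": the injected age
var_dump(isCanonicalSerialized($escaped));              // bool(false): trailing bytes were never consumed

// --- "fewer strings": fields name, sign, number = 2020, filter removes lemon/shy
$fields    = ['name' => 'lemonade', 'sign' => 'evan', 'number' => 2020];
$shortened = stripWords(serialize($fields));
echo $shortened, PHP_EOL;                               // ... s:8:"ade";s:4:"sign" ...
var_dump(@unserialize($shortened));                     // bool(false): 8 bytes read past the shortened value
var_dump(isCanonicalSerialized($shortened));            // bool(false)

// Filtering the field before serializing keeps the prefix and the data in step.
$fixed = serialize(['name' => stripWords('lemonade')] + $fields);
var_dump(isCanonicalSerialized($fixed));                // bool(true)
```

The check is a second line of defence only: the real fix is to apply filters before serialize() (or not to unserialize client-controlled data at all). Newer PHP versions also warn about trailing data after the closing brace, which is the same condition this function turns into a hard reject.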

Thank you for reading. This concludes the case analysis of string escape in PHP deserialization; the specific use still needs to be verified in practice.
