2025-02-23 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
How do PHP deserialization and a WordPress bug combine in an interesting way? Many newcomers are not clear on this, so to help, the editor explains it in detail below; anyone who needs this can follow along, and I hope you gain something from it.
0x00 Preface
A few months ago, I was writing a blog post about PHP deserialization vulnerabilities and decided to find a real target for the article, one that would let me pass test data to PHP's unserialize() function for demonstration purposes. So I downloaded a batch of WordPress plug-ins and started grepping for code that calls unserialize():
$url = 'http://api.wordpress.org/plugins/info/1.0/';
$response = wp_remote_post($url, array('body' => $request));
$plugin_info = @unserialize($response['body']);
if (isset($plugin_info->ratings)) {
    // ...
}
The problem with this plug-in is that it sends a plaintext HTTP request and passes the response body straight to unserialize(). It is not the best entry point for a real attack, but if I can deliver output to unserialize() this trivially, that is enough for the demonstration!
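To make the risk concrete, here is an added example of my own (not code from the original article or from the plug-in): the plug-in's call pattern next to a hardened version that uses the allowed_classes option of unserialize() (PHP 7.0 and later). The SampleGadget class, its serialized body, and the assumption that the legitimate API response is a stdClass object are constructed for this demonstration.

```php
<?php
// Added example (not code from the original article or the plug-in):
// the vulnerable call pattern next to a hardened one. SampleGadget and
// the sample body below are constructed for this demonstration.

// Stands in for any application class with side effects in its magic
// methods; in a real code base this could be any loaded class.
class SampleGadget
{
    public $note = 'default';
    public function __wakeup()   { echo "SampleGadget::__wakeup() ran\n"; }
    public function __destruct() { echo "SampleGadget::__destruct() ran\n"; }
}

// Constructed stand-in for $response['body']. In the plug-in this came
// from a plaintext HTTP response, so anyone on the path could supply it.
$body = 'O:12:"SampleGadget":1:{s:4:"note";s:8:"tampered";}';

// Original pattern: whatever class the body names gets instantiated,
// and its __wakeup()/__destruct() run with attacker-chosen properties.
function parseUnsafe(string $body)
{
    return @unserialize($body);
}

// Hardened pattern: allow only the class the API legitimately returns
// (assumed here to be stdClass, since the plug-in reads ->ratings).
// Anything else comes back as __PHP_Incomplete_Class, with no magic
// methods of application classes invoked; reject it instead of using it.
function parseSafe(string $body)
{
    $info = @unserialize($body, ['allowed_classes' => ['stdClass']]);
    if (!is_object($info) || get_class($info) === '__PHP_Incomplete_Class') {
        return null;
    }
    return $info;
}

echo "unsafe:\n";
$a = parseUnsafe($body);            // SampleGadget::__wakeup() ran
echo "safe:\n";
$b = parseSafe($body);
var_dump($b);                       // NULL, the object was never rebuilt
// SampleGadget::__destruct() for $a runs when the script ends.
```

Switching the request to HTTPS addresses the plaintext transport the article points out; where the upstream API offers a JSON representation, json_decode() removes the deserialization sink entirely, which is preferable to allow-listing classes.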
0x01 PHP deserialization attacks
Simply put, a deserialization vulnerability occurs when an attacker can supply data to an application that converts that data into live objects without proper validation. If attacker data is allowed to control the properties of the resulting object, the attacker can manipulate any code path that uses those object properties, and so potentially turn it into an attack. This technique is called property-oriented programming (POP): a POP gadget is any code snippet that can be controlled in this way, and exploitation works by supplying the application with crafted objects that trigger some useful behaviour when they are deserialized. For more details, see my blog article "Attacking Java Deserialization" (https://nickbloor.co.uk/2017/08/13/attacking-java-deserialization/); the general concepts apply to any underlying technology.
In the case of PHP applications, the best-known and most reliable source of POP gadgets is a class's __wakeup() method. (This is a PHP "magic method": unserialize() checks whether the class defines __wakeup() and, if so, calls it first so the object can prepare any resources it needs.) So whenever an object of a class that defines __wakeup() is deserialized with unserialize(), __wakeup() is guaranteed to be called. Another source is the __destruct() method, which is called automatically when an object is destroyed or the script reaches its end, to perform whatever clean-up the class defines. As long as the PHP script completes without a fatal error, __destruct() is almost guaranteed to be called once the deserialized object goes out of scope.
Besides __wakeup() and __destruct(), PHP has other "magic methods" that a class can define and that may be invoked after deserialization, depending on how the deserialized object is used. In a large and complex application it can be hard to track where a deserialized object ends up, how it is used and which of those methods get called; it is equally hard to determine which classes are available for exploiting a PHP deserialization vulnerability, because the relevant files may not be included at the entry point, or a class autoloader (registered with spl_autoload_register(), for example) may add further confusion.
0x02 A universal PHP POP gadget
To simplify this process, I wrote a PHP class that defines every magic method and writes details to a log file whenever one of them is called. Particularly interesting are __get() and __call(), which are invoked when the application tries to read a property or call a method that the class does not define. The former identifies the properties the application expects on the payload object, so that code using those properties can be manipulated. The latter identifies the non-magic methods that could be used to trigger POP gadgets (and which may themselves serve as POP gadgets).
The class's __wakeup() method also uses get_declared_classes() to retrieve and log the list of declared classes that an exploit payload could draw on (although this does not reflect classes that are not yet declared but could be autoloaded).
0x03 PHP instrumentation
Save the above code to a PHP file; we can then insert an include '/path/to/UniversalPOPGadget.php'; statement into any other PHP script to make the class available. The following Python script finds all PHP files under a given directory and writes that statement to the front of each file, effectively instrumenting the application so that we can study a deserialization entry point by feeding it a serialized UniversalPOPGadget object.
import os
import sys

# Set this to the absolute path to the file containing the UniversalPOPGadget class
GADGET_PATH = "/path/to/UniversalPOPGadget.php"

# File extensions to instrument
FILE_EXTENSIONS = [".php", ".php3", ".php4", ".php5", ".phtml", ".inc"]

# Check command line args
if len(sys.argv) != 2:
    print("Usage: GadgetInjector.py <directory>")
    print("")
    sys.exit()

# PHP statement prepended to every file so the gadget class is loaded first
INCLUDE_STATEMENT = "<?php include '" + GADGET_PATH + "'; ?>"

# Search the given path for PHP files and modify them to include the universal POP gadget
for root, dirs, files in os.walk(sys.argv[1]):
    for filename in files:
        for ext in FILE_EXTENSIONS:
            if filename.lower().endswith(ext):
                # Instrument the file and stop checking file extensions
                path = os.path.join(root, filename)
                with open(path, "rb") as fIn:
                    phpCode = fIn.read()
                with open(path, "wb") as fOut:
                    fOut.write(INCLUDE_STATEMENT.encode() + phpCode)
                break

0x04 Analyzing the deserialization entry point
Going back to the WordPress plug-in code snippet that calls unserialize(), I did not know how to actually trigger that call. All I knew was that the plug-in should send an HTTP request to http://api.wordpress.org/plugins/info/1.0/, so I used the Python script above to instrument the WordPress and plug-in code, then modified the hosts file on the server to point api.wordpress.org at the same server. The following code goes in /plugins/info/1.0/index.php under the web root to serve the UniversalPOPGadget payload:
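Neither the article's UniversalPOPGadget class nor its index.php is reproduced on this page. As an added example of my own (not the author's code), here is a class of the same design as the one described in section 0x02: every magic method logs its invocation, __wakeup() records get_declared_classes(), and buildPayload() produces the serialized object that a lab endpoint such as the index.php described above would return in place of the real API response. The class name DiagnosticGadget, the log path and the self-test at the end are assumptions for this demo; the self-test mirrors the plug-in's isset($plugin_info->ratings) check, which reaches __isset() rather than __get().

```php
<?php
// Added example, not the article's UniversalPOPGadget class: a diagnostic
// class that logs every magic-method call, so a tester reviewing a lab
// instance can see which methods an unserialize() sink reaches and which
// properties/methods the consuming code expects. Class name and log path
// are assumptions for this demo.

class DiagnosticGadget
{
    const LOG_FILE = '/tmp/diagnostic-gadget.log';   // assumed path

    private static function log(string $event): void
    {
        $line = sprintf("[%s] %s\n", date('c'), $event);
        file_put_contents(self::LOG_FILE, $line, FILE_APPEND | LOCK_EX);
    }

    // Called by unserialize(). Also records which classes are declared at
    // that moment; classes that would only be autoloaded later are absent.
    public function __wakeup(): void
    {
        self::log('__wakeup() called');
        self::log('declared classes: ' . implode(',', get_declared_classes()));
    }

    // Called when the object is destroyed or the script ends.
    public function __destruct()
    {
        self::log('__destruct() called');
    }

    // Reading an undefined property shows which properties the consuming
    // code expects on the deserialized object.
    public function __get(string $name)
    {
        self::log("__get('$name')");
        return null;
    }

    // isset()/empty() on an undefined property land here, not in __get().
    public function __isset(string $name): bool
    {
        self::log("__isset('$name')");
        return false;
    }

    public function __set(string $name, $value): void
    {
        self::log("__set('$name')");
    }

    // Calling an undefined method shows which non-magic methods the
    // consuming code invokes on the object.
    public function __call(string $name, array $args)
    {
        self::log("__call('$name', " . count($args) . ' args)');
        return null;
    }

    public function __toString(): string
    {
        self::log('__toString() called');
        return self::class;
    }
}

// What a lab endpoint standing in for the real API would return: the
// serialized diagnostic object (O:16:"DiagnosticGadget":0:{}).
function buildPayload(): string
{
    return serialize(new DiagnosticGadget());
}

if (PHP_SAPI === 'cli') {
    // Self-test: feed the payload to unserialize() the way the plug-in
    // would, then read back the log to confirm which methods fired.
    $info = unserialize(buildPayload());
    isset($info->ratings);   // -> __isset('ratings'), like the plug-in's check
    $info->ratings;          // -> __get('ratings')
    $info->fetch(1, 2);      // -> __call('fetch', 2 args)
    unset($info);            // -> __destruct()
    echo file_get_contents(DiagnosticGadget::LOG_FILE);
}
```

Run from the command line, the script writes and then prints the log; the temporary object created inside buildPayload() is destroyed immediately, so the log also shows one __destruct() entry before the __wakeup() entry. Pointing a test instance at an endpoint that returns buildPayload() gives the same trace from the application's real code path.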