2025-01-19 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
In this issue the editor walks through how the Typecho vulnerability can be used to gain an in-depth understanding of PHP deserialization vulnerabilities. The article analyses the topic from a practitioner's point of view; I hope you take something away from it.
0. Preface
Typecho is a lightweight blog system. A getshell vulnerability in it was disclosed some time ago, and vulnerability analyses have already been published online. The root cause is a PHP deserialization vulnerability, so this article analyses that vulnerability and uses it to build an in-depth understanding of PHP deserialization bugs in general.
1. PHP deserialization vulnerability
1.1 brief introduction to vulnerabilities
PHP deserialization vulnerabilities, also known as PHP object injection, are common. They are often hard to exploit, but the consequences of a successful exploit are severe. The root cause is that the program passes a user-supplied serialized string to unserialize() without validation, so the attacker controls which objects are rebuilt and, through their properties, which code runs during deserialization or afterwards, leading to code execution, getshell and a series of other uncontrollable consequences. Deserialization vulnerabilities are not specific to PHP; Java, Python and other languages have them, and the principle is essentially the same.
1.2 vulnerability principle
Next, a few examples show what PHP serialization and deserialization are and how the vulnerability arises. First, the contents of 1.php are as follows:
The file defines a class TestClass with a member variable $variable and a member function PrintVariable, then instantiates the class and calls its method. The result is as follows:
This is an ordinary class instantiation and member function call. Some class member functions, however, are called automatically under certain circumstances; these are the magic methods. Magic method names start with a double underscore (__). For example, __construct is called when an object is created, __destruct when an object is destroyed, and __toString when an object is used as a string. To see how magic methods work, three of them, __construct, __destruct and __toString, have been added in 2.php.
The results are as follows. Note that there are other magic methods; only a few are listed here.
PHP can save an object for later reuse; this is called serialization. Why is such a mechanism needed? Because a variable's value sometimes has to be passed across script files. Once a script has finished executing, all of its variables and their contents have been released, so a later script cannot read them; keeping the earlier script looping and waiting for the later one to call it is obviously unrealistic. serialize() and unserialize() solve this problem: serialize() converts a variable into a string that preserves the variable's current value, and unserialize() converts the string produced by serialize() back into a variable. 3.php adds a serialization example so we can look at the format of a serialized PHP object.
The output is as follows
O denotes an object, 4 is the length of the class name, "User" is the class name, 2 is the number of member variables, and inside the curly braces each member appears as its name (a string with its length) followed by its value (type, length and value). To restore this string to an object, rebuild it with unserialize(); 4.php contains the following code
Running result
The magic methods __construct and __destruct are called automatically when an object is created or destroyed; __sleep is called when an object is serialized, and __wakeup when an object is deserialized. Note that unserialize() does not call __construct: the object is rebuilt directly from the stored properties, which is exactly why __wakeup and __destruct matter to an attacker. Examples of these magic methods are added in 5.php.
Running result
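The class below is an added example, not the article's 1.php to 5.php (those listings are not reproduced on this page). It puts the magic methods discussed above on one User class with two public members and one private member, serializes it, and rebuilds it with unserialize() so the call order of __construct, __sleep, __wakeup, __toString and __destruct is visible. The class and property names are chosen for illustration only.

```php
<?php
// Added example: a User class carrying the magic methods discussed above.
// Class and property names are illustrative, not from the article's own files.
class User
{
    public $name;
    public $age;
    private $token = 'secret';   // private members are serialized too, see the note below

    public function __construct($name, $age)
    {
        $this->name = $name;
        $this->age  = $age;
        echo "__construct called\n";
    }

    // Called by serialize(): returns the names of the properties to store.
    public function __sleep()
    {
        echo "__sleep called\n";
        return ['name', 'age', 'token'];
    }

    // Called by unserialize() after the properties have been restored.
    // __construct is NOT called on the rebuilt object.
    public function __wakeup()
    {
        echo "__wakeup called\n";
    }

    // Called when the object is used where a string is expected (echo, concatenation).
    public function __toString()
    {
        return "User({$this->name}, {$this->age})";
    }

    // Called when the object is destroyed, e.g. when it goes out of scope or at script end.
    public function __destruct()
    {
        echo "__destruct called for {$this->name}\n";
    }
}

$u = new User('tom', 20);     // __construct runs
$s = serialize($u);           // __sleep runs
echo $s, "\n";                // the O:4:"User":3:{...} string, see the note below

$copy = unserialize($s);      // __wakeup runs, __construct does not
echo $copy, "\n";             // __toString runs
var_dump($copy == $u);        // same class and same property values

// Both objects are released at script end, so __destruct runs once for each.
```

Run it with php and watch the order of the magic-method messages. The serialized string starts with O:4:"User":3:{ (three members, because __sleep returned three names), and the private member is stored under the key "\0User\0token", so its name length is 11 rather than 5; protected members use "\0*\0" as the prefix. Anyone hand-crafting a payload, as in the next section, has to get these lengths exactly right or unserialize() fails.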
Now that we understand the important concepts of magic methods, serialization and deserialization, how does a vulnerability arise from this process? Look at another example, 6.php.
This code contains two classes, example and process. process has a member function close() that calls eval(), but in the normal program flow its parameter is not under our control, so we cannot use it to execute arbitrary code. The example class, however, has a __destruct() destructor, which is executed automatically when the object is destroyed (here, at the end of the script); it calls the class's shutdown() member function, which in turn calls close() on $handle. So the question becomes: can we make it call process::close() with a $pid of our choosing? The answer is yes: as long as the deserialized $handle is a process object and its $pid holds the code we want executed. Let's look at how to construct the POC
Execution effect
When the serialized string is deserialized, an example object is rebuilt according to our settings. When the script ends, __destruct() is called automatically, which calls shutdown(); at that moment $handle is a process object, so process::close() is called and eval() runs with the $pid we supplied, giving code execution. An attack path like this, built from the program's existing methods chained together through controlled properties, is a gadget chain, usually called a POP (property-oriented programming) chain by analogy with ROP (return-oriented programming) in binary exploitation. The core idea is the same: find suitable code fragments (gadgets) among the code that already exists in the program and string them together, here by carefully setting the properties of the deserialized objects, so that legitimate code does the attacker's work. The difficulty is in searching the whole code base for usable gadgets, which takes time; once the search and the chaining are done, the attack is hard to stop, because only the program's own code runs and generic protections have trouble telling it apart from normal behaviour. A deserialization vulnerability needs two conditions:
1. The program has an input point where a user-supplied string reaches unserialize(). 2. The program contains magic methods (and methods reachable from them) that can be abused.
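The following is an added example that reconstructs the structure the text describes for 6.php; it is not the article's own file, and the eval() payload is a harmless echo. The class, method and property names (example, process, shutdown(), close(), $handle, $pid) follow the description above. The payload is hand-built with sprintf so that no attacker-side object exists in the same script whose own destructor would muddy the demonstration, and a hardened variant shows the check a practitioner would add.

```php
<?php
// Added example reconstructing the 6.php gadget chain described in the text.
// Not the article's code; the eval payload is a benign echo.

class process
{
    public $pid;

    // In the intended flow $pid is set by trusted code, so eval() looks harmless.
    public function close()
    {
        eval($this->pid);
    }
}

class example
{
    public $handle;

    public function shutdown()
    {
        // whatever object sits in $handle gets its close() method called
        $this->handle->close();
    }

    // runs automatically when the object is destroyed (end of scope or of script)
    public function __destruct()
    {
        $this->shutdown();
    }
}

// --- attacker side: craft the POC string in PHP's serialization format ---
// O:7:"example":1:{s:6:"handle";O:7:"process":1:{s:3:"pid";s:N:"<code>";}}
$code    = 'echo "code executed via eval\n";';   // any PHP code; benign here
$payload = sprintf(
    'O:7:"example":1:{s:6:"handle";O:7:"process":1:{s:3:"pid";s:%d:"%s";}}',
    strlen($code), $code
);

// --- vulnerable side: untrusted string reaches unserialize() unchanged ---
function vulnerable($input)
{
    $obj = unserialize($input);   // an example object holding a process object is rebuilt
    unset($obj);                  // __destruct fires here (or at script end), eval() runs
}

// --- hardened side: never rebuild objects from untrusted input (PHP 7.0+) ---
function hardened($input)
{
    $obj = unserialize($input, ['allowed_classes' => false]);
    // example and process come back as __PHP_Incomplete_Class, which has no
    // __destruct, so the chain never starts
    return get_class($obj);
}

vulnerable($payload);          // prints "code executed via eval"
echo hardened($payload), "\n"; // prints __PHP_Incomplete_Class
```

The allowed_classes option also accepts a list of class names to permit, but any class on that list must be audited for the same chains, so for plain data the safer choice is to avoid unserialize() on user input altogether and use json_decode() instead.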
Next, the deserialization vulnerability in Typecho is analysed as a real case.
2. Analysis of the Typecho vulnerability
The vulnerability is in install.php. First there is a Referer check, which is bypassed by setting the Referer to an on-site address.
The entry point is at line 232
Here the value of the __typecho_config cookie is read, base64-decoded and passed to unserialize(), which satisfies the first condition: an input point for serialized strings. The next step is to find out which magic methods are usable. First do a global search for __destruct() and __wakeup()
Two __destruct() methods are found; following them, neither is usable. Continuing in install.php, the deserialized value is used to instantiate a Typecho_Db. The Typecho_Db constructor in var/Typecho/Db.php is as follows
On line 120 the . operator concatenates $adapterName into a string. If $adapterName is an object, its __toString() method (if it has one) is called automatically, so next search globally for __toString(). Three are found
The first two are not usable; follow the third, the __toString() on line 223 of var/Typecho/Feed.php
Further down, at line 290, there is the following code
If $item['author'] is an object and screenName is a property that cannot be accessed directly (a private or protected property, or one that does not exist at all), the __get() magic method is called automatically. So the next step is to search globally for a usable __get() method.
There are 10 matches in total; the one in var/Typecho/Request.php is usable. Follow it.
It calls the get() function; follow that
which in turn calls the _applyFilter() function
Here we see array_map() and call_user_func(), both of which call a function dynamically: the first parameter is the callable (for example a function name) and the second is the argument it receives. With both under our control, arbitrary code can be executed here. Now look at the whole path. The entry point is line 232 of install.php, where the serialized data is read from outside. According to the data we construct, execution enters __construct() in Db.php, then __toString() in Feed.php, then __get(), get() and _applyFilter() in Request.php; finally call_user_func() executes the function we chose, completing the gadget chain. The POC is constructed as follows
Line 22 of the POC has nothing to do with deserialization, but without it there is no echo. install.php calls ob_start() at the beginning, which opens an output buffer: all output goes into the buffer and is only emitted when the program decides to use it. Our object injection, however, causes a database error in the code that follows
which raises an exception, and the exception handler calls ob_end_clean(), discarding the buffer contents before they are ever echoed.
To solve this, the script must terminate before ob_end_clean() executes. There are two ways:
1. Make execution reach a code segment that contains exit()
2. Make the program hit an error earlier, so that it exits before the handler runs.
The POC uses the second method
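The script below is an added example, not part of the article or of Typecho, that reproduces the lost-echo problem in isolation: an output buffer is opened, a stand-in for the post-deserialization code echoes the payload output and then raises a database-style exception, and the exception handler clears the buffer. Run with the argument exit it shows the first of the two ways above, terminating before ob_end_clean() can run. The handler, the callbacks and the error message are constructed for this demonstration.

```php
<?php
// Added example (not from the article): why a POC can lose its echo behind ob_start(),
// and how exiting before the exception handler runs keeps it.
// Usage: php ob_demo.php lost   -> only the error page is printed
//        php ob_demo.php exit   -> the payload output is printed

ob_start();                         // as install.php does at the beginning

set_exception_handler(function ($ex) {
    ob_end_clean();                 // everything echoed so far is thrown away
    echo "error page: ", $ex->getMessage(), "\n";
});

// Stand-in for the code after the injected object has been used: the callback's
// output lands in the buffer, then the database error surfaces as an exception.
function run_and_fail($callback, $arg)
{
    call_user_func($callback, $arg);
    throw new RuntimeException('database connection failed');   // constructed message
}

$mode = $argv[1] ?? 'lost';

if ($mode === 'lost') {
    // The callback's output is cleared by the handler before it is ever flushed.
    run_and_fail('printf', "payload output\n");
} else {
    // Method 1 from the text: terminate before ob_end_clean() runs.
    // exit() ends the request, and open output buffers are flushed at shutdown.
    run_and_fail(function ($s) { echo $s; exit(0); }, "payload output\n");
}
```

The same reasoning applies to the second method: a fatal error stops the script before the exception handler is reached, and the buffer is flushed at shutdown, so whatever the payload echoed beforehand still reaches the response.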
Once this problem is solved, arbitrary code executes and its output is visible. Set the Referer header to an on-site address, then add a cookie field named __typecho_config whose value is the output of the exp above.
Some uses need no echo at all, such as writing a web shell. The POC is as follows
Running it creates shell.php in the web root
The above is the editor's walkthrough of using Typecho to gain an in-depth understanding of PHP deserialization vulnerabilities; if you have similar questions, the analysis above should help. To learn more, follow the industry information channel.
© 2024 shulou.com SLNews company. All rights reserved.