2025-01-15 Update From: SLTechnology News&Howtos > Network Security
Shulou (Shulou.com) 06/01 Report
This article explains how PHP deserialization vulnerabilities work and how they are exploited. The content is simple and clear and easy to follow; please work through it in the order the author lays out.
01 Knowledge best mastered before you start
PHP classes and objects: https://www.php.net/manual/zh/language.oop5.php
PHP magic methods: https://secure.php.net/manual/zh/language.oop5.magic.php
serialize(): http://php.net/manual/zh/function.serialize.php
unserialize(): http://php.net/manual/zh/function.unserialize.php
02 Serialization and deserialization
PHP (since PHP 3.0.5) provides a pair of functions for saving and restoring objects: serialize() and unserialize().
serialize()
Once an object has been created in PHP, serialize() converts it into a string that records the class name and every property value, so the object can be stored or transmitted and rebuilt later. The test serializes a people object whose name is "f1r3K0" and whose age is "18".
Test result:
O:6:"people":2:{s:4:"name";s:6:"f1r3K0";s:3:"age";s:2:"18";}
Note that the leading O is the capital letter O (the object marker), not a zero, and that it sits outside the braces together with the class-name length and the property count: O:6:"people":2 means a six-character class name followed by two properties. Each s:N:"..." entry inside the braces is a string of exactly N bytes.
The letters used by the format denote the type of each value:
a - array
b - boolean
d - double (floating point)
i - integer
o - common object
r - reference
s - string
C - custom object (a class serialized through the Serializable interface)
O - class (ordinary object)
N - null
R - pointer reference
U - unicode string
unserialize()
unserialize() is the counterpart of serialize(): it rebuilds the object from the serialized result. The PHP manual describes it as: unserialize - creates a PHP value from a stored representation.
We can test it by deserializing the string produced above and comparing the result with the original object.
Keep in mind that when unserialize() restores an object, the object's __wakeup() member function is called (foreshadowing: this point comes up again later).
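The round trip described above, as an added example that is not the article's own test code. The people class and its values match the serialized string shown earlier; the __wakeup() body, the tampered string and the allowed_classes check are additions for the demonstration.

```php
<?php
// Added example (not the original article's test code): round-trip a
// "people" object through serialize()/unserialize(). The class and field
// values mirror the output shown above; the __wakeup() body is an assumption
// added so the callback is visible.
class people
{
    public $name = 'f1r3K0';
    public $age  = '18';

    public function __wakeup()
    {
        echo "__wakeup() called while restoring " . $this->name . PHP_EOL;
    }
}

$p = new people();
$s = serialize($p);
echo $s, PHP_EOL;
// O:6:"people":2:{s:4:"name";s:6:"f1r3K0";s:3:"age";s:2:"18";}

// Restoring from the string: __construct() is NOT run, __wakeup() is.
$restored = unserialize($s);
var_dump($restored == $p);      // bool(true): same class, same property values
var_dump($restored === $p);     // bool(false): a distinct object instance

// A hand-edited string is enough to set state the application never set.
// The byte lengths (s:5, s:3) must match the new values exactly.
$evil = 'O:6:"people":2:{s:4:"name";s:5:"admin";s:3:"age";s:3:"999";}';
$t = unserialize($evil);
echo $t->name, ' ', $t->age, PHP_EOL;   // admin 999

// Hardening option (PHP 7.0+): allowed_classes => false refuses to
// instantiate any class; an "O:" payload comes back as __PHP_Incomplete_Class
// and no __wakeup() runs.
$blocked = unserialize($evil, ['allowed_classes' => false]);
var_dump(get_class($blocked));  // string(22) "__PHP_Incomplete_Class"
```

Run it with php on the command line. The last call is the check a practitioner wants when user input must be deserialized at all: restrict allowed_classes to the exact classes expected, or better, use a data-only format such as JSON.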
03 The deserialization vulnerability
As shown above, when the parameter passed to unserialize() is attacker-controllable, a "carefully" constructed serialized string lets the attacker choose the class and the property values of the resulting object, and through them the code paths (chiefly magic methods) that run on that object.
Magic functions such as the constructor
PHP has a special kind of method called a "magic function", more commonly a "magic method". Here we focus on a few of them:
__construct(): the constructor, called automatically when an object is created with new. It is not called by unserialize().
__destruct(): the destructor, similar to C++. It runs when the last reference to an object is removed or when the object is explicitly destroyed; in both cases it is called automatically as the object is torn down.
__wakeup(): as mentioned earlier, unserialize() checks whether the class defines __wakeup(); if so, it is called as soon as the object's properties have been restored, before the object is handed back to the caller.
__toString(): defines how a class responds when it is treated as a string, so it is called whenever an object is used in string context.
__sleep(): intended for committing pending data or similar cleanup; it is called when an object is serialized and must return an array of the property names to serialize.
The test defines a class with all of these methods and then creates, serializes, deserializes and destroys an instance.
From the output it is clear that unserialize() calls __wakeup() first when restoring the string, and the order of the remaining calls is just as easy to read off. (Note: __sleep() is commented out in the test because it runs during serialization; a __sleep() that does not return an array of property names makes serialize() emit a notice and produce N; instead of the object, so the rest of the sequence could not be observed.)
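The call-order test described above, as an added example rather than the article's own test file. The Demo class and its property are arbitrary names chosen for the demonstration; __sleep() is kept in and returns the property list so that serialization completes normally.

```php
<?php
// Added example (not the article's test code): trace the order in which PHP
// invokes the magic methods around serialize()/unserialize(). Class and
// property names are arbitrary choices for the demonstration.
class Demo
{
    public $data = 'payload';

    public function __construct()  { echo "__construct()\n"; }
    // __sleep() must return the names of the properties to serialize;
    // returning anything else makes serialize() emit a notice and yield "N;".
    public function __sleep()      { echo "__sleep()\n"; return ['data']; }
    public function __wakeup()     { echo "__wakeup()\n"; }
    public function __toString()   { echo "__toString()\n"; return $this->data; }
    public function __destruct()   { echo "__destruct()\n"; }
}

echo "-- new --\n";
$obj = new Demo();                 // __construct()

echo "-- serialize --\n";
$s = serialize($obj);              // __sleep() runs, then the string is built
echo $s, "\n";                     // O:4:"Demo":1:{s:4:"data";s:7:"payload";}

echo "-- unserialize --\n";
$copy = unserialize($s);           // __wakeup() only; __construct() is skipped

echo "-- string context --\n";
echo 'value: ' . $copy . "\n";     // __toString() fires during the concatenation

echo "-- destroy --\n";
unset($copy);                      // __destruct() as the last reference goes away
unset($obj);                       // __destruct() for the original as well
echo "-- end --\n";
```

The part that matters for exploitation is the unserialize step: the attacker never needs the constructor, because __wakeup() (immediately) and __destruct() (whenever the object is released, at the latest at script end) run on whatever property values the string supplied.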
Exploitation scenario: __wakeup() and __destruct()
As shown above, unserialize() leads directly to __wakeup() (during restoration) and __destruct() (when the object is released), with no other application code needed in between. Ideally, then, some vulnerable or sensitive code lives in __wakeup() or __destruct(), so that once we control the serialized string we can trigger it directly. The example is taken from the reference article linked at the end of this section, and consists of two files:
// logfile.php: deletes the temporary log file in its __destruct() method
// index.php: the main page, which includes 'logfile.php' and unserializes user input
Combing through the two files: index.php is the main business file, and it contains the PHP deserialization vulnerability. logfile.php defines a class whose __destruct() method deletes the temporary log file once logging is finished. The flaw is really a logic issue: the file to delete is taken from an object property. The way to exploit it is to construct a serialized string describing a logfile object whose target is source.txt, pass it in through GET to the line that calls unserialize(), and let it be rebuilt as an object; when that object is destroyed, __destruct() deletes source.txt.
Exploit (exp)
The exploit passes the crafted serialized string in through $_GET; the page calls unserialize() on it, and the resulting object's __destruct() deletes the file we chose.
I also came across a very interesting __wakeup() example earlier; it is linked directly here:
Chybeta, 浅谈php反序列化漏洞 (A brief discussion of PHP deserialization vulnerabilities): https://chybeta.github.io/2017/06/17/浅谈php反序列化漏洞/
04 Exploiting other magic functions
Here I combine a PCTF challenge and a challenge from this year's national competition for the analysis.
PCTF
Topic link: (http://web.jarvisoj.com:32768/index.php)
The first few steps are the usual ones for reading the source files.
The two source files are given directly here:
/ / index.php
The index.php above hints at the included shield.php, so it is just a matter of constructing the base64-encoded serialized object.
/ / shield.php