Shulou(Shulou.com)06/01 Report--

This article shows you how to find POP chains in PHP deserialization, concise and easy to understand, absolutely can make your eyes shine, through the detailed introduction of this article I hope you can gain something.

Practice PHP deserializing POP chain finding using luminserial in code-breaking as an example.

POP Chain 1

We directly search for 'function dispatch (', and find that there is a Dispatcher class dispatchToQueue method called call_user_func function two parameters are controllable, and dispatch calls dispatchToQueue method, the code is as follows:

As we can see from the code, it is sufficient to pass in the $command variable as an instance of the ShouldQueue class. By searching, we will find ShouldQueue is an interface, so we can find its implementation class. Directly search for 'implements ShouldQueue', we can pick an implementation class at random, here I choose CallQueuedClosure class, the relevant code is as follows:

Now the two parameters of the call_user_func function are controllable, and we can call any method of any object, so that we can use the method in the previous article to call the invoke method of the ReturnCallback class, and pass the object of the StaticInvocationclass as a parameter to form the entire POP chain, using exp as follows:

We then use the following picture to clarify the call process of the entire POP chain.

POP Chain II

Next, the POP chain idea is to refer to this article, to find the POP chain idea or to start with the dispatch method. In the previous article, we found that the first RCE took the__call method of the Generator class, which works extremely well as part of a POP chain because the two parameters in the call_user_func_array method are completely controllable. We just need to find that there is a method such as this->$object->$method($arg1,$arg2), and $object,$method,$arg1,$arg2 four parameters can be controlled, then we can use the__call method of this Generator class, and finally call_user_func_array ('file_put_contents', array ('1.php','xxx')).

We continue our search for dispatch and find a dispatch method of the TraceableEventDispatch class with the following code:

We find that it calls the preProcess method, and the passed $eventName variable is controllable. We follow up with the method, and the specific code is as follows:

You can see that we have to let $this->dispatcher->hasListeners($eventName) return true, otherwise the null value returned is useless to us. Then the getListeners method on line 12 returns an array of values so we can get into the foreach structure. The reason we want to go into foreach is because we see $this->dispatcher->removeListener($eventName, $listener) in line 16, the structure is like this->$object->$method($arg1,$arg2), the first three parameters can be constructed as follows:

this->$object = new Faker\Generator();this->$object->$method = 'removeListener';arg1 = '/var/www/html/1.php';this->formatters['removeListener'] = 'file_put_contents';

After this sub-construction, when we execute $this->dispatcher->removeListener($eventName, $listener), we will call the__call method of Generator class, and then execute call_user_func_array ('file_put_contents', array ('/var/www/html/upload/1.php',$listener)), so we just need to make sure that the fourth parameter $listener is controllable.

Now we go back to the if statement in line 6 above. We need to bypass this condition first. This code calls the hasListeners method of the Faker\Generator class, which triggers the__call method, so we just set this-> formats ['hasListeners '] to' strlen', and then call_user_func_array ('strlen ','var/www/html'), which bypasses the if statement.

j Then we go back to the foreach statement and continue searching for available getListeners methods to see if we can return a controllable array (which is what we need to get into the foreach statement). By searching, we will find a getListeners of the Dispatcher class that meets our requirements, and its specific code is as follows:

In this case $eventName is what we passed in '/var/www/html/upload/1.php', obviously the above code can return an array, and the value of the array is completely controllable.

$this->dispatcher->getListeners() in foreach just called the getListeners method of the Faker\Generator class. Now we need to find a way to make it call the getListeners method of the Dispatcher class. Let's take a look at the Generator call flow chart:

As you can see, as long as we set this->providers to array(Dispatcher class), the call after that looks like call_user_func_array(array(Dispatcher class,'getListeners'),'/var/www/html/1.php').

Now that we're almost done with the whole utilization chain, there's still some extra code to execute before we get to $this->dispatcher->removeListener($eventName, $listener), and we want to make sure that it doesn't affect our methods below, so we need to continue looking at foreach below (foreach in the TraceableEventDispatcher class preProcess method in this case).

We see that it calls the getListenerPriority method of this class, and the code is as follows:

We see line 16, which returns $this->dispatcher->getListenerPriority($eventName, $listener), perfect. We don't need to execute the removeListener method just now, and we can complete the entire POP chain directly here. The final utilization exp is as follows:

We then use the following picture to clarify the call process of the entire POP chain.

This is how to find POP chains in PHP deserialization. Have you learned any knowledge or skills? If you want to learn more skills or enrich your knowledge reserves, please pay attention to the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.