In addition to Weibo, there is also WeChat
Please pay attention
WeChat public account
Shulou
2025-01-24 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Network Security >
Share
Shulou(Shulou.com)06/01 Report--
Preface
A new attack technology for PHP applications was unveiled at the previous BlackHat 2018 conference. We will give a brief introduction through this article.
Sam Thomas, a security researcher from Secarma, has discovered a new development technique that can lead to PHP object injection vulnerabilities-- without using the PHPunserialize () function. This new technology, unveiled at the BlackHat 2018 conference, exploits PHP deserialization vulnerabilities for remote code execution. We added detection to this new type of attack in the RIPS code analysis engine.
Common style
Most PHP file operations allow various url styles, such as data://, zlib://, or php://, to be used when accessing file paths. These operations are typically used for remote files where an attacker can control that the file contains the full file path.
Remote files contain vulnerabilities to exploit:
Include ($_ GET ['file']) include (' php://filter/convert.base64-encode/resource=index.php'); include (_ 'data://text/plain;base64,cGhwaW5mbygpCg=='); Phar metadata
But so far, few people pay attention to phar://. What's interesting about Phar (PHP Archive) files is that they contain metadata in a serialized format. Let's create a Phar file and add an object that contains some data as metadata:
/ / create new Phar$phar = new Phar ('test.phar'); $phar- > startBuffering (); $phar- > addFromString (' test.txt', 'text'); $phar- > setStub (''); / / add object of any class as meta dataclass AnyClass {} $object = new AnyClass;$object- > data = 'rips';$phar- > setMetadata ($object); $phar- > stopBuffering ()
Our new test.phar file has the following contents. We can see that the object is stored as a serialized string.
PHP object injection
If we now perform file operations on our existing Phar file through phar://, its serialized metadata will be deserialized. This means that the objects we injected into the metadata are loaded into the scope of the application. If this application has a named AnyClass class and has a magic method destruct () or wakeup () definition, these methods are called automatically. This means that we can trigger any destructor or wakeup method in the code base. To make matters worse, if these methods operate on the data we inject, this may lead to further vulnerabilities.
Class AnyClass {function _ destruct () {echo $this- > data;}} / / output: ripsinclude ('phar://test.phar'); use the
First, the attacker must be able to populate a Phar file on the target Web server. Sam Thomas has discovered a trick on how to hide Phar files in JPG files, so as long as the common image upload function is sufficient. But this is not important, because if an attacker can control the full file path in operations such as nclude (), fopen (), file_get_contents (), file (), and so on, it will cause serious security vulnerabilities. Therefore, these functions are usually validated in user input. But now attackers can inject and get code execution through phar://.
Examples of code that looks harmless so far:
File_exists ($_ GET ['file']); md5_file ($_ GET [' file']); filemtime ($_ GET ['file']); filesize ($_ GET [' file']); Summary
Through the analysis of RIPS, we can automatically detect whether the user input is not validated in the PHP file operation.
In this way, we detect whether there are file deletion, file disclosure, file writing, file manipulation, file creation, file inclusion (etc.) vulnerabilities.
In addition, RIPS's analysis of sensitive strings allows us to accurately assess whether the file path is completely or under the control of an attacker, and whether it can be injected by phar://. Finally, we added a new vulnerability type called Phar Deserialization to the RIPS code analyzer to detect this new type of code risk.
This article is reproduced from "FreeBuf.COM" and the original text is compiled by Zhou Datao
Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.
Views: 0
*The comments in the above article only represent the author's personal views and do not represent the views and positions of this website. If you have more insights, please feel free to contribute and share.
Continue with the installation of the previous hadoop.First, install zookooper1. Decompress zookoope
"Every 5-10 years, there's a rare product, a really special, very unusual product that's the most un
© 2024 shulou.com SLNews company. All rights reserved.