2025-04-02 Update From: SLTechnology News&Howtos > Network Security
Shulou(Shulou.com)06/01 Report--
This article explains PHP deserialization, magic methods and the principle behind deserialization vulnerabilities. The content is straightforward and easy to follow; work through it step by step with the editor.
1. Foundation
To make objects easy to store and transfer, the operation of converting an object into a string is called serialization; the reverse process of restoring that string to an object is called deserialization.
The serialization and deserialization functions in PHP are serialize() and unserialize().
// run result
serialize -> O:4:"azhe":3:{s:2:"iq";s:3:"200";s:2:"eq";i:300;s:8:"\0azhe\0pr";s:6:"4ut15m";}
(The third property name is declared with length 8 although only azhepr is visible: a private property pr of class azhe is stored as "\0azhe\0pr", and the two NUL bytes were lost when the output was copied; they are written as \0 above.)
URL-encoded, the result is: O%3A4%3A%22azhe%22%3A3%3A%7Bs%3A2%3A%22iq%22%3Bs%3A3%3A%22200%22%3Bs%3A2%3A%22eq%22%3Bi%3A300%3Bs%3A8%3A%22azhepr%22%3Bs%3A6%3A%224ut15m%22%3B%7D
Serialized results fall into several categories:
O:d -> object; d is the length of the class name. For example, an object of class azhe gives O:4, and an object of the native Error class gives O:5.
a:d -> array; d is the number of elements. For example, a two-element array gives a:2.
s:d -> string; d is the length of the string. For example, abc serializes to s:3:"abc".
i:d -> integer; d is the value of the integer variable. For example, 300 serializes to i:300.
N -> null.
The full set of type letters: a - array, b - boolean, d - double, i - integer, o - common object, r - reference, s - string, C - custom object, O - class, N - null, R - pointer reference, U - unicode string.
The PHP session also stores its data as serialized results.
2. Serialization engine
PHP has three engines (session.serialize_handler values) for processing the session: php, php_serialize and php_binary. The structure of the stored session differs under each:
php_serialize -> identical to the serialize() result of the whole $_SESSION array
php -> key|serialize(value) for each entry; this is the default engine
php_binary -> chr(length of the key name) + key name + serialize(value)
The result of using the php engine is shown in the figure above.
The result of using the php_serialize engine is as follows.
The result of using the php_binary engine is as follows.
It contains invisible characters; URL-encoded, the result is as follows.
When the session file is writable, we can write whatever we want into it by hand. For example, this challenge allowed writing to any file, so the session file was written to construct name=admin. payload = |s:3:"xxx";name|s:5:"admin"
A word about the payload:
The banner and the payload are joined into --4ut15mmurb -\n|s:3:"xxx";name|s:5:"admin"; which the php session engine deserializes as
$_SESSION = ['--4ut15mmurb -\n' => 'xxx', 'name' => 'admin']
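To make the three session formats concrete, here is an added example (not the article's code) that encodes the same session data under each handler and shows how the php handler turns the banner line above into a key. The sample session contents are constructed.

```php
<?php
// Added example (not the article's code): encodes the same session data in the three
// formats of session.serialize_handler (php_serialize, php, php_binary), and shows why
// the php handler treats everything up to the first '|' as a key.
function encode_session(array $data, string $handler): string {
    $out = '';
    switch ($handler) {
        case 'php_serialize':                       // whole array through serialize()
            return serialize($data);
        case 'php':                                 // key|serialize(value) per entry
            foreach ($data as $k => $v) { $out .= $k . '|' . serialize($v); }
            return $out;
        case 'php_binary':                          // chr(strlen(key)) . key . serialize(value)
            foreach ($data as $k => $v) { $out .= chr(strlen($k)) . $k . serialize($v); }
            return $out;
    }
    throw new InvalidArgumentException("unknown handler: $handler");
}

// Constructed sample session, and the key/value pairs the forged file above produced.
$session = ['name' => 'admin', 'uid' => 7];
$forged  = ["--4ut15mmurb -\n" => 'xxx', 'name' => 'admin'];

foreach (['php_serialize', 'php', 'php_binary'] as $h) {
    $enc = encode_session($session, $h);
    printf("%-14s %s\n", $h, $h === 'php_binary' ? bin2hex($enc) : $enc);
}
// php_serialize  a:2:{s:4:"name";s:5:"admin";s:3:"uid";i:7;}
// php            name|s:5:"admin";uid|i:7;
// php_binary     046e616d65733a353a2261646d696e223b03756964693a373b
//                (04 = key length, 6e616d65 = "name", then s:5:"admin"; and so on)

echo encode_session($forged, 'php'), "\n";
// --4ut15mmurb -\n|s:3:"xxx";name|s:5:"admin";
```

The last line is exactly the file content from the session-file example: under the php handler the banner line, newline included, is nothing more than the key of the first entry, which is why a file written that way still parses.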
3. Magic methods
A method that is called automatically when a certain condition is met is a magic method. Common magic methods and their trigger conditions are as follows:
__wakeup()      // triggered by unserialize()
__sleep()       // triggered by serialize()
__destruct()    // triggered when an object is destroyed
__call()        // triggered when an inaccessible method is called in object context
__callStatic()  // triggered when an inaccessible method is called in static context
__get()         // used to read data from inaccessible properties
__set()         // used to write data to inaccessible properties
__isset()       // triggered by isset() or empty() on inaccessible properties
__unset()       // triggered by unset() on inaccessible properties
__toString()    // triggered when an object is treated as a string
__invoke()      // triggered when a script tries to call an object as a function
The run result is: instantiating the Superman class, which is the echo of __construct; trying to access the ed property, which Superman does not have, which is the echo of __get; trying to call the eval method, which Superman does not have, which is the echo of __call; destroying the Superman object, which is the fourth echo, from __destruct.
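The Superman class whose output is quoted above is not reproduced on this page. The following is an added example, not the article's code, that produces those four echoes and additionally exercises __toString and __invoke; the property name ed and the method name eval come from the article, the class body and echo texts are assumptions.

```php
<?php
// Added example (not the article's code): reproduces the four echoes of the run result
// (__construct, __get, __call, __destruct) and adds __toString and __invoke, the two
// triggers that POP chains lean on. Echo texts are collected in an array rather than
// printed so they can be inspected in order.
class Superman {
    public static array $echoes = [];
    public function __construct() {
        self::$echoes[] = 'Instantiating Superman: this is the echo of __construct';
    }
    public function __get($name) {
        self::$echoes[] = "Access to property $name, which Superman does not have: echo of __get";
        return null;
    }
    public function __call($name, $args) {
        self::$echoes[] = "Call to method $name, which Superman does not have: echo of __call";
        return null;
    }
    public function __toString(): string {
        self::$echoes[] = 'Superman used as a string: echo of __toString';
        return 'Superman';
    }
    public function __invoke($x) {
        self::$echoes[] = "Superman called as a function with $x: echo of __invoke";
        return $x;
    }
    public function __destruct() {
        self::$echoes[] = 'Destroying the Superman object: this is the echo of __destruct';
    }
}

function run_superman(): array {
    Superman::$echoes = [];
    $s = new Superman();          // __construct
    $s->ed;                       // undefined property -> __get
    $s->{'eval'}();               // undefined method -> __call (the name is only a string here)
    $t = 'Hello ' . $s;           // string context -> __toString
    $s(42);                       // function-call syntax -> __invoke
    unset($s);                    // last reference dropped -> __destruct
    return Superman::$echoes;
}
print_r(run_superman());
```

The order of the echoes is the order in which the triggers fire; note that __destruct only runs once the last reference is gone, which is also why it is the usual entry point of a POP chain.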
When a program has a deserialization point whose input is controllable, the vulnerability can be attacked by building a POP chain out of the program's own classes and PHP's native classes.
Another example:
The POP chain is hit -> __destruct() -> wow -> __toString() -> fine -> __call(); the payload is constructed accordingly.
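The classes of this chain are not reproduced on the page. The following added example (not the article's code) builds a toy chain of the same shape, hit -> __destruct() -> wow -> __toString() -> fine -> __call(), and shows the allowed_classes guard of unserialize() stopping it. Class names follow the article; the property names w and f and the Trace log are assumptions.

```php
<?php
// Added example (not the article's code): a toy POP chain and the guard that stops it.
// None of the classes does anything but append to Trace::$log.
class Trace { public static array $log = []; }

class Fine {
    public function __call(string $name, array $args): string {
        Trace::$log[] = "Fine::__call($name)";
        return 'fine';
    }
}
class Wow {
    public $f;
    public function __toString(): string {
        Trace::$log[] = 'Wow::__toString';
        return (string) $this->f->anything();   // $f is a Fine: undefined method -> __call
    }
}
class Hit {
    public $w;
    public function __destruct() {
        Trace::$log[] = 'Hit::__destruct';
        $s = (string) $this->w;                  // $w is a Wow: string context -> __toString
    }
}

// The serialized chain, written by hand so that no Hit is instantiated (and destructed)
// while building it: Hit{w: Wow{f: Fine{}}}.
const CHAIN = 'O:3:"Hit":1:{s:1:"w";O:3:"Wow":1:{s:1:"f";O:4:"Fine":0:{}}}';

function run_chain(string $payload, bool $guarded): array {
    Trace::$log = [];
    $opts = $guarded ? ['allowed_classes' => false] : [];
    $obj = unserialize($payload, $opts);
    Trace::$log[] = 'unserialize returned ' . get_class($obj);
    unset($obj);                                  // __destruct fires only for a real Hit
    return Trace::$log;
}

print_r(run_chain(CHAIN, false));
// unserialize returned Hit, Hit::__destruct, Wow::__toString, Fine::__call(anything)
print_r(run_chain(CHAIN, true));
// unserialize returned __PHP_Incomplete_Class  (no magic method runs)
```

With allowed_classes set to false (or to an explicit whitelist), every object in the data becomes __PHP_Incomplete_Class, which has no destructor, no __toString and no __call, so the chain has nothing to start from.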
4.1 Exploiting native classes
(See the L3m0n article.)
Native classes are PHP's built-in classes. The classes that have the required magic methods can be enumerated as follows.
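The enumeration script itself is not reproduced here; the following is an added example (not the author's or L3m0n's script) that produces a list of the same kind with the Reflection API. Inherited methods are counted, as they are in the list that follows (LogicException::__wakeup comes from Exception).

```php
<?php
// Added example (not the article's code): list the built-in (internal) classes that
// expose the magic methods relevant to deserialization. Output varies with the PHP
// version and the extensions loaded.
function native_magic_methods(array $magic = ['__wakeup', '__toString', '__destruct', '__call', '__set_state']): array {
    $found = [];
    foreach (get_declared_classes() as $class) {
        $rc = new ReflectionClass($class);
        if (!$rc->isInternal()) {
            continue;                               // user-defined classes are out of scope here
        }
        foreach ($magic as $m) {
            if ($rc->hasMethod($m)) {               // inherited methods count too
                $found[] = "$class::$m";
            }
        }
    }
    return $found;
}

echo implode("\n", native_magic_methods()), "\n";
```

Run the script under the same PHP binary and extension set as the target application, since a class such as SoapClient or PDO only appears when its extension is loaded.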
The results are as follows
Exception::__wakeup, Exception::__toString, ErrorException::__wakeup, ErrorException::__toString, Generator::__wakeup,
DateTime::__wakeup, DateTime::__set_state, DateTimeImmutable::__wakeup, DateTimeImmutable::__set_state, DateTimeZone::__wakeup, DateTimeZone::__set_state, DateInterval::__wakeup, DateInterval::__set_state, DatePeriod::__wakeup, DatePeriod::__set_state,
LogicException::__wakeup, LogicException::__toString, BadFunctionCallException::__wakeup, BadFunctionCallException::__toString, BadMethodCallException::__wakeup, BadMethodCallException::__toString, DomainException::__wakeup, DomainException::__toString, InvalidArgumentException::__wakeup, InvalidArgumentException::__toString, LengthException::__wakeup, LengthException::__toString, OutOfRangeException::__wakeup, OutOfRangeException::__toString, RuntimeException::__wakeup, RuntimeException::__toString, OutOfBoundsException::__wakeup, OutOfBoundsException::__toString, OverflowException::__wakeup, OverflowException::__toString, RangeException::__wakeup, RangeException::__toString, UnderflowException::__wakeup, UnderflowException::__toString, UnexpectedValueException::__wakeup, UnexpectedValueException::__toString,
CachingIterator::__toString, RecursiveCachingIterator::__toString, SplFileInfo::__toString, DirectoryIterator::__toString, FilesystemIterator::__toString, RecursiveDirectoryIterator::__toString, GlobIterator::__toString, SplFileObject::__toString, SplTempFileObject::__toString, SplFixedArray::__wakeup,
ReflectionException::__wakeup, ReflectionException::__toString, ReflectionFunctionAbstract::__toString, ReflectionFunction::__toString, ReflectionParameter::__toString, ReflectionMethod::__toString, ReflectionClass::__toString, ReflectionObject::__toString, ReflectionProperty::__toString, ReflectionExtension::__toString, ReflectionZendExtension::__toString,
DOMException::__wakeup, DOMException::__toString, PDOException::__wakeup, PDOException::__toString, PDO::__wakeup, PDOStatement::__wakeup, SimpleXMLElement::__toString, SimpleXMLIterator::__toString,
PharException::__wakeup, PharException::__toString, Phar::__destruct, Phar::__toString, PharData::__destruct, PharData::__toString, PharFileInfo::__destruct, PharFileInfo::__toString, CURLFile::__wakeup, mysqli_sql_exception::__wakeup, mysqli_sql_exception::__toString, SoapClient::__call, SoapFault::__toString, SoapFault::__wakeup, Error
Error::__toString is triggered when an Error object is output as a string, and its message can carry XSS.
Most exception classes can be used in the same way.
SoapClient
Its __call method is available.
4.2 Deserialization character escape
When the content of the serialized string is controllable and the server replaces sensitive characters inside the serialized string, deserialization character escape becomes possible.
Serialized string character increase
$taoyi->id is fixed to 100, but $taoyi->name is controllable. The $taoyi object is serialized and then passed through a filter function that replaces the sensitive word QAQ with wuwu. The goal is to make the final $taoyi->id equal '3333'.
With name=4ut15m the result is O:5:"Taoyi":2:{s:4:"name";s:6:"4ut15m";s:2:"id";s:3:"100";}. Passing a value that contains the sensitive word, name=4ut15mQAQ, gives O:5:"Taoyi":2:{s:4:"name";s:9:"4ut15mwuwu";s:2:"id";s:3:"100";}. Look at s:9:"4ut15mwuwu": the length of 4ut15mwuwu is 10, which does not match the declared 9, so deserialization fails. Now construct a payload that closes the double quote, name=4ut15mQAQ", and the result is O:5:"Taoyi":2:{s:4:"name";s:10:"4ut15mwuwu"";s:2:"id";s:3:"100";}. Here s:10 corresponds exactly to 4ut15mwuwu, that is, the double quote we entered closes the preceding double quote, and the double quote written by serialize becomes a redundant extra. Each sensitive string we enter lets one character escape (one QAQ was entered above, so one double quote escaped to close the preceding double quote). Therefore we can construct a payload that lets us control the value of id, achieving object escape. The result is shown in the figure below.
Payload: name=4ut15mQAQQAQQAQQAQQAQQAQQAQQAQQAQQAQQAQQAQQAQQAQQAQQAQQAQQAQQAQQAQQAQQAQQAQ";s:2:"id";s:4:"3333";} (4ut15m followed by QAQ repeated 23 times, then the injected tail)
The construction idea: first decide the string that has to escape, ";s:2:"id";s:4:"3333";} whose length is 23, so 23 characters must escape; adding 23 QAQ, each of which gains one character after replacement, satisfies the condition.
Serialized string character decrease
In the decrease case the serialized string needs at least two controllable points. Here the filter replaces the sensitive word wuwu with QAQ.
With name=4ut15m&xixi=1234 the result is O:5:"Taoyi":3:{s:4:"name";s:6:"4ut15m";s:2:"id";s:3:"100";s:4:"xixi";s:4:"1234";}. The first controllable point, name, is used as the swallowing point, and the second controllable point, xixi, as the escape point. Because the attribute id that has to escape sits in front of xixi, the string belonging to id must be swallowed by the payload placed at name. A test with name=4ut15m followed by wuwu repeated 19 times, plus &xixi=1234, gives O:5:"Taoyi":3:{s:4:"name";s:82:"4ut15mQAQQAQQAQQAQQAQQAQQAQQAQQAQQAQQAQQAQQAQQAQQAQQAQQAQQAQQAQ";s:2:"id";s:3:"100";s:4:"xixi";s:4:"1234";}. The 82 characters that s:82 now covers are 4ut15m, the 19 QAQ and the 19 characters ";s:2:"id";s:3:"100 that follow, so after the replacement only two attributes are left. The same applies to the attribute xixi: if xixi is not swallowed as well, the data passed at xixi is simply used as the value of xixi and the goal is still not reached. Once both id and xixi are swallowed, the parameters passed at xixi can rebuild these two attribute values, as follows.
Payload: name=4ut15m followed by wuwu repeated 38 times, and xixi=";s:2:"id";s:4:"3333";s:4:"xixi";s:1:"x";}
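The following added example (not the article's code) reproduces the Taoyi filter-after-serialize bug end to end for both directions, with the payload lengths computed from the injected tail rather than hard-coded, and places the vulnerable order of operations next to the fixed one. Class and property names follow the article; Taoyi3 is an assumed three-property variant for the decrease case.

```php
<?php
// Added example (not the article's code): filter-after-serialize in both directions
// (QAQ->wuwu grows a string, wuwu->QAQ shrinks it) beside the safe order.
class Taoyi  { public $name; public $id = '100'; }
class Taoyi3 extends Taoyi { public $xixi; }   // inherited props serialize first: name, id, xixi

function filter(string $s, string $from, string $to): string {
    return str_replace($from, $to, $s);
}

// Vulnerable order: serialize the object, then run the word filter over the string.
// Every replacement changes a string's real length without touching its s:N: prefix.
function vulnerable(string $class, array $input, string $from, string $to) {
    $t = new $class();
    foreach ($input as $k => $v) { $t->$k = $v; }
    return @unserialize(filter(serialize($t), $from, $to), ['allowed_classes' => [$class]]);
}

// Fixed order: filter each untrusted field first, then serialize; lengths stay consistent.
function fixed(string $class, array $input, string $from, string $to) {
    $t = new $class();
    foreach ($input as $k => $v) { $t->$k = filter($v, $from, $to); }
    return unserialize(serialize($t), ['allowed_classes' => [$class]]);
}

// Increase: each QAQ becomes wuwu (+1 byte), pushing one byte of the injected tail
// out of the declared length. Tail = 23 bytes -> 23 QAQ.
function growth_input(): array {
    $tail = '";s:2:"id";s:4:"3333";}';
    return ['name' => '4ut15m' . str_repeat('QAQ', strlen($tail)) . $tail];
}

// Decrease: each wuwu becomes QAQ (-1 byte), so the declared length of name reaches
// past its real content and swallows what follows. The bytes between the end of
// name's content and the start of xixi's content number 38, hence 38 wuwu.
function shrink_input(): array {
    $xixi    = '";s:2:"id";s:4:"3333";s:4:"xixi";s:1:"x";}';                // 42 bytes
    $swallow = '";s:2:"id";s:3:"100";s:4:"xixi";s:' . strlen($xixi) . ':"'; // 38 bytes
    return ['name' => '4ut15m' . str_repeat('wuwu', strlen($swallow)), 'xixi' => $xixi];
}

function demo(): array {
    return [
        'naive increase (s:9 vs 10 chars)' => vulnerable('Taoyi', ['name' => '4ut15mQAQ'], 'QAQ', 'wuwu'),
        'increase, vulnerable order'       => vulnerable('Taoyi', growth_input(), 'QAQ', 'wuwu')->id,
        'increase, fixed order'            => fixed('Taoyi', growth_input(), 'QAQ', 'wuwu')->id,
        'decrease, vulnerable order'       => vulnerable('Taoyi3', shrink_input(), 'wuwu', 'QAQ')->id,
        'decrease, fixed order'            => fixed('Taoyi3', shrink_input(), 'wuwu', 'QAQ')->id,
    ];
}
var_dump(demo());
// naive: false; increase vulnerable: "3333"; increase fixed: "100";
// decrease vulnerable: "3333"; decrease fixed: "100"
```

The two fixed variants show the actual remedy: any transformation of user data must happen before serialize() (or the data must be validated after unserialize()), never on the serialized text, because the s:N: prefixes are only correct for the bytes that were present when they were written.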
The construction idea: first decide the string that has to escape, ";s:2:"id";s:4:"3333";s:4:"xixi";s:1:"x";} which is 42 characters long (so xixi serializes as s:42:"..."); then determine the length of the string that has to be swallowed in front of it, ";s:2:"id";s:3:"100";s:4:"xixi";s:42:" which is 38. Each wuwu swallows one character, so 38 wuwu are needed to swallow that string.
4.3 PHAR protocol utilization
A phar file is PHP's packaged archive format. In php.ini, phar.readonly controls whether phar files are read-only; phar files can only be generated when it is off (phar.readonly=Off).
Phar file structure
There are four parts: stub, manifest, contents, signature.
1. stub: the phar file identifier, which must be present. The PHP closing tag ?> can be omitted, but the statement terminator ; cannot, and there may be no more than two spaces between the end of the stub and the end of the file. Set the stub before generating the phar. Other content can be placed in front of it so that the archive passes for another file type, for example GIF89a.
2. manifest: stores the phar archive information; its structure is shown in the figure below. All unused flags are reserved for future use and must not be used to store custom information; use the per-file metadata feature to store custom information about a specific file.
Phar deserialization trigger functions
Most of PHP's file-operation functions deserialize the meta-data part of a phar file when they access data through the phar:// protocol.
fileatime, filectime, file_exists, file_get_contents, file_put_contents, file, filegroup, fopen, fileinode, filemtime, fileowner, fileperms, is_dir, is_executable, is_file, is_link, is_readable, is_writable, is_writeable, parse_ini_file, copy, unlink, stat, readfile
An example of generating a phar file is as follows.
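The generation code shown in the article is not reproduced on this page. The following added example (not the article's code) builds a phar whose manifest metadata holds an object, shows the metadata being unserialized when it is read back, and shows the phar:// stream wrapper being unregistered so that file functions can no longer be pointed at a phar. Class, file and property names are assumptions. Two separate runs are needed because a phar created in a process keeps its metadata object in memory, so only a fresh process re-parses it from disk.

```php
<?php
// Added example (not the article's code).
//   php -d phar.readonly=0 phar_demo.php build   (needs phar.readonly=Off, see above)
//   php phar_demo.php read | exists | hardened
// On PHP 7.x "exists" shows __wakeup firing from file_exists(); since PHP 8.0 phar
// metadata is only unserialized by Phar::getMetadata(), so "exists" prints true
// without __wakeup.
class Probe {
    public $tag = 'from-metadata';
    public function __wakeup() { echo "Probe::__wakeup({$this->tag})\n"; }
}

const PHAR_PATH = __DIR__ . '/demo.phar';

function build_phar(string $path): void {
    if (ini_get('phar.readonly')) {
        throw new RuntimeException('run with -d phar.readonly=0');
    }
    @unlink($path);
    $p = new Phar($path);
    $p->startBuffering();
    $p->setStub('<?php __HALT_COMPILER(); ?>');   // stub: must end with __HALT_COMPILER();
    $p->addFromString('test.txt', 'hello');        // contents
    $p->setMetadata(new Probe());                  // manifest metadata: serialize()d on write
    $p->stopBuffering();                           // manifest and signature are written here
}

function read_metadata(string $path): string {
    $m = (new Phar($path))->getMetadata();         // unserialize() of the stored metadata
    return get_class($m);
}

function exists_via_phar(string $path): bool {
    return file_exists('phar://' . $path . '/test.txt');
}

// Mitigation when phar:// is never needed by file functions: drop the wrapper.
function exists_hardened(string $path): bool {
    stream_wrapper_unregister('phar');
    $r = @file_exists('phar://' . $path . '/test.txt');   // no wrapper: false, nothing parsed
    stream_wrapper_restore('phar');
    return $r;
}

$mode = $argv[1] ?? 'read';
switch ($mode) {
    case 'build':    build_phar(PHAR_PATH); echo "built\n"; break;
    case 'read':     echo 'metadata is ', read_metadata(PHAR_PATH), "\n"; break;   // __wakeup, then Probe
    case 'exists':   var_dump(exists_via_phar(PHAR_PATH)); break;
    case 'hardened': var_dump(exists_hardened(PHAR_PATH)); break;
}
```

In an application, the hardened variant is usually paired with a check that user-supplied paths do not start with a scheme such as phar:// at all; unregistering the wrapper covers the functions listed above, while a path check is what keeps the phar:// prefix from reaching them in the first place.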
4.4 PHP references
In PHP, & is both the bitwise AND operator and the reference operator (&& is the logical AND). With & two differently named variables can point to the same value, similar to an address in C.
References can be used when the following situation occurs:
The __wakeup here does not need to be bypassed: when $a->one is a reference to $a->two, the two values must always be equal, no matter which one is changed.
The R:2; in the serialization result is the reference.
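The class behind this case is not reproduced on the page. The following added example (not the article's code) uses a class whose __wakeup() rewrites one property and shows that a reference between the two properties survives serialize()/unserialize() as R:2;, so both fields agree after deserialization no matter which one __wakeup touches. Class and property names are assumptions.

```php
<?php
// Added example (not the article's code): a reference between two properties and how
// it is written (R:2;) and restored. Index 1 is the object itself, index 2 the first
// property value, so R:2; means "the same value as property one".
class Pair {
    public $one;
    public $two;
    public function __wakeup() { $this->one = 'reset-by-wakeup'; }
}

function serialize_with_reference(): string {
    $a = new Pair();
    $a->one = 'v';
    $a->two = &$a->one;       // both names now point to one value
    return serialize($a);     // O:4:"Pair":2:{s:3:"one";s:1:"v";s:3:"two";R:2;}
}

function serialize_without_reference(): string {
    $a = new Pair();
    $a->one = 'v';
    $a->two = 'v';            // equal now, but two independent values
    return serialize($a);     // O:4:"Pair":2:{s:3:"one";s:1:"v";s:3:"two";s:1:"v";}
}

function restore(string $s): array {
    $o = unserialize($s, ['allowed_classes' => ['Pair']]);
    return ['one' => $o->one, 'two' => $o->two, 'equal' => $o->one === $o->two];
}

echo serialize_with_reference(), "\n";
print_r(restore(serialize_with_reference()));
// one and two are both 'reset-by-wakeup', equal => true
print_r(restore(serialize_without_reference()));
// one is 'reset-by-wakeup', two is still 'v', equal => false
```

This is why a check of the form "property one must equal property two after __wakeup has reset one" gives a different answer for R:2; than for a plain copy of the value: a reference is a relationship between the two slots, not a snapshot.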
5. BUGKU consolation prize
This is an introductory deserialization challenge.
Hints were found in index.php.
Download the backup file index.php.bak and audit it.
Write the exp directly.
Some file-reading functions are disabled, so a workaround is used, as follows.
6. BUUCTF ZJCTF 2019 NiZhuanSiWei
Source code:
// Test points: basic deserialization vulnerability and use of PHP pseudo-protocols
The first if is satisfied with php://input, and the file useless.php is read through php://filter.
// useless.php
Payload construction
Create a Flag object whose file property is flag.php, and submit the serialized string.