
What is meant by deserialization vulnerabilities

2025-04-07 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

This article explains in detail what a deserialization vulnerability is. The editor thinks it is very practical, so it is shared here for reference. I hope you get something out of it.

Brief introduction:

Deserialization vulnerabilities build on serialization and deserialization operations. When a user-controllable parameter reaches a deserialization call (in PHP, unserialize()), the deserialization automatically invokes certain magic methods. If a magic method performs a sensitive operation, such as calling eval(), and its arguments come from the deserialized data, the user can trigger that sensitive operation simply by changing the parameter. That is a deserialization vulnerability.

If the above still does not make deserialization vulnerabilities clear, we first cover the basics of serialization and deserialization. Many languages have their own serialization functions and operations; this article uses PHP deserialization vulnerabilities as the example, and by the end you should have a new understanding of them.

Basics: what is serialization and deserialization

Serialization is the process of converting an object's state information into a form that can be stored or transmitted, during which the object writes the current state to a temporary or persistent store. Later, you can recreate the object by reading or deserializing the object state from the store.

To put it simply:

Serialization: the process of converting an object into a sequence of bytes is called object serialization.

Deserialization: the process of restoring a sequence of bytes to an object is called object deserialization.

Functions for serialization and deserialization in PHP: serialize() and unserialize().

What are magic methods?

Magic methods are method names reserved by the language; each one is called automatically when the corresponding operation happens. The following explains the magic methods of PHP.

__construct(): triggered when an object is created; generally used to initialize the object.
__sleep(): triggered when serialize() is called on the object.
__wakeup(): triggered when unserialize() rebuilds the object.
__destruct(): triggered when an object is destroyed.
__toString(): triggered when an object is used as a string.
__invoke(): triggered when an object is called as a function.
__call(): triggered when an inaccessible method is called in an object context.
__callStatic(): triggered when an inaccessible method is called in a static context.
__get(): triggered when reading data from an inaccessible property.
__set(): triggered when writing data to an inaccessible property.
__isset(): triggered when isset() or empty() is called on an inaccessible property.
__unset(): triggered when unset() is called on an inaccessible property.

If that is still unclear, here is an example of serialization.

The above is an example of the serialized output of the test class; the effect is as follows.
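As an added illustration (not the article's own listing, which is not reproduced on this page), the following script defines a small test class with an id property and shows which magic methods fire when serialize() and unserialize() run on it. The class, its properties and the values are constructed for this example.

```php
<?php
// Added example (not the article's code): what serialize()/unserialize()
// produce for a small class, and which magic methods run along the way.
// Class name, properties and values are assumptions for the illustration.
class test
{
    public $id = 'hello';
    protected $tmp = 'not persisted';

    // __sleep() runs inside serialize(); the array it returns selects which
    // properties are written out, so $tmp is dropped from the output.
    public function __sleep()
    {
        echo "__sleep called\n";
        return ['id'];
    }

    // __wakeup() runs automatically inside unserialize() on the rebuilt
    // object. Note that __construct() is NOT called during unserialize().
    public function __wakeup()
    {
        echo "__wakeup called, id = {$this->id}\n";
    }

    // __destruct() runs when the object is freed, including at script end.
    public function __destruct()
    {
        echo "__destruct called\n";
    }
}

// Serialize an instance and print the byte string that PHP produces.
$obj  = new test();
$data = serialize($obj);
echo $data, "\n";

// Rebuild an object from that string; __wakeup() fires, __construct() does not.
$copy = unserialize($data);
var_dump($copy instanceof test);
var_dump($copy->id);
```

For this class serialize() emits O:4:"test":1:{s:2:"id";s:5:"hello";}. O:4:"test" denotes an object whose 4-character class name is test, :1: is the number of properties, s:2:"id" is the 2-character property name and s:5:"hello" its 5-character value; each entry ends with a semicolon. Because __sleep() returned only ['id'], $tmp is absent from the string; unserialize() gives it the class default and then calls __wakeup().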

Examples of vulnerability principles:

In deserialization, if the parameter can be controlled by the user and a magic method contains a harmful function, a deserialization vulnerability results. Here is the simplest example.

Auditing the code, it can be summarized as follows:

1. The controllable parameter is a string taken from a GET parameter.

2. The backend deserializes the parameter after receiving it.

3. The test class has a __wakeup magic method whose operation is eval($id).

So the idea is to construct a serialized string of the test class such that the deserialized value of $id is the operation to be performed. For example, to execute phpinfo(), the string would be:

O:4:"test":1:{s:2:"id";s:10:"phpinfo();";}

After deserialization the test object is recreated, and its id property takes the value set in the serialized string we submitted, namely phpinfo();. We can therefore infer that the deserialized test object looks roughly as follows.

During deserialization the __wakeup magic method is called automatically, so eval("phpinfo();") is executed.
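The following script is an added example, not code from the article. It models the vulnerable pattern just described (a GET parameter passed straight to unserialize() on a class whose __wakeup() acts on the restored property) and shows two server-side mitigations that keep the magic method from ever running on untrusted input. The class name test, the property $id and the signing key are assumptions; the input string is constructed for the demo, and __wakeup() here only prints a line instead of calling eval().

```php
<?php
// Added example (not the article's code): the unserialize() pattern from the
// audit above, plus two fixes. test/$id/SIGNING_KEY are assumptions.
class test
{
    public $id;

    public function __wakeup()
    {
        // In the article's vulnerable code this is eval($this->id); here we
        // only report that the method fired so each fix's effect is visible.
        echo "__wakeup fired with id=" . var_export($this->id, true) . "\n";
    }
}

// Constructed input in the shape of a serialized test object (not a live request).
$untrusted = 'O:4:"test":1:{s:2:"id";s:9:"untrusted";}';

// 1. Vulnerable: every class named in the input is instantiated, __wakeup() runs.
echo "[vulnerable]\n";
unserialize($untrusted);

// 2. Fix: allowed_classes => false (PHP >= 7.0). Objects come back as
//    __PHP_Incomplete_Class, so no user-defined magic method is invoked.
echo "[allowed_classes=false]\n";
$obj = unserialize($untrusted, ['allowed_classes' => false]);
echo get_class($obj), "\n";

// 3. Fix: authenticate the blob before it is parsed at all. Only data the
//    server serialized and signed itself reaches unserialize().
const SIGNING_KEY = 'replace-with-a-random-secret'; // assumption: from config

function sign(string $data): string
{
    return hash_hmac('sha256', $data, SIGNING_KEY) . '.' . base64_encode($data);
}

function verified_unserialize(string $token, array $allowed)
{
    [$mac, $b64] = explode('.', $token, 2) + [null, null];
    if ($mac === null || $b64 === null) {
        throw new RuntimeException('malformed token');
    }
    $data = base64_decode($b64, true);
    if ($data === false || !hash_equals(hash_hmac('sha256', $data, SIGNING_KEY), $mac)) {
        throw new RuntimeException('signature check failed');
    }
    // Even after the MAC passes, restrict which classes may be rebuilt.
    return unserialize($data, ['allowed_classes' => $allowed]);
}

echo "[hmac]\n";
try {
    verified_unserialize($untrusted, ['test']);   // unsigned input is rejected
} catch (RuntimeException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
$legit = new test();
$legit->id = 'safe value';
$restored = verified_unserialize(sign(serialize($legit)), ['test']);
echo get_class($restored), "\n";
```

The first call rebuilds a test object and __wakeup() runs. With allowed_classes => false, PHP rebuilds every object as __PHP_Incomplete_Class, so no user-defined magic method executes and the object cannot serve as a gadget. The HMAC layer goes further: unserialize() only ever sees blobs the server signed itself, and even then an allow-list limits which classes may appear. Where the data does not need to carry objects at all, json_decode() is the simpler choice.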

Vulnerability detection:

Finding deserialization vulnerabilities generally requires auditing the source code for usable POP chains.

To keep things understandable, the example above is deliberately simple: the exploitable operation sits directly in the magic method, and the magic method is called automatically, which triggers the vulnerability. In practice such simple cases are rare. More often you need to find a method of the same name and link a class's properties to the sensitive function.

Here are two simple challenges that show how to construct a basic POP chain to exploit a deserialization vulnerability.

POP chain: concept

Starting from the magic method triggered by a user-controllable deserialization, the functions called in that magic method either have same-named functions in other classes, or can reach other callable functions that perform sensitive operations (by passing parameters, association, and so on). Parameters are then passed along to perform the sensitive operation, that is:

User-controllable deserialization → magic method → other functions called in the magic method → a function of the same name, or a sensitive operation reached by passing a callable function

Instance analysis 1:

Source code:

Code analysis:

First, look at the last few lines: the GET parameter data is deserialized, and then echo $user_data is executed. If $user_data is an object instantiated from a class, the __toString() magic method of that object is triggered.

Second, there are three classes in the source code, Test1, Test2 and Test3, which are analyzed in turn.

Test1:

    class Test1 {
        protected $obj;
        function __construct() {
            $this->obj = new Test3;
        }
        function __toString() {
            if (isset($this->obj)) return $this->obj->Delete();
        }
    }

1. The $obj property is declared first.

2. The class has the __construct() and __toString() magic methods. __construct() assigns an instance of the Test3 class to $obj, and __toString() checks whether $obj is set and, if so, returns the result of calling the Delete() method of the $obj object.

Test2:

    class Test2 {
        public $cache_file;
        function Delete() {
            $file = "/var/www/html/cache/tmp/{$this->cache_file}";
            if (file_exists($file)) {
                @unlink($file);
            }
            return 'I am an evil Delete function';
        }
    }

1. The $cache_file property is declared first.

2. The Delete() method is defined. If the file named by the $file variable exists, it is deleted, and a message is returned.

Test3:

    class Test3 {
        function Delete() {
            return 'I am a safe Delete function';
        }
    }

1. The Delete() method is defined; it only returns a sentence, has no sensitive operation, and is a safe function.

POP chain construction:

First, the starting point is the __toString() magic method of Test1, which calls the Delete() method of $this->obj. When a Test1 object is instantiated normally, __construct() runs and sets $this->obj to an instance of Test3, so the Delete() method of Test3 is called and only a message is returned. The execution flow is:

Test1 → __construct() → $this->obj = new Test3 → __toString() → Test3::Delete()

However, the Test2 class also defines a Delete() method with the same name as the one in Test3. Because unserialize() does not run __construct(), the $obj property takes whatever the serialized data specifies, so we can change the execution flow by constructing a specific deserialization parameter, that is, our POP chain, and have the Delete() of Test2 perform the sensitive operation after deserialization. The execution flow becomes:

Test1 → (no __construct()) → $this->obj = Test2 object from the serialized data → __toString() → Test2::Delete()

So the POP chain is: deserialization followed by echo triggers the __toString() magic method, which calls the Delete() method of Test2, resulting in arbitrary file deletion.
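The script below is an added example, not the challenge's own code. It takes the Test2::Delete() sink from the chain above and rewrites it so that even when a POP chain reaches it, it can only remove a plain file inside the cache directory. The property name $cache_file and the path /var/www/html/cache/tmp come from the article; the method split, the demo directory and the test values are assumptions for this example.

```php
<?php
// Added example (not the challenge code): the Test2::Delete() sink from the
// POP chain, hardened with a file-name check and a realpath() containment
// check. Property and original path come from the article; the rest is assumed.
class Test2
{
    public $cache_file;

    // Original form from the challenge: $cache_file is interpolated into the
    // path unchecked, so a value containing "../" escapes the cache directory.
    public function DeleteUnsafe()
    {
        $file = "/var/www/html/cache/tmp/{$this->cache_file}";
        if (file_exists($file)) {
            @unlink($file);
        }
        return 'I am an evil Delete function';
    }

    // Hardened form, keeping a no-argument call compatible with the chain:
    // accept only a bare file name, resolve it with realpath(), and verify the
    // result still lies under the cache directory before unlinking.
    public function Delete($cacheDir = '/var/www/html/cache/tmp')
    {
        $name = (string) $this->cache_file;
        if ($name === '' || strpos($name, "\0") !== false || $name !== basename($name)) {
            return 'refused: invalid cache file name';
        }
        $base   = realpath($cacheDir);
        $target = realpath($cacheDir . DIRECTORY_SEPARATOR . $name);
        if ($base === false || $target === false) {
            return 'nothing to delete';
        }
        // Containment check: the resolved path must start with "<base>/".
        // realpath() also follows symlinks, so a link pointing outside fails here.
        $prefix = $base . DIRECTORY_SEPARATOR;
        if (strncmp($target, $prefix, strlen($prefix)) !== 0 || !is_file($target)) {
            return 'refused: outside cache directory';
        }
        unlink($target);
        return 'cache entry removed';
    }
}

// Demonstration in a throwaway directory instead of the real web root.
$root  = sys_get_temp_dir() . '/popchain-demo-' . bin2hex(random_bytes(4));
$cache = $root . '/cache';
mkdir($cache, 0700, true);
file_put_contents("$root/secret.txt", 'must survive');
file_put_contents("$cache/entry.txt", 'cache entry');

$t = new Test2();
$t->cache_file = 'entry.txt';        // legitimate cache entry: removed
echo $t->Delete($cache), "\n";
$t->cache_file = '../secret.txt';    // traversal via the property: refused
echo $t->Delete($cache), "\n";
$t->cache_file = 'secret.txt';       // valid name, but not inside the cache
echo $t->Delete($cache), "\n";

echo 'entry.txt exists: ', var_export(file_exists("$cache/entry.txt"), true), "\n";
echo 'secret.txt exists: ', var_export(file_exists("$root/secret.txt"), true), "\n";

// Clean up the demo tree.
array_map('unlink', glob("$cache/*") ?: []);
rmdir($cache);
unlink("$root/secret.txt");
rmdir($root);
```

The sink hardening is defense in depth: the primary fix remains not feeding user input to unserialize() (or restricting it with allowed_classes), but limiting what Delete() can touch means that a chain which does reach it can no longer delete files outside the cache directory.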

Exploitation PoC:

Instance analysis 2:

[MRCTF2020] Ezpop

Source code: Welcome to index.php

This challenge does not use a same-named function to perform the sensitive operation; instead it uses the passing of values between functions and objects to reach the sensitive function, producing a deserialization vulnerability that can call file inclusion functions on arbitrary files.

This concludes the article on what deserialization vulnerabilities mean. I hope the content above is helpful and lets you learn more. If you think the article is good, please share it so more people can see it.
