2025-04-05 Update From: SLTechnology News&Howtos (Shulou), Network Security
Shulou (Shulou.com) 05/31 Report
Many people with little experience have no idea how to find a POP chain in PHP deserialization. This article walks through the cause of the problem and a solution, using a challenge built on the Lumen framework as the example. I hope it helps you solve this problem.
Environment setup
Runtime requirements
PHP >= 7.1.3
OpenSSL PHP Extension
PDO PHP Extension
Mbstring PHP Extension
Installing the challenge environment
Run the challenge code
For more information, see https://laravel-china.org/docs/lumen/5.7/installation/2402
PS: the docker environment has since been updated; see https://github.com/phith0n/code-breaking, maintained by P Niu (phith0n).
Vulnerable point
The routes/web.php file defines the web application's routes. When http://website/server/editor is requested with GET or POST, the main method of the class in app/Http/Controllers/EditorController.php is called.
Looking further into app/Http/Controllers/EditorController.php, we quickly find that the $url variable in the download method is passed to the file_get_contents function without any processing. The code of the download method is as follows:
Now the question is whether $url is controllable; if it is, we can use phar deserialization. Tracing $url back to its source, we find that in the doCatchimage method its value comes from the $sources variable, and $sources is determined by the source parameter supplied by the user ($url can therefore be controlled through http://website/server/editor/?action=Catchimage&source[]=phar://xxx.gif). The related code is as follows:
Next we need to find class methods that can be exploited, and then trigger them through phar deserialization.
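For contrast with the vulnerable download method described above, here is a hardened version of that step. This is an added example, not code from the challenge or the project; the function names are hypothetical, and the sample inputs are constructed.

```php
<?php
// Defence-in-depth for a download step that takes a user-supplied $url.
// Added example; isSafeRemoteUrl/safeDownload/looksLikePhar are hypothetical names.

// 1. The application only needs http/https, so unregister the phar wrapper at
//    bootstrap: then no code path can open phar:// at all, whatever the input.
stream_wrapper_unregister('phar');

// 2. Allowlist the scheme instead of looking for a "phar://" prefix. An allowlist
//    also rejects file://, data://, compress.*:// and any wrapper added later.
function isSafeRemoteUrl(string $url): bool
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    return in_array(strtolower($parts['scheme']), ['http', 'https'], true);
}

// 3. A valid http URL can still redirect; disable following so the final target
//    cannot change after validation, and cap how much is read.
function safeDownload(string $url, int $maxBytes = 2 * 1024 * 1024): ?string
{
    if (!isSafeRemoteUrl($url)) {
        return null;
    }
    $ctx = stream_context_create([
        'http' => ['follow_location' => 0, 'timeout' => 5],
    ]);
    $data = @file_get_contents($url, false, $ctx, 0, $maxBytes);
    return $data === false ? null : $data;
}

// 4. Every phar archive carries "__HALT_COMPILER();" in its stub. A file that is
//    supposed to be an image but contains that marker should be logged and
//    quarantined rather than stored where a phar:// path could later reach it.
function looksLikePhar(string $bytes): bool
{
    return stripos($bytes, '__HALT_COMPILER();') !== false;
}

// Constructed inputs: a plain image URL, wrapper-based paths of the kind shown in
// the article, and a fake GIF body that carries a phar stub marker.
$results = [
    'https://img.example.test/a.gif' => isSafeRemoteUrl('https://img.example.test/a.gif'),
    'phar://uploads/xxx.gif'         => isSafeRemoteUrl('phar://uploads/xxx.gif'),
    'compress.zlib://phar://x.gif'   => isSafeRemoteUrl('compress.zlib://phar://x.gif'),
    'fake gif has phar stub'         => looksLikePhar("GIF89a<?php __HALT_COMPILER(); ?>"),
];
var_dump($results);
```

Only the first URL passes the allowlist; the fake GIF is flagged by the stub check, which is where a detection rule on the upload path would hook in.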
About PHPGGC
Before looking for POP chains ourselves, it is worth looking at the four existing payload generators for Laravel framework RCE in phpggc; this makes it faster to find the POP chain for this challenge. The four Laravel RCE payload generators are as follows:
The first chain
When deserialized, the class methods are called in the following order:
The second chain
When deserialized, the class methods are called in the following order:
The third chain
When deserialized, the class methods are called in the following order:
The fourth chain
When deserialized, the class methods are called in the following order:
Here is the execution result of the first chain triggered via phar deserialization (the challenge environment is PHP 7.1.16):
However, the challenge environment imposes some additional restrictions: for example, the PHP version is 7.2.14, and the following functions and classes are disabled (this can be seen by using phpggc's first Laravel RCE chain to generate a phar that calls phpinfo):
disable_functions: system, shell_exec, passthru, exec, popen, proc_open, pcntl_exec, mail, apache_setenv, mb_send_mail, dl, set_time_limit, ignore_user_abort, symlink, link, error_log
disable_classes: GlobIterator, DirectoryIterator, FilesystemIterator, RecursiveDirectoryIterator
Because many functions cannot be called dynamically in PHP 7.x, and given the restrictions above, we need to find other usable points and combine them with the POP chains above in order to write a shell.
Searching for a POP chain
All four RCE entry points above start from the __destruct method of the PendingBroadcast class, so we focus on searching for dispatch methods and __call methods. After some searching, the __call method of the ValidGenerator class turns out to be the easiest to use.
In its code, the call_user_func_array function is called first, and its return value is then passed into the call_user_func function. As long as we can control the return value of call_user_func_array, both parameters of call_user_func are controllable, which lets us call any class method.
Next we search for a class whose method lets us control the return value of call_user_func_array. Here I found the __call method of the DefaultGenerator class: its return value $this->default is fully controllable.
Now both parameters of call_user_func are controllable. To write a shell we need to call the file_put_contents function, which takes two parameters, so it cannot be called directly through call_user_func. Instead we need to call file_put_contents through call_user_func_array, for example call_user_func_array('file_put_contents', array('shell.php', 'test')).
Searching directly for the call_user_func_array function, we find two class methods that are convenient to use. The first, in the ClosureWrapper class, cannot be exploited here, so we use the invoke method of the ReturnCallback class. The code is as follows:
Clearly both parameters of the invoke method can be controlled, so all that remains is to construct an Invocation object. Searching shows that Invocation is an interface, so we look for an implementing class; the StaticInvocation class provides the required functionality, and its code is as follows:
With this, the entire POP chain is constructed. Here is the exp:
The following diagram summarises the call sequence of the entire POP chain.
After reading the above, have you mastered how to find a POP chain in PHP deserialization? If you want to learn more or find out more about this topic, you are welcome to follow the industry information channel. Thank you for reading!