Shulou(Shulou.com)05/31 Report--

How to analyze phar deserialization vulnerability attacks and actual combat, many novices are not very clear about this, in order to help you solve this problem, the following editor will explain in detail for you, people with this need can come to learn, I hope you can gain something.

Preface

The phar deserialization vulnerability was exposed a long time ago; because something went wrong at that time, it was impossible to succeed, so I went directly to learn about other vulnerabilities; today, I think it's time to fix this vulnerability.

Causes of loopholes

The phar file stores the user-defined meta-data; in the form of serialization. When the parameters of the file system functions (file_exists (), is_dir (), etc.) can be controlled, with the phar:// pseudo protocol, the deserialization operation can be performed directly without relying on unserialize ().

Principle analysis

The composition of phar

By consulting the manual, it is found that phar is composed of four parts; if you look through the manual, you can see that phar is composed of four parts, namely, stub, manifest describing the contents, the file contents, [optional] a signature for verifying Phar integrity (phar file format only).

1. 0 a stub

The identification function, in the format of xxx, is arbitrary, but it must end with _ _ HALT_COMPILER ();? >, otherwise php will not recognize that this is a phar file

2. 0 a manifest describing the contents

In fact, it can be understood that the phar file is essentially a compressed file, which contains compressed information and permissions, of course, the serialization we need to use is also in it.

The picture is selected from seebug.

3. 0 the file contents

This refers to the contents of the compressed file

4. 0 [optional] a signature for verifying Phar integrity (phar file format only)

Sign, put at the end

Test

Here we quote an example given by Master Happy to generate it.

Then run it under the server and find that the phar file is generated successfully.

Then open the phar file and find that it has been successful; and the data is stored in a serialized way

So since there is serialization, then there must be deserialization, and many file system functions of php parse phar files through the phar:// pseudo-protocol. Deserializes the mate-data.

Falsify phar as other types of documents

We have already introduced the four parts of phar earlier. We have noticed that the first part, stub;, because of this part, even if we modify the phar suffix, the server will still be treated as a phar file when it reads stub; to be more precise, it is the following code; (there is something wrong with the binary compiler, simply look at it in notepad;) you can still find that it is stored in serialized form.

Actual combat

Take a title in a SWPUCTF; if you go in, you will find the inclusion vulnerability, and then read the source code directly, and you will find that the phar is not filtered; and there are hints in the source code, so it is almost a real hammer, that is, the phar deserialization vulnerability.

Analyze the key code directly; class.php

It's obvious that there are three classes here, and that's where the main pop chain is constructed; then the dangerous function file_get_contents () is found; it seems to be using this to read the source code.

Analyze it step by step; first you can see that there is echo; in the C1e4r class, so you need to use echo; to output the string.

Then you see a _ _ toString () method in the show class, which is called automatically when the object is converted to a string; for example, when echo print is made, it is called and a string is returned.

Then audit the Test class and find that the file_get_contents () function is used; step by step, trace back to file_get- > get- > _ _ get (); here, the main thing is to call the _ _ get () method.

So the idea here is almost clear; to put it simply, to call the _ _ get method in the test class, we need to find this method in the show class, because the source attribute is used in this class, so we only need to assign the str ['str'] to the Test class, so triggering the _ _ toString () method needs to use the echo in our first class.

Then construct the pop chain if you have a clear idea.

Exp writing

Generate the phar file, change the suffix to gif, bypass the limit, enter the upload directory after upload (or calculate the file name after upload according to the source code), copy the file name to the window that reads the file, read file=phar://xxxxxx.jpg, and then get the base64 encoding and decoding.

Is it helpful for you to read the above content? If you want to know more about the relevant knowledge or read more related articles, please follow the industry information channel, thank you for your support.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.