Serialization and de-serialization
Overview:
Serialization serialize ()
sequence of said popular point is the string may be transmitted into an object, such as the following is an object:
class S { public $ Test = " Pikachu " ; } $ S = new new S (); // create an object the serialize ($ S); // this object serialization result of the sequence obtained is like this: O: 1 : " S " : 1 : {S: . 4 : " Test " ; S: . 7 : " Pikachu " ;} O: Representative object 1 : represents the object length of the name of a character S: name of the object 1 : represents the object there is a variable s: data type 4: The length of the variable name test: variable name s: Data Type 7 the length of the variable value: Pikachu: variable value
Deserialization to unserialize ()
it is to be reduced to a sequence of the target string, and then continue to use the following code.
to unserialize U = $ ( " O:. 1: " S " :. 1: {S:. 4: " Test " ; S:. 7: " Pikachu " ;} " ); echo $ U -> Test; // result is obtained pikachu
Serialization and de-serialization itself is no problem, but if the content is deserialized user can control , and improper use of a background in PHP magic function, can lead to security problems
__construct () When an object is created is called
Vulnerability For example:
class S{ var $test = "pikachu"; function __destruct(){ echo $this->test; } } $s = $_GET['test']; @$unser = unserialize($a); payload:O:1:"S":1:{s:4:"test";s:29:"<script>alert('xss')</script>";}
(Excerpt from pikachu Platform Overview)
pikachu experiment:
We view the source code, here is the interface can accept a deserialized object
We at ambient root directory, to build a 123.php file, the code is as follows
<?php class S{ var $test = "<script>alert('xss')</script>"; } echo '<br>'; $a = new S(); echo serialize($a); ?>
This file is then accessed through a browser,
We see the source code F12 Open console, copy the contents of the echo, to give payload: O: 1: "S": 1: {s: 4: "test"; s: 29: "<script> alert ( 'xss') </ script> ";}
The resulting payload submitted, deserialized result is a JS pop, and XSS attacks can be carried out after we submitted
TWENTIETH
Overview:
XXE - "xml external entity injection" both "xml external entity injection vulnerability."
Summarize is "the attacker by injecting specified xml entity to the server content, allowing the server to perform the specified configuration causes problems," that server to receive and parse the xml data from the user side, but did not do rigorous security control, leading to an external entity xml injection.
Now many languages inside a corresponding analytic function is disabled by default xml parsing the content of external entities and, thus, avoid direct this vulnerability. With PHP, for example, xml parsing in PHP which use the libxml, which ≥2.9.0 version, is disabled by default xml parsing the content of external entities.
XML grammatical structure is as follows:
The first part: XML declaration section <xml Version =? " 1.0 " ?> Part II: Document Type Definition DTD ! < DOCTYPE note [ ! <- defined in this document is note type of document -> ! <ENTITY the Entity-name the SYSTEM " URI of the / the URL of " > ! <- external entity declarations -> ] > part III: document element <note> <to> Dave </ to> < from > Tom </ from > <head> Reminder </ head> <body> A Good man by You are </ body> </ Note>
External entity references Payload:
<?xml version="1.0"?> <!DOCTYPE ANY[ <!ENTITY f SYSTEM "file:///etc/passwd"> ]> <x>&f;</x>
We began to see pikachu experiment.
This chapter provides a case in order to simulate vulnerability, Pikachu platform manually specify LIBXML_NOENT option opens the xml external entity resolution. Xml parsing in PHP which use the libxml, which ≥2.9.0 version, is disabled by default xml parsing the content of external entities.
Let's submit a normal xml data:
<?xml version = "1.0"?> <!DOCTYPE note [ <!ENTITY hacker "test"> ]> <name>&hacker;</name>
It will define the content of our entity is printed on the front end:
If we submit such a payload below, you can see the contents of a file on the server:
<?xml version = "1.0"?> <!DOCTYPE ANY [ <!ENTITY f SYSTEM "file:///C:/PhpStudy/PHPTutorial/WWW/pikachu/assets/css/ace.min.css"> ]> <x>&f;</x>
SSRF
Overview:
SSRF (Server-Side Request Forgery, server request forgery)
Reasons for its formation are mostly due to the server provides the functionality to get data from other server applications , but does not do strict filtering and restrictions on the destination address, an attacker can pass an arbitrary address its request to make the back-end server initiates , and returns the data to the target address of the request. That is the presence of SSRF server vulnerability obtain information on other application servers as a springboard.
Data flow : the attacker -----> Server ----> destination address
Depending on the function used in the background, and the corresponding impact by the method have not the same
PHP improper use of the following functions will cause SSRF:
file_get_contents ()
fsockopen ()
curl_exec ()
If you must go to the specified address ( "or embedded in the front of the request") for resource requests by backend server for remote users, please do the filtering destination address.
SSRF(curl):
We found a link into the platform, which is a poem.
Observation url found it passes a url to the background,
We look at the source code:
URL received first front and then filtered directly without initialized, then the curl_exec (), returned to the front end parsed.
If you build on your remote server pikuchu, where you can change the URL address on other servers within the network address and port, to detect additional information, such as port open, I tested here do not demonstrate the machine is not networked a.
SSRF(file_get_content):
Let's take a look at the source code, file_get_content can be read on the local and remote files
You can also use the filter to obtain the source code page: http: //192.168.35.132/pikachu/vul/ssrf/ssrf_fgc.php file = php:? //Filter/read=convert.base64-encode/resource=ssrf.php
Then base64 decoding can get the source code page:
http://tool.chinaz.com/Tools/Base64.aspx