Chapter IX: PHP deserialization, XXE, SSRF
1. PHP deserialization: principle and demonstration
Write a test file.
First, comment out the part below.
Access it in the browser.
The value of the object is the serialized form of the string we just defined. After deserialization, the variable `Pikachu` can be obtained directly.
The file defines a class containing one variable and one magic method: when an object of the class is destroyed, the statement inside that method runs automatically. The backend defines an interface that takes data from a GET request and deserializes it. Because the deserialized content comes from the frontend, this is where the security problem arises.
The problem is that if the frontend passes in malicious serialized content, the backend deserializes it when it receives the data. Deserialization creates an object, which is later destroyed, and that process calls the magic method.
In this example we define a variable whose value is JavaScript code. When the data is deserialized, the object is created and then destroyed; destruction runs the magic method, which echoes the variable's content to the frontend, where the code executes.
Scenario demo
A random test input
Constructing the input
We can write a class, define a variable, and put some malicious JavaScript code in the variable's value.
Test it.
Access it again.
A pop-up appears.
Look at the source code.
This is the serialized content.
Here is the interface that accepts this content.
The pop-up fires successfully.
In effect, serialized content passed through a deserialization interface caused XSS.
Look at the code.
This defines a `__construct` magic method, which runs automatically when the object is created.
This vulnerability is usually found through code audit (or black-box testing, etc.).
Principle:
The frontend POST request is deserialized; deserialization creates the object and calls this magic method, and the variable passed in is echoed to the frontend.
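The following is an added example, not the lab's own code, showing the pattern described above next to two hardened alternatives. The class name `S`, the property `test`, the function names and the serialized sample string are assumptions modelled on a minimal demo class.

```php
<?php
// Added example (not the lab's code). A minimal class with a magic method,
// the vulnerable unserialize() call, and two hardened alternatives.

class S {
    public $test = "pikachu";
    // Magic method: runs automatically when the object is destroyed.
    function __destruct() {
        echo $this->test;
    }
}

// Vulnerable: the object is rebuilt from user-controlled input, so
// __destruct (or __wakeup / __construct in other variants) runs with
// attacker-chosen property values and echoes them unescaped to the page.
function vulnerable_unserialize(string $data) {
    return unserialize($data);
}

// Hardened option 1: refuse to instantiate any class. Objects in the payload
// become __PHP_Incomplete_Class, so no magic method of a real class runs.
function safe_unserialize(string $data) {
    return unserialize($data, ['allowed_classes' => false]);
}

// Hardened option 2: do not use PHP serialization for untrusted data at all.
// JSON carries no class information, so no object is ever instantiated.
// (JSON_THROW_ON_ERROR needs PHP 7.3+.)
function safe_json(string $data) {
    $v = json_decode($data, true, 512, JSON_THROW_ON_ERROR);
    return is_array($v) ? $v : null;
}

// Constructed sample: a serialized S object with a benign value.
$input = 'O:1:"S":1:{s:4:"test";s:7:"pikachu";}';

$obj = safe_unserialize($input);
// Self-check: the payload's object must not have become a real S instance,
// otherwise its __destruct would run at the end of the request.
if ($obj instanceof S || !($obj instanceof __PHP_Incomplete_Class)) {
    throw new RuntimeException('class instantiation was not blocked');
}

// If the rebuilt value has to be displayed, escape it before echoing.
echo htmlspecialchars(print_r($obj, true), ENT_QUOTES, 'UTF-8');
```

The `allowed_classes` option exists since PHP 7.0; on older versions the only safe choice is the JSON route, and in either case the value is still user input and must be escaped before it is echoed.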
2. XXE vulnerability: principle and demonstration
An XML document is passed as a parameter to a function, which parses it into a PHP object. The backend code then reads data from that object, which is how the XML's contents are obtained.
Scenario demo
Data can be sent from the frontend to the backend.
Look at the backend code.
The frontend passes XML data via a POST request; the data enters the function, which parses the XML including external entities, and the parsed data is then returned to the frontend.
Try a normal input first.
The value `hacker` defined in the DTD is returned directly. This is a normal submission.
Define an external entity in the DTD, using SYSTEM to specify it.
The external entity is resolved, and the contents of the file specified by the protocol and target path are returned directly, so sensitive data is read out.
When the backend receives the XML data, it first enables external entity resolution, and second, it does no filtering on the data passed in; together these lead to the problem.
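As an added example (not the lab's code), the following shows a typical vulnerable parser call of the kind described above, with entity substitution switched on, beside a hardened version that refuses documents carrying a DTD and never resolves entities. The function names and the two sample documents are assumptions constructed for the example.

```php
<?php
// Added example (not the lab's code). Parsing POSTed XML: vulnerable form
// first, hardened form second.

// Vulnerable: LIBXML_NOENT tells libxml to substitute entities, so an
// external entity declared with SYSTEM in the DTD is resolved and its
// content (for example a local file) ends up in the object echoed back.
function parse_xml_vulnerable(string $xml) {
    return simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NOENT);
}

// Hardened: reject any document that declares a DTD at all (entities can
// only be declared there), never enable entity substitution, and forbid
// network access during parsing. Returns null on rejection or parse error.
function parse_xml_safe(string $xml) {
    // First gate: untrusted input has no business declaring a DOCTYPE.
    if (preg_match('/<!DOCTYPE/i', $xml)) {
        return null;
    }
    // On PHP < 8.0 also switch off the external entity loader globally
    // (the function is deprecated from 8.0, where loading is off by default).
    if (PHP_VERSION_ID < 80000 && function_exists('libxml_disable_entity_loader')) {
        libxml_disable_entity_loader(true);
    }
    libxml_use_internal_errors(true);
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    libxml_clear_errors();
    return $doc === false ? null : $doc;
}

// Constructed input like the lab's "normal submission", without a DTD.
$normal = '<?xml version="1.0"?><name>hacker</name>';
$doc = parse_xml_safe($normal);
if ($doc !== null) {
    // The parsed text is still user input: escape before echoing it.
    echo htmlspecialchars((string)$doc, ENT_QUOTES, 'UTF-8');
}

// Constructed input that declares an (internal) entity: refused before parsing.
$withDtd = '<?xml version="1.0"?><!DOCTYPE x [ <!ENTITY e "x"> ]><name>&e;</name>';
if (parse_xml_safe($withDtd) !== null) {
    throw new RuntimeException('DTD-bearing document should have been rejected');
}
```

Rejecting the `<!DOCTYPE` declaration outright is the simplest rule to audit: if the application never needs entities, a document that declares any is already suspicious, and the parser flags then only have to be correct as a second layer.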
3. SSRF vulnerability: principle and demonstration (can be used to reach the internal network)
These common functions fetch resources from a remote server over a number of network protocols.
Scenario demo
You can see that it passes a URL to the backend.
Look at the backend code.
The backend takes the URL passed from the frontend as-is, initialises a request with curl_init(), sends it with curl_exec(), and returns the response data to the frontend.
Try passing another address.
Baidu is displayed directly.
The browser did not request Baidu itself; it passed this parameter to the backend, the backend server requested Baidu via curl_exec(), and Baidu's response was returned to the frontend.
This means that through SSRF we can probe other backend servers on the same network for vulnerabilities.
We used HTTP to probe port 22 on the machine 1.15; if the port is open, the relevant information is returned directly.
Through this vulnerability, the server 1.4 on the same network is scanned to discover more internal resources, which can then be attacked further.
Another example
The address is the target of an `<a>` tag.
Look at the backend code.
A different function is used here: file_get_contents(). This function can read local files and also remote files.
It also supports a number of network protocols.
Try the URL.
Likewise, the backend server requests Baidu's resources over HTTP and returns them to the frontend.
This can also reach the internal network, depending on which protocols the backend supports.
PHP's built-in wrappers also support this; they can be used to read the source code. (The backend is PHP.)
It reads the file at the specified target path and then base64-encodes it.
The base64-encoded file is returned directly to the frontend; decoding that base64 shows what source code the corresponding PHP file contains.
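The following is an added example, not the lab's code, that serves both SSRF cases above (the curl_exec() fetcher and the file_get_contents() fetcher): one URL gate that allows only plain web schemes to allowlisted hosts, refuses anything resolving to an internal address, and two fetchers that will not follow redirects or use other protocols. The allowlist contents, function names and the rejected sample URLs are assumptions constructed for the example.

```php
<?php
// Added example (not the lab's code). A URL gate shared by both fetchers the
// page shows, plus hardened versions of those fetchers.

// Only hosts the application is meant to reach. Constructed for the example.
const ALLOWED_HOSTS = ['www.example.com', 'cdn.example.com'];

// True if the IPv4 address is private, loopback, link-local or otherwise
// reserved, i.e. the internal network the page says SSRF can be used to probe.
function is_internal_ip(string $ip): bool {
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false;
}

// Returns the URL if it may be fetched, otherwise null.
function validate_outbound_url(string $url): ?string {
    $p = parse_url($url);
    if ($p === false || empty($p['host']) || empty($p['scheme'])) {
        return null;
    }
    // Only plain web schemes: no file://, php://, gopher://, dict:// and so on.
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        return null;
    }
    // Exact hostname allowlist; userinfo (user@host) and explicit ports are
    // refused so the request cannot be steered to another service.
    if (!in_array(strtolower($p['host']), ALLOWED_HOSTS, true)
        || isset($p['user']) || isset($p['pass']) || isset($p['port'])) {
        return null;
    }
    // Resolve and check every address, so an allowlisted name that points at
    // an internal address (misconfiguration, DNS rebinding) is still refused.
    // gethostbynamel() is IPv4 only; dns_get_record() would cover AAAA too.
    $ips = gethostbynamel($p['host']);
    if ($ips === false) {
        return null;
    }
    foreach ($ips as $ip) {
        if (is_internal_ip($ip)) {
            return null;
        }
    }
    return $url;
}

// curl variant: restrict protocols and do not follow redirects, so a redirect
// from an allowed host cannot send the request to an internal address.
function fetch_with_curl(string $url): ?string {
    $safe = validate_outbound_url($url);
    if ($safe === null) {
        return null;
    }
    $ch = curl_init($safe);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);
    curl_setopt($ch, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
    curl_setopt($ch, CURLOPT_TIMEOUT, 5);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body === false ? null : $body;
}

// file_get_contents variant: same gate (it would otherwise accept file://
// and php:// paths as well), plus a stream context that ignores redirects.
function fetch_with_fgc(string $url): ?string {
    $safe = validate_outbound_url($url);
    if ($safe === null) {
        return null;
    }
    $ctx = stream_context_create(['http' => ['follow_location' => 0, 'timeout' => 5]]);
    $body = @file_get_contents($safe, false, $ctx);
    return $body === false ? null : $body;
}

// Offline self-checks (no DNS or network needed): all of these must be refused.
$rejected = [
    'file:///tmp/example.txt',         // non-web scheme
    'http://127.0.0.1:22/',            // not allowlisted, explicit port
    'http://10.0.0.4/',                // not allowlisted
    'http://www.example.com:22/',      // allowlisted host but explicit port
    'http://user@www.example.com/',    // userinfo present
];
foreach ($rejected as $bad) {
    if (validate_outbound_url($bad) !== null) {
        throw new RuntimeException("should have rejected $bad");
    }
}
```

The gate is deliberately shared: the page shows that the fetching function changes between the two labs while the root cause (a user-supplied URL fetched by the server) does not, so the validation should sit in front of every fetcher rather than be tied to one of them.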