[Penetration Testing Practice] What backdoors does the PHP language have? and how to use

Internet 2022-03-27 15:25:11 views: null

content

 back door

 Backdoor composed of php.ini

 PHP backdoor composed of .user.ini files

 deserialize

 PHP serialization implementation

 common processors

 serialization format

 private与protect

 PHP deserialization vulnerability

 point of use

 SoapClient native use

 ZipArchive

 Session

 Related CVEs

 CVE-2016-7124

All right. class, class

back door

 Backdoor composed of php.ini

利用 auto_prepend_file 和 include_path

 PHP backdoor composed of .user.ini files

.user.ini runs on all servers running fastcgi.

The use method is the same as php.ini

 deserialize

 PHP serialization implementation

 common processors

There are several types of serialization processing in PHP, namely php, php_serialize, php_binary and WDDX (support needs to be enabled at compile time). The default is php, which can be session.serialize_handlermodified .

If PHP is compiled with WDDX support, only WDDX can be used. WDDX has been deprecated since PHP 7.4. php_serialize is available since PHP 5.5.4. php_serialize simply uses the serialize/unserialize functions directly internally and does not have the limitations that php and php_binary have.

The format of the PHP processor is: key name + vertical bar + value serialized by the serialize() function.

The format of the php_binary processor is: the ASCII character corresponding to the length of the key name + the key name + the value serialized by the serialize() function.

The format of the php_serialize processor is: an array serialized by the serialize() function.

 serialization format

The implementation of php_serialize is php-src/ext/standard/var.cin , the main function is php_var_serialize_intern, the serialized format is as follows:

boolean

    b:<value>;
    b:1; // true
    b:0; // false

integer

    i:<value>;

double

    d:<value>;

NULL

    N;

string

    s:<length>:"<value>";
    s:1:"s";

array

    a:<length>:{key, value};
    a:1:{s:4:"key1";s:6:"value1";} // array("key1" => "value1");

object

    O:<class_name_length>:"<class_name>":<number_of_properties>:{<properties>};

reference

    指针类型
    R:reference;
    O:1:"A":2:{s:1:"a";i:1;s:1:"b";R:2;}
    $a = new A();$a->a=1;$a->b=&$a->a;

 private与protect

Unlike protect variables and public variables, private cannot be set directly.

The private property can only be accessed within the class in which it is defined, and will not be inherited. Adding the class name before the property is %00className%00used to denote that it is private.

The protected attribute can be accessed in the parent class and the child class, and the variable is added %00*%00to mark it as protected.

 PHP deserialization vulnerability

__wakeupPHP will call the / etc function when deserializing __sleep, which may cause problems such as code execution. If there is no related function, the related destructor will also be called when destructing, which will also cause code execution.

Another __toString/ __calltwo functions may also be used.

Among __wakeupthem , it is triggered when deserializing, it is triggered __destructwhen GC is triggered, it is triggered __toStringwhen echo is triggered, and it is triggered __callwhen an undefined function is called.

A simple demo is provided below.

class Demo
{

    public $data;

    public function __construct($data)
    {
        $this->data = $data;
        echo "construct<br />";
    }

    public function __wakeup()
    {
        echo "wake up<br />";
    }

    public function __destruct()
    {
        echo "Data's value is $this->data. <br />";
        echo "destruct<br />";
    }
}

var_dump(serialize(new Demo("raw value")));

output

construct
Data's value is raw value.
destruct
string(44) "O:4:"Demo":1:{s:4:"data";s:9:"raw value";}"

After modifying the serialized string, execute

unserialize('O:4:"Demo":1:{s:4:"data";s:15:"malicious value";}');

output

wake up
Data's value is malicious value.
destruct

Here you can see that the value has been modified.

The above is unserialize()a simple application of . It is not difficult to see that if __wakeup()or __desturct()has sensitive operations, such as reading and writing files and operating databases, the behavior of file reading and writing or data reading can be realized through functions.

So, __wakeup()does adding a judgment in can prevent this vulnerability? In __wakeup()the we add a line of code

public function __wakeup()
{
    if($this->data != 'raw value') $this->data = 'raw value';
    echo "wake up<br />";
}

But in fact, it can still be bypassed. There are wakeup vulnerabilities in PHP5 < 5.6.25 and PHP7 < 7.0.10 versions. When the number of objects in deserialization is not equal to the previous number, wakeup will be bypassed, so the following payload is used

unserialize('O:7:"HITCON":1:{s:4:"data";s:15:"malicious value";}');

output

Data's value is malicious value.
destruct

Here wakeup is bypassed and the value is still modified.

 point of use

 SoapClient native use

The SoapClient class in php can create soap data packets. In non-wsdl mode, when the instance of SoapClient is deserialized, it will make a soap request to the url specified by the second parameter. This feature can be used for SSRF.

 ZipArchive

ZipArchive::open()If the flag parameter in the php native class is set to ZipArchive::OVERWRITE, the specified file will be deleted. This feature can be used to delete files under certain conditions.

 Session

Sessions in PHP are stored as files by default. The files are named with sess_sessionid. When the session is controllable to a certain extent, deserialization can be triggered through the session.

 Related CVEs

 CVE-2016-7124

Before PHP 5.6.25 and before 7.0.10, when the number of properties (variables) of an object is greater than the actual number, it __wakeup()will not be executed.

 【Resource recommendation】

python combat

[Complete source code of 30 cases of actual development of pygame development]

[pygame game development column, get complete source code + tutorial]

CSDN official study recommendation ↓ ↓ ↓

  • The Python full-stack knowledge map from CSDN is too strong, I recommend it to everyone!

 

Guess you like

Origin blog.csdn.net/weixin_42350212/article/details/123191022
Recommended
Ranking
Linux关机和重启详解(shutdown、halt、poweroff、reboot、init)
Netty work notes 0007---NIO's three core component relationships
Knife4j tutorial
2021.10.29,内容:什么时候用接口和抽象类
How to solve the problem that changing the memory frequency causes the computer to become unusable?
SpringMVC Tutorial - Controller
linux learning skills -Linux 25 transport Vega paid special privileges and facl extension
Financial quarterly report evaluation report data automatic generation 1.0
Agile Development Series - The Values of Agile Development
scrapy achieve browsercookie Middleware
Daily
More
2024-05-19(0)
2024-05-18(31)
2024-05-17(6)
2024-05-16(23)
2024-05-15(5)
2024-05-14(9)
2024-05-13(8)
2024-05-12(28)
2024-05-11(32)
2024-05-10(34)

Code World

© 2018 codetd.com