Backdoors
Backdoor composed of php.ini
Uses the auto_prepend_file and include_path directives.
PHP backdoor composed of .user.ini files
.user.ini takes effect on every server that runs PHP under FastCGI. It is used in the same way as php.ini.
Deserialization
PHP serialization implementation
Common handlers
PHP has several session serialization handlers: php, php_serialize, php_binary and WDDX (WDDX support must be enabled at compile time). The default is php, and it can be changed through session.serialize_handler.
WDDX can only be used if PHP was compiled with WDDX support, and it has been deprecated since PHP 7.4. php_serialize is available since PHP 5.5.4; it simply calls serialize/unserialize internally and does not have the limitations of php and php_binary.
The format of the php handler is: key name + vertical bar + the value serialized by serialize().
The format of the php_binary handler is: the ASCII character whose code is the length of the key name + the key name + the value serialized by serialize().
The format of the php_serialize handler is: an array serialized by serialize().
Serialization format
php_serialize is implemented in php-src/ext/standard/var.c; the main function is php_var_serialize_intern. The serialized format is as follows:
boolean: b:<value>;
b:1; // true
b:0; // false
integer: i:<value>;
double: d:<value>;
NULL: N;
string: s:<length>:"<value>";
s:1:"s";
array: a:<length>:{<key><value>...}
a:1:{s:4:"key1";s:6:"value1";} // array("key1" => "value1");
object: O:<class_name_length>:"<class_name>":<number_of_properties>:{<properties>}
reference (pointer type): R:<index>;
O:1:"A":2:{s:1:"a";i:1;s:1:"b";R:2;} // $a = new A(); $a->a = 1; $a->b = &$a->a;
private and protected
Unlike protected and public properties, a private property cannot be written into the serialized string with its bare name. A private property can only be accessed inside the class that defines it and is not inherited; in the serialized string its name is prefixed with the class name wrapped in null bytes, %00className%00, to mark it as private.
A protected property can be accessed in both the parent class and child classes; its name is prefixed with %00*%00 to mark it as protected.
PHP deserialization vulnerability
__wakeup
When deserializing, PHP calls magic methods such as __wakeup (and __sleep on the serialize side), which can lead to problems such as code execution. Even if no such method exists, the object's destructor is still called when the object is destroyed, which can also lead to code execution.
Two other methods, __toString and __call, may also be usable.
Of these, __wakeup is triggered on deserialization, __destruct is triggered when the object is garbage-collected, __toString is triggered when the object is echoed, and __call is triggered when an undefined method is called on the object.
A simple demo is provided below.
<?php
class Demo
{
    public $data;
    public function __construct($data)
    {
        $this->data = $data;
        echo "construct<br />";
    }
    public function __wakeup()   // called by unserialize()
    {
        echo "wake up<br />";
    }
    public function __destruct() // called when the object is freed
    {
        echo "Data's value is $this->data. <br />";
        echo "destruct<br />";
    }
}
var_dump(serialize(new Demo("raw value")));
output
construct
Data's value is raw value.
destruct
string(44) "O:4:"Demo":1:{s:4:"data";s:9:"raw value";}"
After modifying the serialized string, execute
unserialize('O:4:"Demo":1:{s:4:"data";s:15:"malicious value";}');
output
wake up
Data's value is malicious value.
destruct
Here you can see that the value has been modified.
The above is a simple application of unserialize(). It is not hard to see that if __wakeup() or __destruct() performs sensitive operations, such as reading and writing files or operating on a database, those file or database operations can be driven through these methods.
So, can adding a check in __wakeup() prevent this vulnerability? Add one line of code to __wakeup():
public function __wakeup()
{
    // reset the property if the serialized string was tampered with
    if($this->data != 'raw value') $this->data = 'raw value';
    echo "wake up<br />";
}
But in fact it can still be bypassed. PHP 5 before 5.6.25 and PHP 7 before 7.0.10 have a __wakeup bypass: when the number of properties declared in the serialized object is not equal to the actual number present, __wakeup is skipped, so the following payload is used
unserialize('O:4:"Demo":2:{s:4:"data";s:15:"malicious value";}'); // declares 2 properties, supplies 1
output
Data's value is malicious value.
destruct
Here __wakeup is bypassed and the value is still modified.
Exploitable points
SoapClient native class
PHP's SoapClient class builds SOAP packets. In non-WSDL mode, when an instance of SoapClient is deserialized, it sends a SOAP request to the URL given as the constructor's second parameter. This behaviour can be used for SSRF.
ZipArchive
If the flags parameter of the native ZipArchive::open() is set to ZipArchive::OVERWRITE, the specified file is deleted (the archive is recreated from scratch). Under certain conditions this can be used to delete files.
Session
PHP sessions are stored as files by default, named sess_<sessionid>. When the session content is controllable to some degree, deserialization can be triggered through the session.
Related CVEs
CVE-2016-7124
In PHP before 5.6.25 and 7.x before 7.0.10, when the declared number of properties of an object is greater than the actual number present, __wakeup() is not executed.
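As an added example (not code from the page or from PHP's own source), the following Python parser reads the serialize() format described in the serialization-format section above, decodes the %00 private/protected name markers, and reports the declared-versus-actual property count mismatch that CVE-2016-7124 abuses, which is useful when scanning cookies or logs without running PHP. The names prop_name, Parser and php_unserialize are the example's own; the inputs in its test are constructed.

```python
# Added example: parser for PHP's serialize() format that decodes %00 visibility markers and
# flags objects whose declared property count does not match the entries present (CVE-2016-7124).

def prop_name(raw):  # private keys look like \0Class\0name, protected \0*\0name, public bare
    scope, _, name = raw[1:].partition('\0') if raw.startswith('\0') else ('', '', raw)
    return ('public' if not scope else 'protected' if scope == '*' else 'private', name)

class Parser:
    def __init__(self, data):
        self.d, self.i, self.warnings = data, 0, []
    def _until(self, ch):  # consume through ch, return the text before it
        j = self.d.index(ch, self.i)  # ValueError if ch is missing
        tok, self.i = self.d[self.i:j], j + 1
        return tok
    def _expect(self, s):  # consume the literal s or fail
        if not self.d.startswith(s, self.i): raise ValueError(f"expected {s!r} at {self.i}")
        self.i += len(s)
    def _string(self, term):  # <length>:"<bytes>"<term>; the length counts bytes
        n = int(self._until(':'))
        s = self.d[self.i + 1:self.i + 1 + n]
        self._expect('"' + s + '"' + term)
        return s
    def _pairs(self, declared, what):  # {key;value;key;value;...}
        self._expect('{')
        items = []
        while not self.d.startswith('}', self.i):
            items.append((self.value(), self.value()))
        self.i += 1
        if len(items) != declared:  # PHP < 5.6.25 / < 7.0.10 skips __wakeup on this mismatch
            self.warnings.append(f"{what}: declared {declared}, found {len(items)}")
        return items
    def value(self):
        tag, self.i = self.d[self.i:self.i + 1], self.i + 2  # tag plus ':' (';' for N)
        if tag == 'N': return None
        if tag == 'b': return self._until(';') == '1'
        if tag in ('i', 'd'): return (int if tag == 'i' else float)(self._until(';'))
        if tag == 'R': return {'ref': int(self._until(';'))}  # back-reference by slot index
        if tag == 's': return self._string(';')
        if tag == 'a': return dict(self._pairs(int(self._until(':')), 'array'))
        if tag == 'O':
            cls = self._string(':')
            props = self._pairs(int(self._until(':')), f'object {cls}')
            return {'class': cls, 'props': {prop_name(k): v for k, v in props}}
        raise ValueError(f"unknown tag {tag!r} at offset {self.i - 2}")

def php_unserialize(data):  # returns (value, warnings); bytes decoded as latin-1 to keep byte lengths
    p = Parser(data.decode('latin-1') if isinstance(data, bytes) else data)
    v = p.value()
    if p.i != len(p.d): raise ValueError(f"trailing data at offset {p.i}")
    return v, p.warnings
```

Any non-empty warnings list is the signal to reject the input before it ever reaches unserialize(); the parser itself never instantiates classes.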