Using phar to achieve PHP deserialization command execution: vulnerability reproduction

Using phar to achieve PHP deserialization command execution (reproduced in a test environment)

Foreword

When deserialization vulnerabilities come up, the first thing that comes to mind is the unserialize() function. However, in his talk "It's a PHP unserialization vulnerability Jim, but not as we know it", security researcher Sam Thomas showed that the phar:// pseudo-protocol stores user-controllable meta-data in serialized form and deserializes it automatically, which extends the attack surface of PHP deserialization.

phar introduction

Put simply, phar is the PHP archive format. It can pack multiple files into a single file that PHP can access and execute without unpacking, and, like file:// and php://, it is also a stream wrapper.

A phar file consists of four parts:

stub: the file identifier, in the format xxx<?php xxx; __HALT_COMPILER();?>;

manifest: file attribute information such as compression settings; the meta-data is stored here in serialized form;

contents: the compressed file contents;

signature: the signature, at the end of the file.

There are two key points. First, the identifier: the stub must end with __HALT_COMPILER();?>, but there is no restriction on what comes before it, which means a phar can easily be disguised as an image or pdf file to bypass upload checks that only look at the file header. Second, deserialization: the meta-data is stored in the phar in serialized form, and when a file manipulation function parses a file through the phar:// pseudo-protocol, that meta-data is deserialized; there are many such file manipulation functions.

The above is taken from: Understanding PHP deserialization vulnerabilities through PHPGGC.

https://kylingit.com/blog/%E7%94%B1phpggc%E7%90%86%E8%A7%A3php%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E/

Reproduction process

Phar file generation

Following the file structure above, we build a phar file ourselves; PHP provides a built-in Phar class for this.

Fr_genkfp

Evil.class.php

You will get an error when running it directly.

The reason: phar.readonly must be set to Off in php.ini. (I wasted a lot of time on this: after changing the configuration file you must save it and then restart the server.)

After running it, vul.phar is generated; opened in a binary editor it looks as shown in the figure.

From the figure we can see that the meta-data is already present in the phar file in serialized form.

Explanation: in fact, the command to be executed is stored in serialized form inside the phar file.

Deserialization

Where there is serialization there is certainly a corresponding deserialization operation. A large part of PHP's file system functions parse phar://, and when they do, the meta-data is deserialized.
The test environment is as follows: test.php

Access test.php at http://127.0.0.1/test.php?url=phar://vul.phar and you get the result shown in the figure.

Execution succeeds.

Defense

  1. When the parameters of a file system function are user-controlled, filter those parameters strictly.
  2. Strictly check the content of uploaded files rather than only the file header.
  3. Where conditions permit, disable dangerous functions such as command execution in the system.
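As an added example (not code from the original post), the following PHP implements the first two defenses: it refuses any stream-wrapper scheme in the user-supplied path parameter that test.php passed straight to a file function, and it looks inside uploaded content for the __HALT_COMPILER(); stub terminator instead of trusting the file header. The function names, the uploads directory and the sample bytes are constructed for this illustration.

```php
<?php
// Added hardening example, not part of the original post. Function names,
// the uploads directory and the sample input are constructed for illustration.

// Defence 1: a user-supplied path must be a plain file name under an allow-listed
// directory. Any "scheme:" prefix (phar://, php://, ...) selects a stream wrapper
// and is refused outright, so phar meta-data is never parsed at all.
function resolveSafePath(string $baseDir, string $userPath): ?string
{
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $userPath) === 1) {
        return null;                       // stream wrapper detected
    }
    if (strpos($userPath, "\0") !== false) {
        return null;                       // null byte, never legitimate here
    }
    $base      = realpath($baseDir);
    $candidate = realpath($baseDir . DIRECTORY_SEPARATOR . $userPath);
    if ($base === false || $candidate === false) {
        return null;                       // directory or file does not exist
    }
    // The resolved path must stay inside $base (blocks ../ traversal).
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Defence 2: a phar only needs __HALT_COMPILER(); at the end of its stub, so a
// valid JPEG or PDF header proves nothing. Inspect the whole upload for the stub.
function looksLikePhar(string $bytes): bool
{
    return stripos($bytes, '__HALT_COMPILER') !== false;
}

// Constructed sample upload: JPEG magic bytes followed by a phar stub.
$fakeJpeg = "\xFF\xD8\xFF\xE0" . '<?php __HALT_COMPILER(); ?>';
if (looksLikePhar($fakeJpeg)) {
    echo "upload rejected: phar stub found\n";
}

// test.php fed ?url= directly into a file function; route it through the check.
$requested = $_GET['url'] ?? '';
$path = resolveSafePath(__DIR__ . '/uploads', $requested);
if ($path === null) {
    http_response_code(400);
    exit("invalid path\n");
}
echo file_get_contents($path);
```

With this check in place, ?url=phar://vul.phar is rejected with a 400 before any file function touches it.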

 


Origin www.cnblogs.com/zy-king-karl/p/11454609.html