PHP deserialization vulnerability reproducibility
Test code
We run the above code files to show which functions get called:
Our code creates no object, so the constructor __construct() is not called; __wakeup() and __destruct() are invoked nonetheless. If those functions contain dangerous code, what happens?
Usage scenarios
__wakeup() or __destruct()
As seen above, unserialize() leads directly to __wakeup() or __destruct() being called, with no intermediate step in between. So the ideal situation is that vulnerable or dangerous code sits in __wakeup() or __destruct(): when we control the serialized string, we can trigger it directly. Here is an experiment for the __wakeup() scenario.
The basic idea is to set up a matching local environment, obtain the serialized string with serialize(), and then send it in. When unserialize() is called, __wakeup() writes $test to shell.php; from the source we know the test property is assigned the value "<?php phpinfo();?>". To do this we write a PHP script:
Running it gives:
Looking at shell1.php:
The deserialization vulnerability is exploited successfully and the phpinfo() output is obtained.
In practice, the environment usually looks more like the following code, where we test the parameters we control:
We pass the parameter test=O:7:"bmjoker":1:{s:4:"test";s:18:"<?php phpinfo();?>";}
shell.php is written successfully as well:
The PHP deserialization vulnerability is exploited successfully.
Using other magic methods
But what if a magic method is not called directly by unserialize(), such as the __construct() mentioned earlier? Does it have no use at all? Definitely not. Much like ROP in PWN, when an object is deserialized, the __wakeup() it triggers may in turn call into other objects; by tracing these calls we can chain "gadgets" together to reach the vulnerable point.
Here we test this by passing a constructed serialized string: deserialization automatically calls __wakeup(), and inside it new joker() automatically calls the __construct() method of the joker object, which writes <?php phpinfo();?> to shell.php:
We pass the parameter test=O:7:"bmjoker":1:{s:4:"test";s:18:"<?php phpinfo();?>";}
And shell.php is written successfully:
Using ordinary member methods
The uses discussed so far all rely on magic methods being called "automatically". But when the vulnerable or dangerous code lives in an ordinary method of the class, we cannot rely on "automatic calling" to reach it. In that case we use the following approach: find methods with the same name, and chain the sensitive method and the classes together.
The intent: after new lmjoker creates a new object, __construct() is called, which creates a new bmjoker object. At the end __destruct() is called, which calls action(), so that bmjoker is output.
The exploitation process follows. Construct the serialized string:
which gives:
Passing the test parameter to 5.php, the exploit succeeds.
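As an added example (not code from the original post), here is a small Python parser for PHP's serialize() format that walks a submitted string and reports every class unserialize() would instantiate, so a request filter can reject object payloads such as the bmjoker string above, or a nested lmjoker -> bmjoker chain, before they ever reach unserialize(). All sample strings here are constructed; the parser covers the N/i/b/d/s/a/O tags and not object references or custom serializers.

```python
from typing import NamedTuple

class PhpObject(NamedTuple):            # a class that unserialize() would instantiate
    cls: str
    props: dict

def parse(data: str, pos: int = 0):
    """Parse one PHP serialize() value at pos -> (value, next_pos). Pass latin-1 text so len() == bytes."""
    tag = data[pos]
    if tag == "N":                                   # N;
        return None, pos + 2
    if tag in "ibd":                                 # i:1;  b:1;  d:1.5;
        end = data.index(";", pos)
        conv = {"i": int, "b": lambda s: s == "1", "d": float}[tag]
        return conv(data[pos + 2:end]), end + 1
    if tag == "s":                                   # s:4:"test";  length-prefixed, so ; and : inside are fine
        colon = data.index(":", pos + 2)
        length, start = int(data[pos + 2:colon]), colon + 2
        if data[start + length:start + length + 2] != '";':
            raise ValueError("declared string length does not match payload")
        return data[start:start + length], start + length + 2
    if tag in "aO":                                  # a:n:{..}  or  O:len:"Class":n:{..}
        colon = data.index(":", pos + 2)
        n, pos, name = int(data[pos + 2:colon]), colon + 1, ""
        if tag == "O":                               # pos sits on the opening quote of the class name
            name, pos = data[pos + 1:pos + 1 + n], pos + n + 3
            colon = data.index(":", pos)
            n, pos = int(data[pos:colon]), colon + 1
        pos += 1                                     # skip {
        items = {}
        for _ in range(n):                           # key, value, key, value, ...
            key, pos = parse(data, pos)
            items[key], pos = parse(data, pos)
        if data[pos] != "}":
            raise ValueError("unterminated container")
        return (PhpObject(name, items) if tag == "O" else items), pos + 1
    raise ValueError(f"unsupported type tag {tag!r} at offset {pos}")

def _classes_in(v) -> list[str]:
    """Class names in a parsed value, outermost first; nesting is how lmjoker -> bmjoker chains are built."""
    if isinstance(v, PhpObject):
        return [v.cls] + _classes_in(v.props)
    if isinstance(v, dict):
        return [c for child in v.values() for c in _classes_in(child)]
    return []

def object_classes(data: str) -> list[str]:
    """Every class unserialize() would instantiate for data; an empty list means no object payload."""
    value, end = parse(data)
    if end != len(data):
        raise ValueError("trailing data after serialized value")
    return _classes_in(value)
```

On the PHP side the equivalent control is unserialize($data, ['allowed_classes' => false]) (PHP 7 and later), which turns every O: entry into __PHP_Incomplete_Class so no magic method of an application class runs.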