PHP deserialization vulnerability summary

With the "Golden March, Silver April" job-hunting season approaching, many of you are preparing for interviews, so today we share a common security interview question: the PHP deserialization vulnerability.

Although the conditions for exploiting PHP deserialization are demanding, a successful exploit has very serious consequences, so many companies pay close attention to this skill. Make sure you master it.

PHP serialization and deserialization: an introduction

What are serialization and deserialization?

Wikipedia defines it as follows: in computer science, serialization is the process of converting a data structure or object state into a format that can be stored (for example in a file or a memory buffer) or transmitted (for example over a network) and reconstructed later, in the same or another computer environment, back into its original state.

The concept is easy to grasp: serialization turns data into a reversible representation, and the reverse process is called deserialization.

So what are serialization and deserialization good for?

For example: suppose you buy a table on Taobao. A table is an awkwardly shaped object, so to ship it from one city to another it is usually taken apart into boards, packed into a box and sent by courier. That is similar to serialization (turning data into a form that can be stored or transmitted). When the buyer receives the package, they reassemble the boards into a table, which is similar to deserialization (turning the data back into the original object).

In other words, serialization exists to make data easier to transmit and store.

In PHP applications, serialization and deserialization are typically used for caching, for example session caches and cookies.

Common serialization formats:

  • Binary format
  • Byte array
  • JSON string
  • XML string

Serialization and deserialization in PHP

PHP implements serialization and deserialization with two functions: string serialize(mixed $value) and mixed unserialize(string $str).

The following magic methods are the ones typically involved in PHP deserialization vulnerabilities:

void __wakeup ( void )

unserialize() checks whether the class defines a __wakeup() method. If it does, that method is called first, so the object can re-establish any resources it needs.

void __construct ([ mixed $args [, $... ]])

If a class defines a constructor, it is called every time a new object is created.

void __destruct ( void )

The destructor is called when all references to an object are removed, or when the object is explicitly destroyed.

public string __toString ( void )

__toString() lets a class decide how it should respond when it is used as a string, for example what echo $obj; should display.

This method must return a string; otherwise a fatal error of level E_RECOVERABLE_ERROR is raised.

PHP deserialization vulnerability

Causes of the vulnerability

The PHP deserialization vulnerability, also known as PHP object injection, arises when a program handles input data improperly.

Consider the example from the original post (shown there as a screenshot, which is not reproduced here): a class whose destructor echoes $test. By constructing a serialized object we control the value of $test and therefore the data flow, which is how the deserialization vulnerability is exploited.

The payload construction process is shown in the original post as two screenshots, which are not reproduced here.

Exploitation

1. Bypassing __wakeup() (CVE-2016-7124)

During deserialization, if the number of properties declared in the serialized object is larger than the number of properties the class really has, __wakeup() is skipped.

Affected versions:

  • PHP before 5.6.25
  • PHP 7.x before 7.0.10

The original post demonstrates this with screenshots, which are not reproduced here.
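The vulnerable class from the causes section and the __wakeup() discussion above, as an added example (not the original post's screenshots): the class name Demo and its $test property mirror the post's demo, everything else is assumed. It shows the vulnerable call beside the hardened one.

```php
<?php
// Added example (not the post's screenshots). Demo and its $test property mirror
// the post's vulnerable class; everything else is assumed.
class Demo
{
    public $test = 'default';

    public function __wakeup()
    {
        // Sanitising $test here is not a reliable defence: on the affected versions
        // (CVE-2016-7124) a payload declaring more properties than the class has
        // caused __wakeup() to be skipped entirely.
        echo "wakeup called\n";
    }

    public function __destruct()
    {
        // Whatever the serialized data put in $test is emitted here.
        echo "destruct: {$this->test}\n";
    }
}

// What serialize() yields for a Demo whose test is "hello" (constructed sample).
$data = 'O:4:"Demo":1:{s:4:"test";s:5:"hello";}';

// Vulnerable: any loadable class may be instantiated, so its magic methods run.
$obj = unserialize($data);   // prints "wakeup called"
unset($obj);                 // prints "destruct: hello"

// Hardened (PHP 7.0+): forbid object instantiation. The data arrives as a
// __PHP_Incomplete_Class, so neither __wakeup() nor __destruct() of Demo runs.
$safe = unserialize($data, ['allowed_classes' => false]);
var_dump($safe instanceof __PHP_Incomplete_Class);   // bool(true)

// When some classes are genuinely needed, allow only those by name; Demo is not
// on this list, so it is not instantiated either.
$limited = unserialize($data, ['allowed_classes' => ['SafeDto']]);

// Best: exchange plain data as JSON, which cannot carry PHP objects at all.
$plain = json_decode('{"test":"hello"}', true);
```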

2. Object constructor injection

This applies when the target class's constructor is declared private or protected: unserialize() never calls the constructor, so the object can still be created through deserialization.

The original post gives sample code as screenshots, which are not reproduced here.

Exploiting a method with the same name

In the post's example (a screenshot, not reproduced here), classes B and C both define a method named action. By constructing the target object so that the destructor calls class C's action method instead of class B's, we obtain arbitrary code execution.

The payload construction is shown in the original post as screenshots, which are not reproduced here.
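The two points above (a private constructor is no obstacle to unserialize(), and a method name shared by two classes lets the destructor be steered to the wrong class), as an added example rather than the post's screenshots. The names A, B and C follow the post; C::action() is a harmless stand-in for the dangerous sink, and SafeA and the payload string are assumed.

```php
<?php
// Added example (not the post's screenshots). A, B and C follow the post: B::action()
// is the intended callee and C::action() stands in for the dangerous sink; SafeA and
// the payload string are assumed.
class B { public function action($m) { return "B logged: $m"; } }
class C { public function action($m) { return "C executed: $m"; } }   // stand-in sink

class A
{
    public $handler;
    public $msg = '';

    private function __construct() {}   // unserialize() never invokes a constructor

    public function __destruct()
    {
        // Gadget: calls action() on whatever object the serialized data placed here.
        echo $this->handler->action($this->msg) . "\n";
    }
}

// A serialized A whose handler is a C instead of the expected B (constructed sample).
$payload = 'O:1:"A":2:{s:7:"handler";O:1:"C":0:{}s:3:"msg";s:4:"test";}';

$a = unserialize($payload);
unset($a);   // prints "C executed: test" although A's constructor is private

// Hardened variant: the destructor verifies its collaborator's type, and the
// caller restricts which classes unserialize() may instantiate at all.
class SafeA
{
    public $handler;
    public $msg = '';

    public function __destruct()
    {
        if (!$this->handler instanceof B) {
            error_log('SafeA: rejected handler of type ' . get_class($this->handler));
            return;
        }
        echo $this->handler->action($this->msg) . "\n";
    }
}

$p2 = str_replace('O:1:"A"', 'O:5:"SafeA"', $payload);
$s = unserialize($p2, ['allowed_classes' => ['SafeA', 'B']]);   // C -> __PHP_Incomplete_Class
unset($s);   // logs the rejection; C::action() is never reached
```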

3. Session deserialization vulnerability

PHP sessions are serialized before they are stored and deserialized when they are read back.

Related configuration options:

session.save_path = "" // sets the session storage path

session.save_handler = "" // sets a user-defined storage handler; use this when you want something other than PHP's built-in session storage (a database, for example)

session.auto_start boolean // whether the session module starts a session at the beginning of the request; the default is 0 (do not start)

session.serialize_handler string // the name of the handler used to serialize/deserialize session data; the default is php

PHP has three serialization handlers (the original post lists them in a table that is not reproduced here): php, the default, which stores each entry as key|serialized-value; php_binary, which prefixes each key with a single byte holding its length instead of using the | separator; and php_serialize (PHP 5.5.4 and later), which passes the whole $_SESSION array through serialize().

Sample code (a screenshot in the original post, not reproduced here): the session file is named sess_Session_id (the prefix sess_ followed by the session id), and its content is the serialized session, for example test|s:4:"test";

Different handlers use different formats. When different pages use different handlers, the session is written in one serialization format and read with another, and that mismatch can produce a deserialization vulnerability.

The exploitation is demonstrated below (the original post's screenshots are not reproduced here).

The demo page demo3.php defines a class demo3, starts the session and handles it with the php handler.

session.php sets the session value, and generate.php constructs the serialized instance.

Because session.php and demo3.php use different serialization handlers, we can construct input that "misleads" the handler and achieves exploitation.

After constructing the instance and visiting demo3.php, an instance of class demo3 is successfully created.
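The handler mismatch just described, as an added example rather than the post's screenshots. The class demo3 and the "test" key follow the post; the writer and reader functions are simplified stand-ins for PHP's internal session code (assumed names), enough to show why a record written by php_serialize is misread by the php handler and what the fix is.

```php
<?php
// Added example (not the post's screenshots). It re-creates both record formats
// and shows how a record written by the php_serialize handler is misread by the
// php handler. The class demo3 and the "test" key follow the post; the writer and
// reader functions are simplified stand-ins for PHP's internal session code.
class demo3
{
    public $hello = '';
    public function __destruct() { echo "demo3 instance destroyed\n"; }
}

// php handler: each entry is  key|serialized-value  and "|" is never escaped.
function writePhp(array $session): string
{
    $out = '';
    foreach ($session as $k => $v) { $out .= $k . '|' . serialize($v); }
    return $out;
}

// php_serialize handler: the whole $_SESSION array goes through serialize().
function writePhpSerialize(array $session): string
{
    return serialize($session);
}

// Simplified php-handler reader: key up to the first "|", one unserialize() after it.
// Trailing bytes are ignored (PHP 8.3+ warns about them but still returns the value).
function readPhp(string $record): array
{
    $bar = strpos($record, '|');
    if ($bar === false) { return []; }
    return [substr($record, 0, $bar) => unserialize(substr($record, $bar + 1))];
}

// The same session written by each handler (constructed sample):
echo writePhp(['test' => 'test']), "\n";           // test|s:4:"test";
echo writePhpSerialize(['test' => 'test']), "\n";  // a:1:{s:4:"test";s:4:"test";}

// A user-controlled value containing "|" followed by a serialized harmless object,
// stored by a script using php_serialize (the value sits inside a length-prefixed
// string, so that handler itself is not confused).
$record = writePhpSerialize(['test' => '|O:5:"demo3":1:{s:5:"hello";s:5:"world";}']);

// Read by a script using the php handler: everything before the first "|" becomes
// the key and the user's text after it is deserialized, creating a demo3 object.
$session = readPhp($record);
var_dump(array_keys($session), current($session) instanceof demo3);   // ..., bool(true)

// Fix: one handler for every script, e.g. ini_set('session.serialize_handler',
// 'php_serialize') before session_start(), or the same value in php.ini.
```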

4. PHAR exploitation

1. Introduction to PHAR

PHAR ("PHP Archive") is a packaging format in PHP comparable to JAR in Java. It is enabled by default in PHP 5.3 and later, and it lets PHP package and componentize applications as conveniently as Java does: an application can be built into a single Phar package and run directly under PHP-FPM.

2. PHAR file structure

A PHAR file consists of three or four parts:

(1) stub // the PHAR file header

The stub is simply a PHP file; the minimal header is:

<?php __HALT_COMPILER();?>

The closing ?> is optional; if it is used, at most one space may appear between the ; and the ?>.

The header must contain __HALT_COMPILER(); apart from that there are no restrictions. (PHP recognises a file as a PHAR by its stub, which can be used to bypass file upload checks.)

(2) manifest describing the contents // the PHAR manifest, which stores the file names, sizes and other information, as shown in the figure in the original post (not reproduced here).

The place marked in that figure stores the serialize()d meta-data. Wherever there is serialization there must be deserialization, and that is our injection point.

(3) the file contents // the PHAR file contents

(4) [optional] a signature for verifying Phar integrity (phar file format only) // the optional signature section; MD5 and SHA1 are supported

3. Attack method

At Black Hat 2018, researcher Sam Thomas's talk "It's a PHP unserialization vulnerability Jim, but not as we know it" presented a new PHP deserialization attack technique. The meta-data of a PHAR file can be any serializable PHP object, and when the PHAR file is first parsed through the phar:// protocol by any filesystem function, the meta-data section is deserialized. That deserialization is our attack point: the payload goes into the meta-data section.

Exploitation conditions: place a PHAR file loaded with the payload somewhere reachable on the target system, then have a filesystem function parse that PHAR file through the phar:// pseudo-protocol.

The exploitation process is demonstrated below (the original post's screenshots are not reproduced here).

First create a PHAR file.

Note: set the phar.readonly option in php.ini to Off, otherwise the phar file cannot be generated.

Visiting phar.php generates phar.phar in the same directory. In the post's view of the file, the arrow marks the meta-data section, which holds the serialized result.

Reading the archive through phar:// outputs the content of test.txt that was packaged earlier, instantiates a TestObject and calls its destructor.

Because PHP decides whether a file is a PHAR only from the stub portion, we can add the stub header and change the file extension to bypass upload checks.

The sample code for this is also a screenshot in the original post and is not reproduced here.
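The phar.php build step and the phar:// read from the demonstration above, as an added example (not the post's screenshots), together with the defensive check a practitioner wants. TestObject and test.txt follow the post; the script and file names and readLocalFile() are assumed, and the build step needs phar.readonly = Off as the post notes.

```php
<?php
// Added example (not the original post's screenshots). Run "php phardemo.php build"
// once with phar.readonly = Off, as the post notes, then "php phardemo.php" to read.
// TestObject and test.txt follow the post; file names and readLocalFile() are assumed.
class TestObject
{
    public $data = '';
    public function __destruct() { echo "TestObject destroyed: {$this->data}\n"; }
}

$file = __DIR__ . '/phar.phar';

if (($argv[1] ?? '') === 'build') {
    // 1. Build phar.phar with an object in its meta-data; serialize() runs here.
    @unlink($file);
    $phar = new Phar($file);
    $phar->startBuffering();
    $phar->setStub('<?php __HALT_COMPILER(); ?>');
    $phar->addFromString('test.txt', 'hello from test.txt');
    $meta = new TestObject();
    $meta->data = 'from meta-data';
    $phar->setMetadata($meta);
    $phar->stopBuffering();
    exit("built $file\n");
}

// 2. Before PHP 8.0, the first access through phar:// by any filesystem function
//    unserialized the meta-data: a TestObject appears and its destructor fires by
//    script shutdown. Since PHP 8.0 that only happens via Phar::getMetadata().
echo file_get_contents('phar://' . $file . '/test.txt'), "\n";

// 3. Defence: a user-supplied name must never select a stream wrapper. Check the
//    scheme, not the extension (the post's rename to .jpg leaves phar:// working);
//    stream_wrapper_unregister('phar') is the blunt option if the wrapper is unused.
function readLocalFile(string $name, string $baseDir): string
{
    if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $name)) {
        throw new InvalidArgumentException('stream wrappers are not allowed');
    }
    $base = realpath($baseDir);
    $real = realpath($baseDir . '/' . $name);
    if ($base === false || $real === false || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new InvalidArgumentException('path escapes the base directory');
    }
    return file_get_contents($real);   // plain read: bytes only, nothing is unserialized
}

echo strlen(readLocalFile('phar.phar', __DIR__)), " bytes read safely\n";
```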

That's all for today. We hope it helps everyone learn. If you want to read about other skills or tools, leave us a message and we will try to meet everyone's requests. May all of you go further on the road of network security!


Origin www.cnblogs.com/FSHOU/p/12387794.html