Thoughts on the security of a PHP file name regular verification
2022-06-30 14:18:00 【Artorias Li】
Thoughts on a PHP security issue
Background
Last weekend a friend who works in security sent me a message asking me to look at a PHP source file for vulnerabilities. At first I thought he was just bored and trying to attack someone, so I only glanced at it and told him offhand: "The code isn't written to standard, but there don't seem to be any big holes." Later he told me it was a CTF problem (a network security competition), and only then did I realize I had been a little careless: this must touch a blind spot in my knowledge, or something I took for granted. The problem deserved a proper look.
Problem
Problem description
In short, we have a PHP source file that is deployed on a server and reachable over the web, and we need to find a way to attack it so that it reads other files on the target machine.
PHP source code
<?php
if(!isset($_GET['file'])) {
    header('Location: /?file=log.txt');
    die();
}
$file = $_GET['file'];
$re = '/^\w*\.\w*$/m';
preg_match_all($re, $file, $matches, PREG_SET_ORDER, 0);
if(count($matches) != 1) {
    die('illegal operation!');
}
echo file_get_contents($file);
?>
Thought analysis
- From the source code, if you want to read other files on the target, file_get_contents looks much more like our goal than preg_match_all, and the variable it accepts is $_GET['file'], which we control. $_GET['file'] only goes through a simple regular-expression check, so clearly the solution is to construct a payload that attacks the code.
- From the above, the key to the problem is the regular expression /^\w*\.\w*$/m: can we construct a path to a file in another directory that still conforms to this rule?
- First, \w matches only letters, digits and _, and ^ and $ constrain the beginning and end of the string, so the author of the source file evidently wanted to restrict reading to files in the current directory with a *.* name.
- But there is a big flaw in this rule: the trailing m. The m flag means multi-line mode, in which ^ and $ also match at the start and end of each line; in other words, by inserting newline characters you can control how many matches a string produces and what they contain. For example, without the m flag (regular expression /^\w*\.\w*$/) only a string like log.log can match, but with the m flag a string such as /www/\nlog.log also produces a match. (Example below.)
<?php
$name_1 = "log.log";
$name_2 = "/www/\nlog.log";

// Without the m flag, ^ and $ anchor to the whole string.
$re = '/^\w*\.\w*$/';
preg_match_all($re, $name_1, $matches, PREG_SET_ORDER, 0);
var_dump($matches);
/* array(1) { [0]=> array(1) { [0]=> string(7) "log.log" } } */
preg_match_all($re, $name_2, $matches, PREG_SET_ORDER, 0);
var_dump($matches);
/* array(0) {} */

// With the m flag, ^ and $ also match at each line boundary.
$re = '/^\w*\.\w*$/m';
preg_match_all($re, $name_1, $matches, PREG_SET_ORDER, 0);
var_dump($matches);
/* array(1) { [0]=> array(1) { [0]=> string(7) "log.log" } } */
preg_match_all($re, $name_2, $matches, PREG_SET_ORDER, 0);
var_dump($matches);
/* array(1) { [0]=> array(1) { [0]=> string(7) "log.log" } } */
- Of course, the vulnerability does not end there. The source code also requires the number of matches to be exactly 1, and putting the two together felt like a sudden enlightenment: this must be the loophole. We just need to construct a file path that contains a correctly formed file name.
- Having come this far, we did not delay and immediately began constructing such file paths (for example /www/%0a.env) for the request. However, we had both overlooked one problem: once %0a (the URL-encoded newline) is passed in as part of the path, file_get_contents does not ignore the line break, so, sure enough, we got a warning that no such file was found.
Trouble
At this point the two of us actually started making all sorts of wild guesses:
- "Since the path cannot be found, I'll set up my own server and have it read my file remotely; that's a vulnerability too."
- "……What they want read is on the target machine."
- “……”
You see, the road of constructing a unique path and using file_get_contents to fetch the file was getting narrower and narrower.
- "Speaking of reading remote files, PHP actually has php://input as a way to read POST input, and a similar series of php protocols might meet the requirement in terms of path format."
- "I think we should be very close."
Starting from this angle, we found the PHP pseudo-protocols, the input/output streams, among which php://filter has a function very close to what we need:
php://filter is a kind of meta-wrapper designed to permit the application of filters to a stream at the time of opening. This is useful with all-in-one file functions such as readfile(), file() and file_get_contents(), where there is otherwise no opportunity to apply a filter to the stream before its contents are read.
Unfortunately we had got ourselves stuck in the dead end of "a newline cannot be added to the file path", and right up to the end we still could not come up with a solution.
Answer
The answer to the question is : php://filter/read=%0aconvert.base64%0a-encode/resource=xxxx
We found the answer afterwards; seeing it, we suddenly understood and realized that our thinking had actually been very close, but in the end we had fallen into a misconception: we firmly believed that what we constructed had to be one and only one complete path, whether a file path or a protocol path.
But you should have noticed that the answer specifies a convert.base64-encode filter before resource, and the filter name can satisfy the regular expression once a newline is inserted into it, so the target file path after resource needs no processing at all; only the filter name does.
Reflection
Is this the end of the problem ?
A careful friend will want to ask another question: can convert.base64-encode still be used once a newline has been inserted into it? The answer is that the filter reports a warning because it cannot be found, but the resource is still read and returned, just without being processed. So the answer here can in fact be
php://filter/read=%0anystring.anystring%0a/resource=xxxx
as long as the line breaks before and after it are used for the regular-expression match.
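The same endpoint rewritten the way a defender would, as an added example that is not from the original post: it assumes a constant LOG_DIR for the directory that may be served and otherwise keeps the page's own logic. Each of the three inputs discussed above (/www/%0a.env, the php://filter answer and the nystring.anystring variant) is rejected at the first check.

```php
<?php
// Added example, not the original challenge code. LOG_DIR is an assumption:
// the one directory whose files this endpoint is allowed to serve.
const LOG_DIR = __DIR__ . '/logs';

function resolve_log_path(string $name): ?string {
    // 1. Anchor with \A and \z instead of ^ and $ with the m flag, so a
    //    newline anywhere in the value (and a second "line" that happens to
    //    look like a file name) can no longer satisfy the check.
    // 2. Use preg_match rather than preg_match_all + count(): the question is
    //    "does the whole string match", not "how many lines match".
    if (preg_match('/\A\w+\.\w+\z/', $name) !== 1) {
        return null;
    }
    // 3. Even with a well-formed name, resolve it under LOG_DIR and confirm the
    //    canonical path stays inside that directory. realpath() only resolves
    //    local filesystem paths, so stream wrappers such as php://filter can
    //    never reach file_get_contents/readfile through this function.
    $base = realpath(LOG_DIR);
    $path = realpath(LOG_DIR . '/' . $name);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

if (!isset($_GET['file'])) {
    header('Location: /?file=log.txt');
    exit;
}
// $_GET values may be arrays (?file[]=x); reject anything that is not a string.
$path = is_string($_GET['file']) ? resolve_log_path($_GET['file']) : null;
if ($path === null) {
    http_response_code(400);
    exit('illegal operation!');
}
header('Content-Type: text/plain; charset=utf-8');
readfile($path);
```

A stricter variant is an explicit allow-list of file names (for example only log.txt), which removes the path logic entirely; the version above keeps the challenge's "any name.ext in one directory" intent.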
Finally
If interested students want to try it themselves, use the source code at the top and set up a local web service; if you have time, you might as well explore further to see which filters and which php protocols exist.
I am ashamed to write this: of all the languages, PHP is the one I have used the longest, yet this usage (I don't know whether it counts as advanced) was new to me. I suddenly envy the classmates who work in security, who get real, hands-on exposure to the details and core of the technology in every language. In our own learning, a single angle really does limit one's vision and imagination; occasionally, by looking at similar attack-and-defense techniques or learning from others' ways of analyzing vulnerabilities, you may discover a different world.
Mutual encouragement .