Vulnerability Analysis caused by unserialize function in PHP source code

0x01 unserialize function concept

First, let's take a look at the official explanation: unserialize () operates on a single serialized variable and converts it back to the PHP value. The returned value is the converted value, which can be integer, float, string, array, or object. If the passed string cannot be deserialized, FALSE is returned. If the deserialized variable is an object, PHP automatically tries to call the _ wakeup () member function (if any) after the object is successfully re-constructed ).

According to the official explanation provided by PHP, we can understand that the unserialize function corresponds to the serialize function. The two functions are to serialize and deserialize variables.

Why is variable serialization required? During Variable transfer, variable values may be transferred across script files. Imagine how to perform this operation if a script wants to call the variables of the previous script, but the previous script has been executed and all the variables and content have been released? Is it necessary to keep repeating the previous script and wait for the subsequent script to be called? This must be unrealistic.

Serialize and unserialize solve this problem. serialize can convert a variable to a string and save the value of the current variable during the conversion; unserialize can convert the string generated by serialize back to the variable.

0x02 Exploitation

Before talking about problems caused by incorrect use of unserialize, we will introduce the working process of unserialize. Before unserialize returns a variable, it creates a variable based on the variable information in the string generated by serialize and assigns a value to it.

The unserialize condition must meet the following requirements,

1. The parameters of the unserialize function are controllable.
2. There is a constructor, destructor, and _ wakeup () function in the script that contains the class for writing data to the PHP file.
3. The written content requires the value of the member variable in the object.

The idea is to construct a class with the same name as the condition class in the script locally and assign values to the member variables that can be written into the php file. The content is the php script code to be executed (for example: phpinfo ()). Then, instantiate the class locally and call the serialize function to convert the instantiated object to a string. Finally, pass the obtained string as the unserialize parameter.

Next we will use a local experiment to see what the final effect is.

 
Through the above Code, we will familiarize ourselves with the unserialize workflow. Line 14-17 code will generate an object of class a $ class and change the value of its member variable test to test, convert the object and then destroy the object. The following 18-19 rows restore the original object through unserialize, assign the object to the variable $ class_unser, and finally print the value of the original member variable, so that we can check whether the restored content is the same as the previously destroyed content.

 
We can see that the value of the restored object after unserialize is the same as that of the previous object.

Next we will modify this code and use it as the vulnerability code to see how to use unserialize to achieve the attack effect. The code is modified as follows,
 
This is a problematic piece of code. Its function is to deserialize the strings passed in through the GET method. In addition, it provides a class named a. The destructor of this class will create a file named 123. php and write the value of the internal Member test in it. Finally, to prove the effect, I included the file generated by the destructor.

The idea of using this question is to imitate a Class a and give the test code to the member variable test. <? Php phpinfo ()?>, Instantiate a Class a object and serialize it as follows,
 
The execution result is www.2cto.com.
 
Next, we will pass the serialized string as the GET variable to the problematic script. Let's take a look at the running result.
 

0x03 Summary

The Unserialize function is frequently used in php code development. During code auditing, it is found that programs are convenient to transmit parameters, the serialized string is encrypted with base64 again to prevent the string from being filtered by magic_gpc. However, it is also convenient for attackers to bypass magic_gpc to submit attack code.

How can we protect or prevent such problems? We can prevent and defend against the exploitation conditions proposed in the previous chapter.

1. strictly control the parameters of the unserialize function and insist that the information entered by the user is unreliable.

2. Check the variable content after unserialize to ensure that the content is not contaminated.