Let's talk about the PHP deserialization vulnerability
November 4, 2016

Deserialization vulnerabilities are common across many languages; here is a quick look at PHP's deserialization vulnerability (PHP object injection). I first ran into this class of bug in a CTF, so this post simply records my personal understanding together with a simple analysis of CVE-2016-7124.

Serialization and deserialization

PHP allows you to save an object for later reuse; this is called serialization. Serializing an object saves all of the object's member variables, but not its methods; of the class itself, only the name is kept. First let's look at what it actually looks like:

```php
<?php
// class header and properties reconstructed from the serialized output below
class Info {
    public $name  = 'church';
    public $phone = '111111';

    public function printdata() {
        echo $this->name . "'s phone is " . $this->phone;
    }
}

$usr = new Info();
$usr->printdata();
echo serialize($usr);
?>
```

This outputs:

```
church's phone is 111111O:4:"Info":2:{s:4:"name";s:6:"church";s:5:"phone";s:6:"111111";}
```

You can see that nothing related to the class's code is present; only the data is there. Taking the serialized string apart:

O:4:"Info":2: the type is an object (an array would be a), the class name is 4 characters long and is Info, and there are two properties.
s:4:"name";s:6:"church"; the property type is a string (an integer would be i), the property name has length 4 and is name, and its value is a string of length 6, church.
s:5:"phone";s:6:"111111"; a property name of length 5, phone, whose value is the string 111111 of length 6.

Deserialization is the conversion of the serialized string back into an array or object. Because of object instantiation and autoloading, deserialization can cause code to be loaded and executed. Take a look at deserialization (the Info class from above must be defined):

```php
$unserialized = unserialize('O:4:"Info":2:{s:4:"name";s:6:"church";s:5:"phone";s:6:"111111";}');
$unserialized->printdata();
```

The output is church's phone is 111111.

Deserialization vulnerability

Now that we know how serialization works, how is it exploited?
Because the values of the deserialized object are under the attacker's control, a vulnerability arises whenever the deserialized object has a magic method whose code can be influenced by those values; depending on that code, this can lead to code injection, SQL injection, directory traversal and so on. Affected software includes the Joomla deserialization vulnerability, the SugarCRM v6.5.23 PHP object injection vulnerability, and the WordPress 3.6.1 deserialization vulnerability.

Magic methods

A PHP class may contain special functions called magic methods. Their names begin with "__", for example __construct, __destruct, __toString, __sleep and __wakeup. They are called automatically in certain situations: __construct when an object is created and, conversely, __destruct when an object is destroyed; __sleep when an object is serialized and __wakeup when an object is deserialized; __toString when an object is used as a string.

```php
<?php
class Info {
    public $name = 'church';

    public function printdata() { echo $this->name; }
    public function __construct() { echo '__construct'; }
    public function __destruct() { echo '__destruct'; }
    public function __toString() { return '__toString'; }
    public function __sleep() { echo '__sleep'; return array('name'); }
    public function __wakeup() { echo '__wakeup'; }
}

$usr = new Info();
$usr->printdata();
echo $usr;                                  // triggers __toString
$serialized = serialize($usr);              // triggers __sleep
echo $serialized;
$unserialized = unserialize($serialized);   // triggers __wakeup
$unserialized->printdata();
?>
```

This outputs:

```
__constructchurch__toString__sleepO:4:"Info":1:{s:4:"name";s:6:"church";}__wakeupchurch__destruct__destruct
```

The automatic calls to these magic methods are clearly visible. There are many more similar magic methods, which are not listed here.

Exploit

First look at a simple demo:

```php
<?php
class Read {
    public $file;

    // the name of the magic method did not survive on the page; __destruct is assumed here
    public function __destruct() {
        if ($this->file) {
            include($this->file);
        }
    }
}

$file = $_GET["file"];
if (isset($file)) {
    echo unserialize($file);
}
?>
```
This code calls the Read class, and the file value is under our control, so we construct a payload like this:

```
test.php?file=O:4:"Read":1:{s:4:"file";s:11:"/etc/passwd";}
```

Only one GET request is required to read the file.

CVE-2016-7124

A PHP bug from a while ago (PHP bug #72663): when deserializing an object, if the property count in the serialized data has been altered, __wakeup() does not execute. In a nutshell, the __wakeup() method is skipped when the number of object properties declared in the serialized string is greater than the real number of properties.

Affected versions: PHP 5 < 5.6.25, PHP 7 < 7.0.10.

I wrote a simple demo whose class echoes from __wakeup() and __destruct(). Normally, after serialization, $serialized is:

```
O:4:"Info":1:{s:4:"name";s:6:"church";}
```

After execution the output is __wakeup__destruct, which shows that __wakeup() is called. Now change $serialized to this:

```
O:4:"Info":2:{s:4:"name";s:6:"church";}
```

Executing again, the output is only __destruct: __wakeup() has clearly been skipped this time, because the declared property count (2) is greater than the real number of properties (1).

Vulnerability case analysis: SugarCRM v6.5.23 PHP deserialization object injection vulnerability analysis
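As an added example from the defender's side (not code from the original post), here is a small Python parser for PHP's serialize() format that decodes a string before it ever reaches unserialize(): it reports every O: entry, since that is a class that would be instantiated, and flags the CVE-2016-7124 pattern from the demo above, an object whose declared property count is larger than the properties actually present. It assumes ASCII input (PHP lengths are byte counts); the sample strings are the Info objects from this post.

```python
import re
_NUM = re.compile(r'[-+]?\d+(?:\.\d+)?')
_STR = re.compile(r'(\d+):"')
_CONT = re.compile(r':(?:(\d+):"([^"]*)":)?(\d+):\{')   # a:<n>:{  or  O:<len>:"<class>":<n>:{

def _parse(s, pos, findings, path):
    """Parse one value at pos; return (python_value, next_pos). ASCII input assumed."""
    t = s[pos:pos + 1]                                     # '' past the end -> 'unknown type'
    if t in ('i', 'b', 'd'):                               # i:1;  b:1;  d:1.5;
        m = _NUM.match(s, pos + 2)
        if not m or s[m.end():m.end() + 1] != ';':
            raise ValueError(f"bad scalar at {pos}")
        val = float(m.group()) if t == 'd' else int(m.group())
        return (bool(val) if t == 'b' else val), m.end() + 1
    if t == 's':                                           # s:<len>:"<bytes>";
        m = _STR.match(s, pos + 2)
        end = m and m.end() + int(m.group(1))
        if not m or s[end:end + 2] != '";':
            raise ValueError(f"bad string at {pos}")
        return s[m.end():end], end + 2
    if t in ('a', 'O'):
        m = _CONT.match(s, pos + 1)
        if not m:
            raise ValueError(f"bad container header at {pos}")
        cls, n, pos = m.group(2), int(m.group(3)), m.end()
        if cls is not None:                                # O: means this class gets instantiated
            findings.append(f"{path}: object of class {cls!r} (object injection surface)")
        members, seen = {}, 0
        while seen < n and s[pos:pos + 1] != '}':          # '}' before n members: short object
            key, pos = _parse(s, pos, findings, path)
            members[key], pos = _parse(s, pos, findings, f"{path}.{key}")
            seen += 1
        if s[pos:pos + 1] != '}':
            raise ValueError(f"unterminated container at {pos}")
        if seen < n:                                       # the CVE-2016-7124 trigger
            findings.append(f"{path}: declares {n} members, only {seen} present "
                            "(CVE-2016-7124 __wakeup bypass pattern)")
        return ({'__class__': cls, **members} if cls is not None else members), pos + 1
    raise ValueError(f"unknown type {t!r} at {pos}")

def inspect(serialized):
    findings = []                                          # returns (decoded value, findings)
    value, end = _parse(serialized, 0, findings, '$')
    if end != len(serialized):
        raise ValueError("trailing data after value")
    return value, findings

# Constructed samples mirroring the article: the Info object and its CVE-2016-7124 variant.
SAMPLE_OK = 'O:4:"Info":2:{s:4:"name";s:6:"church";s:5:"phone";s:6:"111111";}'
SAMPLE_CVE = 'O:4:"Info":2:{s:4:"name";s:6:"church";}'
```

Any non-empty findings list, or a ValueError, is reason to reject the input rather than pass it to unserialize().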