Analysis of a PHP object injection vulnerability

Source: Internet
Author: User

0. Preface

Browsing the WooYun knowledge base, I came across an interesting translated article: www.2cto.com

It describes a kind of injection called object injection. Can objects be injected too?

Yes. As long as there is tainted data, nothing is impossible to inject, but this vulnerability is a bit odd, which is exactly why I find it interesting.

1. Principle

When writing a program it is often necessary to serialize some runtime data. Serialization means writing runtime data to a local file in a defined format, so that the data can be stored locally and later read back directly to recover the values generated at runtime. In PHP this is done by the serialize and unserialize functions.

Injection becomes possible when tainted data is fed into the deserialization step, for example:

$obj = unserialize($_GET['injection']);

With this statement, we can construct data ourselves according to the serialization format and obtain whatever object $obj we want.

Someone will ask: what use is it to obtain this object $obj? Let's look at the example below.

2. Scenario

This scenario is also taken from the demo in the translated article, reproduced here:

<?php
// FileClass: reads the file named by $filename when the object is used as a string
class FileClass
{
    // class data (the default value is lost in the original listing)
    public $filename;

    // allows the object to output the file content as a string
    public function __toString()
    {
        return file_get_contents($this->filename);
    }
}

// Main user class
class user
{
    // class data
    public $age = 0;
    public $name = '';

    // allows the object to output the above data as a string
    public function __toString()
    {
        return 'User ' . $this->name . ' is ' . $this->age . ' years old.' . "\n";
    }
}

// user-controllable input
$obj = unserialize($_GET['usr_serialized']);

// output; echo invokes __toString
var_dump($obj);
echo $obj;
?>

The code above takes serialized data from user-controllable input and calls unserialize() on $_GET['usr_serialized'], so $obj is under our control.

The normal way to use it is to submit:

http://127.0.0.1/code/objin.php?usr_serialized=O:4:"user":2:{s:3:"age";i:20;s:4:"name";s:4:"john";}

The serialized data above is an object of the user class with $age = 20 and $name = 'john'.

At this point `echo $obj` echoes the object directly, which invokes the magic method __toString; the user class overrides this magic method to return a string, so the result is the line "User john is 20 years old."


3. Finding the vulnerability

This kind of vulnerability is quite covert, but once triggered its effect is immediate. Hunting for it mainly means checking whether the argument passed to unserialize() is tainted data. Find a suitable controllable position, then see which class can be used to complete the attack, such as the FileClass class in this scenario.
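The same sink, hardened, as an added example that is not part of the original post or the translated demo: the demo's user class is repeated so the script runs on its own; allowed_classes restricts which classes unserialize() may rebuild, and an HMAC with an assumed server-side secret stops the client from altering the serialized data at all. The function names, the placeholder secret, the secret.txt filename and the FileClass payload are all constructed for the demonstration.

```php
<?php
// Added example, not from the original post: the user class from the demo with
// the unserialize() sink hardened. Assumes PHP >= 7.0 (allowed_classes option)
// and a server-side secret the client never sees ($secret below is a placeholder).
class user
{
    public $age = 0;
    public $name = '';
    public function __toString()
    {
        return 'User ' . $this->name . ' is ' . $this->age . ' years old.';
    }
}

// Only the user class may be rebuilt; any other class token in the input
// (e.g. FileClass) becomes __PHP_Incomplete_Class, whose magic methods never run.
function safe_unserialize_user(string $data)
{
    $obj = @unserialize($data, ['allowed_classes' => ['user']]);
    return ($obj instanceof user) ? $obj : null;
}

// Stronger: the server signs the data it hands out and rejects anything whose
// HMAC does not match, so the client cannot alter the serialized object at all.
function sign(string $data, string $secret): string
{
    return hash_hmac('sha256', $data, $secret) . '|' . $data;
}

function verify_and_unserialize(string $signed, string $secret)
{
    $parts = explode('|', $signed, 2);
    if (count($parts) !== 2) {
        return null;
    }
    list($mac, $data) = $parts;
    if (!hash_equals(hash_hmac('sha256', $data, $secret), $mac)) {
        return null; // tampered or forged
    }
    return safe_unserialize_user($data);
}
// Constructed inputs for the demonstration
$secret = 'replace-with-a-random-server-secret';
$john = new user(); $john->age = 20; $john->name = 'john';
$legit = serialize($john);
$other = 'O:9:"FileClass":1:{s:8:"filename";s:10:"secret.txt";}';
var_dump(safe_unserialize_user($other));                           // class not allowed: no object
echo verify_and_unserialize(sign($legit, $secret), $secret), "\n"; // signed legit data: prints the user
var_dump(verify_and_unserialize('deadbeef|' . $legit, $secret));   // wrong MAC: rejected
```

Where the data never needs to carry objects at all, json_encode/json_decode is the simpler fix, since JSON cannot name a class.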
