Analysis of a PHP object injection vulnerability
0. Preface
While visiting the Dark Cloud (WooYun) knowledge base I came across an interesting translation. It described an injection technique called object injection. Objects can be injected too?
Yes: as long as there is tainted data, nothing is impossible to inject. This vulnerability is a bit unusual, though, which is what makes it interesting.
1. Principle
When writing a program it is often necessary to serialize some runtime data. Serialization means writing runtime data out in a fixed format, for example to a local file, so that it can be saved and later read back directly into the running program. In PHP this is done with the serialize() and unserialize() functions.
Injection becomes possible when tainted data is fed into deserialization, for example:
$obj = unserialize($_GET['injection']);
With this statement we can craft the input ourselves in the serialization format and obtain whatever object $obj we want.
Someone will ask: what is the use of just getting this object $obj? Let's look at the following example.
2. Scenario
This scenario is also taken from the demo in the translation, restored here:
<?php
// File class. The beginning of this class was lost in extraction and is
// reconstructed from the surviving fragment: a $filename property and a
// __toString() that returns the contents of that file.
class FileClass
{
    // Class variable
    public $filename = '';

    // Return the file contents when the object is used as a string
    public function __toString()
    {
        return file_get_contents($this->filename);
    }
}

// Main user class
class User
{
    // Class data
    public $age = 0;
    public $name = '';

    // Allows the object to output the above data as a string
    public function __toString()
    {
        return 'User ' . $this->name . ' is ' . $this->age . ' years old.';
    }
}

// User controllable
$obj = unserialize($_GET['usr_serialized']);

// Output: var_dump, then __toString via echo
var_dump($obj);
echo $obj;
?>
The code above takes serialized data from user-controllable input and calls unserialize() on $_GET['usr_serialized'], so the resulting $obj is under our control.
The normal way to use it is to submit:
http://127.0.0.1/code/objin.php?usr_serialized=O:4:"User":2:{s:3:"age";i:20;s:4:"name";s:4:"john";}
The serialized data above is an object of the User class with $age = 20 and $name = john.
At this point, echo $obj echoes the object directly, which calls the magic method __toString(). The User class overrides this magic method to output a string, so the effect is as follows:
3. Exploit mining
This kind of vulnerability is quite covert, but once exploited the effect is significant. Mining it consists mainly of checking whether the parameter passed to unserialize() is tainted data, finding a suitable controllable position, and then seeing which class in the code base can be used to complete the attack, such as the FileClass class in this scenario.
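As an added example (not code from the original article), here is the scenario's unserialize() call beside the defensive alternatives: refusing to instantiate any class via unserialize()'s allowed_classes option (PHP 7.0 and later), allow-listing only the expected class, and not accepting serialized PHP objects from the client at all. The User class and the sample payload are the ones from the scenario; userFromJson() is a helper name assumed for this example.

```php
<?php
// Added example, not code from the original article. Assumes PHP >= 7.0
// for the 'allowed_classes' option of unserialize().

class User
{
    public $age = 0;
    public $name = '';

    public function __toString()
    {
        return 'User ' . $this->name . ' is ' . $this->age . ' years old.';
    }
}

// Constructed sample input: the legitimate payload from the scenario.
$input = 'O:4:"User":2:{s:3:"age";i:20;s:4:"name";s:4:"john";}';

// 1. Vulnerable form from the scenario: the client chooses which class is
//    instantiated, so any class in the code base with a useful magic method
//    (such as FileClass::__toString) becomes reachable.
$obj = unserialize($input);

// 2. Refuse to instantiate any class. Object entries in the payload become
//    __PHP_Incomplete_Class, so no __toString()/__wakeup()/__destruct() runs.
$safe = unserialize($input, ['allowed_classes' => false]);
assert($safe instanceof __PHP_Incomplete_Class);

// 3. Allow-list only the class you expect. The client still controls that
//    class's property values, so they must be validated afterwards.
$user = unserialize($input, ['allowed_classes' => ['User']]);
assert($user instanceof User && $user->age === 20);

// 4. Preferred: do not accept serialized PHP objects from the client at all.
//    Carry plain data as JSON and build the object yourself
//    (the helper name is an assumption of this example).
function userFromJson(string $json): ?User
{
    $d = json_decode($json, true);
    if (!is_array($d) || !isset($d['age'], $d['name'])) {
        return null;
    }
    $u = new User();
    $u->age = (int) $d['age'];
    $u->name = (string) $d['name'];
    return $u;
}

echo userFromJson('{"age":20,"name":"john"}'), "\n";
```

Option 2 is the quickest fix for an existing unserialize() call site; option 4 removes the gadget surface entirely because no class in the code base can be instantiated from the input.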