The third round of the Three White Hats challenges is built on simple ideas (it was my first contact with PHP deserialization). For certain reasons I will only talk about the general approach and not go into detail. This is the first time deserialization has come up for me, and I feel I have learned a new technique. Haha
1. The interface is unchanged: register a user and log in to the system.
2. After logging in, select the control panel. There are two options, the administrator's panel and the ordinary member's panel. Obviously a privilege escalation (unauthorized access) is involved.
3. Following the hint, use 0x to escalate directly to administrator.
4. Enter the administrator's interface, which has article editing and search options. Looking at the code, there is obviously an injection.
5. I planned to use the injection to write a shell, but found that MySQL had insufficient permissions: the web directory could not be written, while other directories could.
6. An expert in the group hinted at deserialization and it clicked immediately. I read some material on deserialization and carefully studied P's analysis of the Joomla deserialization vulnerability.
7. Auditing the code then clearly revealed the trigger point of the vulnerability.
The path is cache/md5(username).txt
Roughly, this part of the code works as follows: after the user logs in, the contents of the file at that path are deserialized, and in the destructor __destruct() the previously loaded variables are serialized back into a string and written to that path.
8. At this point the general idea is clear. Write a file md5(username).txt into the cache directory whose contents are a serialized string: include path, with the value of path set to the absolute path of your one-line webshell, then add a variable name to the contents whose value is the one-liner itself. Be careful when constructing this string, because the format requirements are very strict; otherwise you get a lot of errors. I recommend checking the serialization documentation.
Here is a demo.
x:i:3;a:0:{};m:a:2:{s:4:"path";s:36:"/var/www/html/public/upload/xxxx.php";s:4:"test";s:24:"";}
It looks roughly like this; you can change it to another form.
After it is written, when the constructor deserializes it, $path is already /var/www/html/public/upload/xxxx.php. After $cache is serialized it becomes x:i:3;a:0:{};m:a:2:{s:4:"path";s:36:"/var/www/html/public/upload/xxxx.php";s:4:"test";s:24:"";} so once file_put_contents runs, a PHP file containing the one-liner is written to the public/upload directory.
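To make the bug class concrete from the defender's side, here is an added example (not the challenge's own source; the class and property names are assumptions): a cache class with the shape described above, beside a hardened version that never lets the file's contents choose the output path or the object type.

```php
<?php
// Added illustration, not the challenge's real code. UserCache mirrors the pattern
// described above: the per-user file is unserialized on login and the object is
// serialized back to $this->path in __destruct().

class UserCache {
    public $path;
    public $test;   // any cached member

    public function __construct(string $username) {
        $this->path = __DIR__ . '/cache/' . md5($username) . '.txt';
        if (is_file($this->path)) {
            // Vulnerable: whoever can write this file (here, via SQL injection)
            // decides every property, $path included.
            foreach ((array) unserialize(file_get_contents($this->path)) as $k => $v) {
                $this->$k = $v;
            }
        }
    }

    public function __destruct() {
        // Writes wherever $path now points; a .php target under the web root
        // turns a cache flush into a file drop.
        file_put_contents($this->path, serialize($this));
    }
}

class SafeUserCache {
    private const CACHE_DIR = '/var/cache/app';   // assumed: outside the web root
    private string $path;
    private array $data = [];

    public function __construct(string $username) {
        // The path is derived only from the username and is never read from the file.
        $this->path = self::CACHE_DIR . '/' . md5($username) . '.json';
        if (is_file($this->path)) {
            // JSON yields plain arrays: no classes are instantiated, so no magic
            // methods run and no property such as $path can be overridden.
            $decoded = json_decode(file_get_contents($this->path), true);
            $this->data = is_array($decoded) ? $decoded : [];
        }
    }

    public function set(string $key, $value): void { $this->data[$key] = $value; }
    public function get(string $key) { return $this->data[$key] ?? null; }

    public function __destruct() {
        file_put_contents($this->path, json_encode($this->data));
    }
}
```

If the serialized format must stay, unserialize($s, ['allowed_classes' => false]) at least prevents object instantiation, but the output path still has to be pinned to the cache directory as above.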
Two points to note here:
1. The username must not have been registered yet, because if it has, the cache file already exists and cannot be written via the SQL injection. Write md5(unregistered username).txt first, then register that username; this way the file you wrote gets loaded.
2. Write the file contents in hexadecimal rather than as a quoted string, and do not use union select 1,xxxxx,3: that writes the numbers into the file, and deserialization fails as soon as the string contains dirty data. It is better to write it as union select 0xxxxxx,'',''. I was stuck here again.
This was written quickly and may contain mistakes. Sorry.