0. Foreword
I saw an interesting translation while browsing the Wuyun Knowledge Base: www.Bkjia.com
It’s talking about an injection method called object injection. Can objects also be injected?
Yes, nothing is impossible to inject as long as there is tainted data, but this vulnerability is a bit too weird for me to find interesting.
1. Principle
When writing a program, it is often necessary to serialize some runtime data. The so-called serialization is to write the runtime data to a local file in a certain format. In this way, the data can be saved locally. When used, the data generated during runtime can be read out by directly reading the file. In PHP, they are the serialize and unserialize functions.
The principle behind injection is that contaminated data is introduced during deserialization, such as:
$obj = unserialize($_GET[‘injection’]) ;
With this statement, we can construct it ourselves according to the format of the serialized data and get the object $obj we want.
Someone may ask, what is the use of just getting this object $obj? Let’s take a look at the following example first.
2. Scenario
This scene also comes from the demo in the translation, here is a restoration:
<!--?php header(Content-type:text/html;charset=UTF-8); // … 一些include ... class FileClass { // 文件名 public $filename = error.log; //当对象被作为一个字符串会读取这个文件 public function __toString() { echo filename发生了变化==--> . $this->filename ; return file_get_contents($this->filename) ; } } // Main User class class User { // Class data public $age = 0; public $name = ''; // 允许对象作为一个字符串输出上面的data public function __toString() { return 'User ' . $this->name . ' is ' . $this->age . ' years old. '; } } // 用户可控 $obj = unserialize($_GET['usr_serialized']); // 输出 __toString var_dump($obj) ; echo $obj; ?>
The above code obtains a serialized data from user-controllable data, and then calls the unserialize method to deserialize $_GET['usr_serialized'], then this $obj can be controlled by us.
The normal way is to submit:
http://127.0.0.1/code/objin.php?usr_serialized=O:4:User:2:{s:3:age;i:20;s:4:name;s:4:John; }
The above serialized data is an object of User class, where $age=20, $name=John.
At this time, echo $obj; directly echo the object, you can call the magic method __toString. This magic method has been overloaded in the User class, that is, it outputs a string. The operation effect is as follows:
The above code obtains a serialized data from user-controllable data, and then calls the unserialize method to deserialize $_GET['usr_serialized'], then this $obj can be controlled by us.
The normal way is to submit:
http://127.0.0.1/code/objin.php?usr_serialized=O:4:User:2:{s:3:age;i:20;s:4:name;s:4:John; }
The above serialized data is an object of User class, where $age=20, $name=John.
At this time, echo $obj; directly echo the object, you can call the magic method __toString. This magic method has been overloaded in the User class, that is, it outputs a string. The operation effect is as follows:
3. Vulnerability mining
This type of vulnerability is quite hidden, but once it appears, it is very effective. The main purpose of mining is to find out whether the parameters in the unserialize function are contaminated data. Find the corresponding control location, and then see which class can be used to complete our attack, such as the FileClass class in this scenario.