1. Preface
PHP variable overwrite (often translated as "variable coverage") refers to a vulnerability in which attacker-supplied variables replace the values of variables the program already defined. On its own the overwrite does little harm, but it frequently changes the program's execution logic or disables a security mechanism it relied on, which leads to further security problems. This article first introduces the common scenarios in which variables get overwritten, and then walks through a code audit example to show how the weakness is used in practice.
2. Variable overwrite principle
The usual signal in a code audit is one of the following keywords appearing in the code:
- register_globals=on
- the extract() function
- the parse_str() function
- the import_request_variables() function
- $$ (variable variables)
2.1 register_globals
register_globals registers every passed-in value as a global variable. When it is on, a request parameter becomes a global variable directly; when it is off, the value has to be read from the specific superglobal array ($_GET, $_POST, $_COOKIE).
When it is off:
When it is on (PHP 4.2 changed the default of register_globals to off; the directive was deprecated in 5.3 and removed in 5.4, so this only works on PHP <= 5.3):
In this way a variable the program never declared can be registered from the request, but a variable that already exists is not overwritten, as shown below:
2.2 extract()
The extract() function imports variables from an array into the current symbol table, using each array key as the variable name and the corresponding value as the variable value; for every element of the array a variable is created in the current symbol table. The function takes three parameters (the array, a flags value and an optional prefix) and returns the number of variables successfully imported.
Sample code and running results:
The values of variables a, b and c are overwritten even though they were declared beforehand. This depends on the second parameter: with the default flag (EXTR_OVERWRITE) existing variables are replaced, while with EXTR_SKIP they are left untouched.
2.3 parse_str()
The parse_str() function parses a query string into variables. It takes two parameters: the string and an optional result array.
Sample code and running results:
If the result array parameter is not given, the variables set by the function overwrite existing variables of the same name in the current scope.
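The two behaviours described in the extract() and parse_str() sections, as an added example that is not code from the original article: a program-defined $is_admin is replaced by request input, next to the EXTR_SKIP and EXTR_PREFIX_ALL forms that stop it. The variable name and the query string are constructed for the demo.

```php
<?php
// Added example, not from the original article: extract() and parse_str()
// overwriting a variable the program already declared, beside the
// flag/result-array forms that prevent it. $is_admin and the query string
// are constructed for this demo.

// Vulnerable: parse the query string into an array, then extract() it with the
// default EXTR_OVERWRITE flag. The caller's $is_admin is silently replaced.
function load_request_vulnerable(string $query)
{
    $is_admin = false;          // trusted default set by the program
    parse_str($query, $params); // "a=1&b=2" -> ['a' => '1', 'b' => '2']
    extract($params);           // same as extract($params, EXTR_OVERWRITE)
    return $is_admin;           // now whatever the client sent
}

// Hardened 1: EXTR_SKIP leaves variables that already exist untouched,
// so only names the program never declared are imported.
function load_request_skip(string $query)
{
    $is_admin = false;
    parse_str($query, $params);
    extract($params, EXTR_SKIP);
    return $is_admin;           // unchanged by the extract() call
}

// Hardened 2: EXTR_PREFIX_ALL with the third parameter imports every key as
// $req_<name>, so imported names can never collide with program variables.
function load_request_prefixed(string $query): array
{
    $is_admin = false;
    parse_str($query, $params);
    $count = extract($params, EXTR_PREFIX_ALL, 'req'); // returns number imported
    return [
        'is_admin'     => $is_admin,             // program value, untouched
        'req_is_admin' => $req_is_admin ?? null, // client value, under its prefix
        'imported'     => $count,
    ];
}

// Note: the one-argument parse_str($query) form (removed in PHP 8.0) wrote the
// parsed names straight into the current scope, the same hazard as
// load_request_vulnerable() above without the extract() call.
$query = "page=2&is_admin=1";   // constructed hostile query string
var_dump(load_request_vulnerable($query));
var_dump(load_request_skip($query));
var_dump(load_request_prefixed($query));
```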
2.4 import_request_variables()
import_request_variables() imports GET/POST/cookie variables into the global scope and works even when register_globals is off. It takes two parameters:
$types names the variable types to import (get/post/cookie), usually given by their first letters (G, P, C) and case-insensitively. When $types is GP, a POST variable overwrites a GET variable of the same name. $prefix is a prefix added to the imported variable names. Sample code and running results:
2.5 $$
Here foreach is used to iterate over an array, and each key is taken as a variable name and the corresponding value as that variable's value ($$key = $value). Both declared and undeclared variables are overwritten this way. Sample code and running results:
3. Code audit instance
3.1 Basic information
Name: MetInfo CMS 5.3
Introduction: MetInfo is a CMS for building enterprise and company websites, with visual editing, SEO-friendly output, a full feature set, a PHP + MySQL architecture, multi-language support and responsive display. Version 5.x of this CMS has fundamental defects in its system architecture that lead to frequent vulnerabilities. One of them is the foreach assignment structure from section 2.5, which creates a variable overwrite risk across a large amount of code. The newly released version 6.0 has been refactored and fixes most of the known security vulnerabilities.
3.2 Variable overwrite
/include/common.inc.php is the core public file. Lines 25 to 40 contain a section of code that assigns the incoming cookie, GET and POST parameters to variables:
This is exactly the style of code that causes variable overwrites: any variable declared (or not yet declared) before this code is replaced by request input if it is not reassigned afterwards. The experiment is as follows:
Variable overwrite at this point can lead to many other security problems.
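The foreach/$$ registration pattern from section 2.5 and the common.inc.php loop described above, as an added example that is not MetInfo's code, followed by a hardened version. The configuration value (standing in for the article's $met_host), the request arrays and the allow-list are constructed.

```php
<?php
// Added example, not MetInfo's own code: the foreach/$$ registration pattern
// from section 2.5 and common.inc.php, then a hardened version. The config
// value, the request arrays and the allow-list are constructed.

// Configuration loaded from the database before the request is imported
// (the article's $met_host). The hostname is a placeholder.
$met_host = "mail-relay.example.invalid";

// Constructed client request: one normal parameter plus a config variable name.
$_COOKIE = [];
$_GET    = ["lang" => "en", "met_host" => "client-chosen.example.invalid"];
$_POST   = [];

// Vulnerable pattern: every cookie/GET/POST key becomes a variable in the
// global scope and silently replaces any existing variable of the same name.
foreach ([$_COOKIE, $_GET, $_POST] as $source) {
    foreach ($source as $key => $value) {
        $$key = $value;
    }
}
echo "vulnerable import: \$met_host = $met_host\n"; // now the client-supplied value

// Hardened pattern: request data stays in its own array, only allow-listed
// parameter names are accepted, and the global symbol table is never touched.
$met_host = "mail-relay.example.invalid";   // reset for the second run
$allowed  = ["lang", "page", "action"];      // constructed allow-list
$request  = [];
foreach ([$_COOKIE, $_GET, $_POST] as $source) {
    foreach ($source as $key => $value) {
        if (!in_array($key, $allowed, true)) {
            // Unexpected names are dropped and logged: a cheap detection signal
            // for attempts to reach configuration variables from the request.
            error_log("dropped unexpected request parameter: " . $key);
            continue;
        }
        $request[$key] = $value;
    }
}
echo "hardened import: \$met_host = $met_host, lang = {$request['lang']}\n";
```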
3.3 Password reset
MetInfo has an administrator password reset function, and because of variable overwrite the password reset link can be obtained.
The file related to password retrieval is admin/admin/getpassword.php.
The first ten lines query the configuration information from the database and assign it to variables; common.inc.php is included here as well. The switch statement on line 47 is the control logic for password retrieval.
The first step (next1) selects the retrieval method; the default is retrieval by email. The second step (next2) starts at line 92: the first large block builds the message, and the email is sent from line 143.
If the jmailsend function fails to send, the following if statement is entered and the curl_post function is used instead; curl_post is in the file /include/export.func.php.
Here $post is the email content that could not be sent, and it is posted to the address specified by $met_host. In the program this value is app.metinfo.cn, presumably a mail relay server operated by MetInfo: when the mail server configured by the webmaster does not work, the mail content is first sent to this server over HTTP, and the password reset mail is then sent from there. Because of variable overwrite, however, $met_host can be set to an arbitrary value, so the content of the password reset email is delivered to a server chosen by the requester, provided jmailsend fails. So let's look at the jmailsend function in /include/jmail.php.
The goal is to make this function return false, and variable overwrite is used again for that. Line 19 shows that the mail is sent to the port specified by $met_fd_port; if this variable is overwritten, sending fails. First start a listener on the server (the default port is 80).
Then construct the payload as follows:
Click send, and the email content, including the password reset link, is received on the listening server.
Opening the link gives the following:
3.4 Getshell - CVE-2017-11347
The vulnerable file is admin/app/physical/physical.php.
The code decides the subsequent execution logic based on the value of $action.
When $action equals op and $op in the following switch statement is 3, the statement below is entered.
The next switch statement is controlled by $val and determines the value of $address.
Following up the copyfile function in /admin/include/global.func.php:
It writes $oldcon to the new file $newfile, whose content is:
As can be seen, the written file contains require_once '$address';, i.e. the value of $address. Going back to where $newfile and $address come from: $newfile takes its value from the $val array on line 256, and $address from the case statement on lines 236 to 252. The $val array is produced on line 186 by splitting the $valphy variable, and $valphy can be overwritten, so the whole statement becomes controllable. First set $action=op and $op=3; then, following the line 186 statement, $valphy has to take the form $valphy=test|123/shell.php, so that $val becomes an array of length 2. Because no case on lines 236-252 matches, $address is not assigned there and the overwritten value survives. So one can first upload a file with an ordinary suffix, then assign its address to $address, and the newly generated shell.php will include it.
Then construct the payload as follows:
http://127.0.0.1/MetInfo5.3//admin/app/physical/physical.php?action=op&op=3&valphy=test|123/shell.php&address=../upload/201803/1521469553138949.jpg
Then it will generate shell.php in directory 123
4. Statement
This article aims to popularize network security knowledge, raise readers' security awareness, and introduce the characteristics of common vulnerabilities, mining techniques and so on. It is hereby declared that readers are responsible for the consequences of any of their own acts that endanger network security, which have nothing to do with Hetianzhihui or the author.
Hetianzhihui
Website: www.heatian.com