PHP Challenge 2015

0x00背景

在乌云上看到PHP Challenge 2015,深感兴趣,但并无思路,直到看了@Ryat大牛的微博才知道答案。

0x01PHP bug

先贴出代码吧

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
<?php

/*******************************************************************
* PHP Challenge 2015
*******************************************************************
* Why leave all the fun to the XSS crowd?
*
* Do you know PHP?
* And are you up to date with all its latest peculiarities?
*
* Are you sure?
*
* If you believe you do then solve this challenge and create an
* input that will make the following code believe you are the ADMIN.
* Becoming any other user is not good enough, but a first step.
*
* Attention this code is installed on a Mac OS X 10.9 system
* that is running PHP 5.4.30 !!!
*
* TIPS: OS X is mentioned because OS X never runs latest PHP
* Challenge will not work with latest PHP
* Also challenge will only work on 64bit systems
* To solve challenge you need to combine what a normal
* attacker would do when he sees this code with knowledge
* about latest known PHP quirks
* And you cannot bruteforce the admin password directly.
* To give you an idea - first half is:
* orewgfpeowöfgphewoöfeiuwgöpuerhjwfiuvuger
*
* If you know the answer please submit it to info@sektioneins.de
********************************************************************/


$users = array(
"0:9b5c3d2b64b8f74e56edec71462bd97a" ,
"1:4eb5fb1501102508a86971773849d266",
"2:facabd94d57fc9f1e655ef9ce891e86e",
"3:ce3924f011fe323df3a6a95222b0c909",
"4:7f6618422e6a7ca2e939bd83abde402c",
"5:06e2b745f3124f7d670f78eabaa94809",
"6:8e39a6e40900bb0824a8e150c0d0d59f",
"7:d035e1a80bbb377ce1edce42728849f2",
"8:0927d64a71a9d0078c274fc5f4f10821",
"9:e2e23d64a642ee82c7a270c6c76df142",
"10:70298593dd7ada576aff61b6750b9118"
);

$valid_user = false;

$input = $_COOKIE['user'];

$input[1] = md5($input[1]);

foreach ($users as $user)
{
$user = explode(":", $user);
echo 'user = '.$user;
if ($input === $user) {
$uid = $input[0] + 0;
$valid_user = true;
}
}

if (!$valid_user) {
die("not a valid user\n");
}

if ($uid == 0) {

echo "Hello Admin How can I serve you today?\n";
echo "SECRETS ....\n";

} else {
echo "Welcome back user\n";
}

?>

按照Ryat的提示,找到(https://bugs.php.net/bug.php?id=69892)

1
2
3
4
5
Bug #69892 	Different arrays compare indentical due to integer key truncation
Description:
------------
var_dump([0 => 0] === [0x100000000 => 0]); // bool(true)
on all versions: http://3v4l.org/Sjdf8

integer类型的key截断导致不同的数组比较结果相同。我们去看看PHP源码中的相关片段,在Zend/zend_hash.c:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
//php5.2.14
ZEND_API int zend_hash_compare(HashTable *ht1, HashTable *ht2, compare_func_t compar, zend_bool ordered TSRMLS_DC)
{

Bucket *p1, *p2 = NULL;
int result;
void *pData2;

IS_CONSISTENT(ht1);
IS_CONSISTENT(ht2);

HASH_PROTECT_RECURSION(ht1);
HASH_PROTECT_RECURSION(ht2);

result = ht1->nNumOfElements - ht2->nNumOfElements;
if (result!=0) {
HASH_UNPROTECT_RECURSION(ht1);
HASH_UNPROTECT_RECURSION(ht2);
return result;
}

p1 = ht1->pListHead;
if (ordered) {
p2 = ht2->pListHead;
}

while (p1) {
if (ordered && !p2) {
HASH_UNPROTECT_RECURSION(ht1);
HASH_UNPROTECT_RECURSION(ht2);
return 1; /* That's not supposed to happen */
}
if (ordered) {
if (p1->nKeyLength==0 && p2->nKeyLength==0) { /* numeric indices */
result = p1->h - p2->h;
if (result!=0) {
HASH_UNPROTECT_RECURSION(ht1);
HASH_UNPROTECT_RECURSION(ht2);
return result;
}
} else { /* string indices */
result = p1->nKeyLength - p2->nKeyLength;
if (result!=0) {
HASH_UNPROTECT_RECURSION(ht1);
HASH_UNPROTECT_RECURSION(ht2);
return result;
}
result = memcmp(p1->arKey, p2->arKey, p1->nKeyLength);
if (result!=0) {
HASH_UNPROTECT_RECURSION(ht1);
HASH_UNPROTECT_RECURSION(ht2);
return result;
}
}
pData2 = p2->pData;
} else {
if (p1->nKeyLength==0) { /* numeric index */
if (zend_hash_index_find(ht2, p1->h, &pData2)==FAILURE) {
HASH_UNPROTECT_RECURSION(ht1);
HASH_UNPROTECT_RECURSION(ht2);
return 1;
}
} else { /* string index */
if (zend_hash_quick_find(ht2, p1->arKey, p1->nKeyLength, p1->h, &pData2)==FAILURE) {
HASH_UNPROTECT_RECURSION(ht1);
HASH_UNPROTECT_RECURSION(ht2);
return 1;
}
}
}
result = compar(p1->pData, pData2 TSRMLS_CC);
if (result!=0) {
HASH_UNPROTECT_RECURSION(ht1);
HASH_UNPROTECT_RECURSION(ht2);
return result;
}
p1 = p1->pListNext;
if (ordered) {
p2 = p2->pListNext;
}
}

HASH_UNPROTECT_RECURSION(ht1);
HASH_UNPROTECT_RECURSION(ht2);
return 0;
}

关键在34行:

1
2
3
4
5
6
7
if (p1->nKeyLength==0 && p2->nKeyLength==0) { /* numeric indices */
result = p1->h - p2->h; //这里喔
if (result!=0) {
HASH_UNPROTECT_RECURSION(ht1);
HASH_UNPROTECT_RECURSION(ht2);
return result;
}

当数组的key为integer进到这里,比较他们的key是否相同,p1和p2是PHP的bucket结构体,其中h保存着数组的key。bucket结构如下:

1
2
3
4
5
6
7
8
9
10
11
12
//location:Zend/zend_hash.h
typedef struct bucket {
ulong h; /* Used for numeric indexing */
uint nKeyLength;
void *pData;
void *pDataPtr;
struct bucket *pListNext;
struct bucket *pListLast;
struct bucket *pNext;
struct bucket *pLast;
char arKey[1]; /* Must be last element */
} Bucket;

可以看出h是ulong,ulong是一个unsigned long,如下:

1
typedef unsigned long ulong;

看到这里不知道大家有没有看出问题?注意喔,保存p1和p2差值的变量是result,而result是int型变量,这就导致了在64位系统中,unsigned long是64位整型,而int是32位整型,类型的不同出现问题。程序会将p1->h - p2->h的结果强制转换为int,我们都知道unsigned long转int会截取低4个字节。所以只需要让unsigned long的低4字节为0,它转换后的int就为0。比如我们将二进制10000000000000000000000000000000000000转换为十进制137438953472,那么137438953472转为int就为0。

0x02分析

现在再来看看这个php代码吧,前面的那个bug利用前提是数组的value相同,key不同,所以首先需要匹配一个md5出来,我在cmd5试了这10个md5,只有第五个06e2b745f3124f7d670f78eabaa94809能解出,原文是hund。于是首先写入cookie:Cookie: user[0]=5;user[1]=hund; 程序会进入58行,验证通过,$valid_user被改为true,这个时候输出为Welcome back user。到了这一步答案已经很接近了,只需要将$uid改为0即可。现在试试前面提到的漏洞,我们写入cookie:Cookie: user[137438953472]=5;user[1]=hund; 这个时候因为之前提到的漏洞,程序还是会进入58行,因为$input[0]未赋值,所以为NULL,在PHP中0+NULL=0,故成功将$uid改为0。

0x03最后

成功