Checking in which PHP versions a MySQL server can still trigger a client-side file read
date: Nov 18, 2021
slug: mysql-readfile-check-php
status: Published
tags: Security research, PHP security
summary: While bug hunting I suddenly thought of this and wanted to test it, to find out in which version it was fixed so that the file read / deserialization can no longer be triggered.
type: Post
The check was done with the Mysqlist tool.
Test demo:
```php
<?php
// Gadget class: if a phar archive carrying a serialized A is read through
// phar://, unserialize() runs __wakeup() and prints the marker.
class A {
    public $s = '';
    public function __wakeup () {
        echo "pwned!!";
    }
}

// Allow the client to honour LOAD DATA LOCAL requests; must be set before connecting.
$m = mysqli_init();
mysqli_options($m, MYSQLI_OPT_LOCAL_INFILE, true);

// Connect to the test (fake) server listening on port 8887; any password is accepted.
$s = mysqli_real_connect($m, '127.0.0.1', 'root', '123456', 'test', 8887);

// The server's reply to this query is what asks the client to send a local file.
$p = mysqli_query($m, 'select 1;');

// file_get_contents('phar://./phar.phar');
```
As is well known, if a forged MySQL server can make a PHP client read a local file, it can also make it read the contents of a phar archive and thereby trigger deserialization: one only needs to change file:///etc/passwd to phar://xxx.phar.
This post tests in which versions this attack still works.
Regular mysql client 5.7.29
Can be triggered (any password works):
![notion image](https://www.notion.so/image/https%3A%2F%2Ffile.notion.so%2Ff%2Ff%2Fc113620e-b4a6-4a92-bee1-d70b242f1a2f%2Fd7428ff2-7329-445c-a09c-607e19df77d2%2FUntitled.png%3Fid%3De12c9778-09c5-46f9-9dc4-848c5e1d94f1%26table%3Dblock%26spaceId%3Dc113620e-b4a6-4a92-bee1-d70b242f1a2f%26expirationTimestamp%3D1722002400000%26signature%3Du5M9SHWMg5Ch2io11DR7qq0LhajBFQGYlJfZmD9yTNk?table=block&id=e12c9778-09c5-46f9-9dc4-848c5e1d94f1&cache=v2)
PHP 5.6
![notion image](https://www.notion.so/image/https%3A%2F%2Ffile.notion.so%2Ff%2Ff%2Fc113620e-b4a6-4a92-bee1-d70b242f1a2f%2F1e93650f-ffbb-4f20-8931-48ea3233c0e1%2FUntitled.png%3Fid%3D43bdfc07-de39-401c-99e2-6c4291bc8cbb%26table%3Dblock%26spaceId%3Dc113620e-b4a6-4a92-bee1-d70b242f1a2f%26expirationTimestamp%3D1722002400000%26signature%3DVz32sF4_wEBgHrgdbkqxmGVPzqqYvtrrXgnYF7W7mz4?table=block&id=43bdfc07-de39-401c-99e2-6c4291bc8cbb&cache=v2)
PHP 7.0.33
![notion image](https://www.notion.so/image/https%3A%2F%2Ffile.notion.so%2Ff%2Ff%2Fc113620e-b4a6-4a92-bee1-d70b242f1a2f%2F419e62f8-9c72-439d-bc5f-bcf4a812328c%2FUntitled.png%3Fid%3D4f191367-3c06-4a25-8e5d-40ea971accaf%26table%3Dblock%26spaceId%3Dc113620e-b4a6-4a92-bee1-d70b242f1a2f%26expirationTimestamp%3D1722002400000%26signature%3DKYN3wGUDnjRNrNs5AA0H35dPi1qbTOxtGo35cXiI8xk?table=block&id=4f191367-3c06-4a25-8e5d-40ea971accaf&cache=v2)
PHP 7.2.34
Here it becomes Not_Found; the file can no longer be read.
![notion image](https://www.notion.so/image/https%3A%2F%2Ffile.notion.so%2Ff%2Ff%2Fc113620e-b4a6-4a92-bee1-d70b242f1a2f%2Fb3b80222-433c-4b13-b965-55332f5705da%2FUntitled.png%3Fid%3Daacdcec4-0b0a-4028-a14f-0aab0cc87152%26table%3Dblock%26spaceId%3Dc113620e-b4a6-4a92-bee1-d70b242f1a2f%26expirationTimestamp%3D1722002400000%26signature%3D7vzvlQyqSRcljUHwev9UqhPRnattGH29cY3pHXNJe3I?table=block&id=aacdcec4-0b0a-4028-a14f-0aab0cc87152&cache=v2)
PHP 7.3.25
Same result, not readable either.
![notion image](https://www.notion.so/image/https%3A%2F%2Ffile.notion.so%2Ff%2Ff%2Fc113620e-b4a6-4a92-bee1-d70b242f1a2f%2F7461a126-de2d-4c88-b782-95bd03806364%2FUntitled.png%3Fid%3D24e84360-cd95-44b5-9e4a-a94e8c74f84b%26table%3Dblock%26spaceId%3Dc113620e-b4a6-4a92-bee1-d70b242f1a2f%26expirationTimestamp%3D1722002400000%26signature%3DTZj98xvO74JZxRZvBcU2XHRedapimoEj-ZUhQ9IYlUc?table=block&id=24e84360-cd95-44b5-9e4a-a94e8c74f84b&cache=v2)
Summary
From PHP 7.2 onward (7.2 included), this attack technique no longer works.
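For applications that still run one of the older versions tested above, the client side can close both halves of the chain itself. The helper below is an added example and not code from the original post or from the Mysqlist tool: it refuses to enable MYSQLI_OPT_LOCAL_INFILE, checks that the mysqli.allow_local_infile INI switch is off, and removes the phar:// stream wrapper so that a forced "local file" read can never become an unserialize(). Host, credentials and port are placeholders.

```php
<?php
// Added example, not part of the original post: a mysqli connection helper
// that refuses the server-side "send me a local file" request and removes
// the phar:// wrapper. Host, credentials and port below are placeholders.

function hardened_mysqli_connect(string $host, string $user, string $pass, string $db, int $port): mysqli
{
    // mysqli.allow_local_infile is PHP_INI_SYSTEM, so it cannot be changed at
    // runtime with ini_set(); fail loudly if php.ini left it enabled.
    if (filter_var(ini_get('mysqli.allow_local_infile'), FILTER_VALIDATE_BOOLEAN)) {
        throw new RuntimeException('Set mysqli.allow_local_infile=0 in php.ini');
    }

    $m = mysqli_init();
    if ($m === false) {
        throw new RuntimeException('mysqli_init() failed');
    }

    // Must be set before connecting. With the option off, the client answers a
    // LOAD DATA LOCAL request from the server with an error instead of file contents.
    mysqli_options($m, MYSQLI_OPT_LOCAL_INFILE, false);

    if (!mysqli_real_connect($m, $host, $user, $pass, $db, $port)) {
        throw new RuntimeException('Connect failed: ' . mysqli_connect_error());
    }
    return $m;
}

// Removing the phar wrapper covers the second half of the chain: even a client
// that can still be tricked into reading a path cannot turn "phar://..." into
// a deserialization. Only do this if the application never loads Phar archives.
function disable_phar_wrapper(): bool
{
    return in_array('phar', stream_get_wrappers(), true)
        ? stream_wrapper_unregister('phar')
        : true;
}

disable_phar_wrapper();
$conn = hardened_mysqli_connect('127.0.0.1', 'app', 'placeholder-password', 'test', 3306);
```

For PDO the equivalent client-side switch is passing `PDO::MYSQL_ATTR_LOCAL_INFILE => false` in the driver options array. Independently of either setting, connecting over TLS with server-certificate verification lets the client tell a genuine server from a forged one before any query is sent.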