Hacking Book | Free Online Hacking Learning


vulnerability analysis of php class inheritance and global variable combination

Posted by patinella at 2020-03-13

A CMS changed and dug a hole for itself

0x00 causes

The younger martial brother in the group encountered an XSS vulnerability in a CMS while learning code audit. The problem is that the old version does not have this vulnerability, and it seems that it also calls related filter functions, but XSS is triggered.

After discussion and analysis, we found the mystery.

0x01 PHP class inheritance

The object-oriented features will not be described in more details. Take a look at the following example code.

Let's first write a basic class file base.class.php

The base class explicitly defines a constructor and calls its own filter function. Assuming that the filter function is SQL injection filter, since it has nothing to do with the problems we discussed, the code of filter function is not written here.

Next is the test function test.php

Explain this code. The web1 class inherits from the base class and rewrites the filter function in the parent class. At this time, the filter function has the function of XSS prevention. As a demonstration, here we simply use the htmlspecialchars function to filter.

Next, define the web2 class to inherit the web1 class, and have the method show to echo your own $name. In particular, web2 at this time will call Web3 class when constructing the generation.

The Web3 class is defined in web3.class.php. The code is as follows:

The Web3 class directly inherits from the base class. Therefore, when we call test.php to generate web2, there are actually multiple inheritance relationships as follows.

Among them, only the web1 class writes the method to filter XSS and calls test.php, which has the following output effect.

Obviously, after web1 filtering, XSS is not triggered, but if the global variable mechanism is introduced, let's take a look at the effect.

0x02 global variable

The codes of the modified documents are as follows:

No other code has been changed, but the previous class variables are replaced by global variables. The execution effect is as follows:

XSS was successfully executed after the filtering method was wrapped.

0x03 comparative analysis

Or back to the call relationship

We can know that when programmers write this code, they must be thinking of flexibly switching filtering methods among different classes by rewriting the base class method with web1.

When web2 is instantiated, web1 is instantiated first. Web1 instantiation will cause base instantiation, and then it is found that the filter function of the parent class is rewritten. Therefore, a new method of web1 is loaded. After web1 instantiation, it is found that Web3 is instantiated again in web2. The instantiation of Web3 causes base and parent method instantiation. Due to global variables, the re instantiated base is getting After taking variables, the original variables are overwritten, and the parent method at this time can't filter XSS. Finally, the unfiltered parameters output by web2 cause XSS vulnerability.

PS: a small correction method. If Web3 inherits from web1 at this time, it can guarantee the call of XSS filter function.