Penetrating a pig-butchering scam site targeting women


No preamble, straight to the point. I started by typing a few odd strings into the inputs to make the application throw errors.

The error page shows ThinkPHP 5.0.5 with custom development on top. There is no known RCE for it; a deserialization chain most likely exists, but the POP chain would have to be audited by hand, so that can wait until a deserialization entry point turns up.

Registered an account and logged in. The site is a mobile web page, so the F12 device-mode mobile view makes front-end debugging easier.


Clicking "customer service" revealed a file upload. Uploaded a file straight away and found it goes to a separate image-hosting server, so I gave up on that path (forgot to take a screenshot here).

Checked the runtime directory and got a 403, which suggests a ThinkPHP log leak: the log files are reachable because of improper route configuration.


Downloaded the logs. They contained no plaintext password, but they did expose the admin panel address and a cookie, which was enough to log in to the back end directly.


The membership-level page clearly has a file upload, but there is no input form for it.


F12 showed the form had simply been commented out; removed the comment and tried uploading a file.


The file extension is not restricted, but as soon as I upload a .php file the connection is refused (a WAF in front of the application).


After repeated testing, getting past the WAF took the <?= ?> short-tag form, an AV-evading webshell, AntSword/Godzilla, and the following form of the upload request, with a line break inside the filename:

filename=1.ph

p

That finally got a shell.
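The split-filename trick above works because the WAF matches the raw multipart header while the application reassembles the name. The server-side check below is an added example, not code from the post or from the target site: it rejects any control character outright rather than stripping it, decides the type from a fixed allow-list instead of a ".php" deny-list, and never reuses the client-supplied name on disk. The allow-list and the sample names are assumptions.

```php
<?php
// Added example (not from the original post): server-side filename validation for an
// upload handler. It is written to catch the multipart trick shown above, where a
// line break splits "1.php" into "1.ph" and "p" so a naive regex never sees ".php".
// The allow-list of extensions is an assumption.

function validateUploadFilename(string $rawName, array $allowed = ['jpg', 'jpeg', 'png', 'gif']): array
{
    // 1. Reject any control character (CR, LF, NUL, tab, ...) outright. Stripping
    //    instead of rejecting would quietly turn "1.ph\np" back into "1.php".
    if (preg_match('/[\x00-\x1F\x7F]/', $rawName)) {
        return ['ok' => false, 'reason' => 'control character in filename'];
    }

    // 2. Keep only the basename so path segments cannot escape the upload directory.
    $name = basename($rawName);

    // 3. Decide the type from the last extension only, compared case-insensitively
    //    against a fixed allow-list, so "shell.PhP" and "x.jpg.php" both fail here.
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if ($ext === '' || !in_array($ext, $allowed, true)) {
        return ['ok' => false, 'reason' => 'extension not allowed: ' . $ext];
    }

    // 4. Never reuse the client name on disk: generate a random name and keep only the
    //    validated extension. The upload directory should additionally be served
    //    without PHP execution, so a disguised script is just an unparsed file.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    return ['ok' => true, 'stored' => $stored];
}

// Constructed sample names (not captured from the target): the split-name trick from
// the post, a plain php upload, a traversal attempt with mixed case, and a real image.
$samples = ["1.ph\np", "1.php", "../../shell.PhP", "avatar.JPG"];
foreach ($samples as $s) {
    $r = validateUploadFilename($s);
    printf("%-20s -> %s\n", json_encode($s),
        $r['ok'] ? 'accept, stored as ' . $r['stored'] : 'reject: ' . $r['reason']);
}
```

Only the last sample is accepted; the first three are rejected at steps 1, 3 and 3 respectively.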


Since disable_functions was locked down fairly tightly and I could not be bothered to get a bash shell, I grabbed a PHP zip-packaging script from the internet and used it to package the source code.

```php
<?php
// Pack a file, a list of files, or a directory tree into a zip archive with ZipArchive.
// Returns a status array instead of throwing, so it can be called from a webshell.
function createZip($from, $to) {
    $return = array(
        'success' => false,
        'message' => '',
        'data' => array(
            'zipFile' => array(
                'name' => '',
                'path_relative' => '',
                'path_absolute' => '',
                'url' => '',
                'size' => '',
                'exists_before' => false
            )
        )
    );
    if (!class_exists('ZipArchive')) {
        $return['message'] = 'Missing ZipArchive module in server.';
        return $return;
    }
    $zip = new ZipArchive();
    if (!is_dir(dirname($to))) {
        mkdir(dirname($to), 0755, TRUE);
    }
    if (is_file($to)) {
        $return['data']['zipFile']['exists_before'] = true;
        if ($zip->open($to, ZipArchive::OVERWRITE) !== TRUE) {
            $return['message'] = "Cannot overwrite: {$to}";
            return $return;
        }
    } else {
        if ($zip->open($to, ZipArchive::CREATE) !== TRUE) {
            $return['message'] = "Could not create archive: {$to}";
            return $return;
        }
    }
    // Collect the source paths and remember the common prefix that is stripped
    // from each entry name inside the archive.
    $source_path_including_dir = array();
    $prefix_relative_path_for_source = '';
    if (is_array($from)) {
        foreach ($from as $path) {
            if (file_exists($path)) {
                if ($prefix_relative_path_for_source == '') {
                    $prefix_relative_path_for_source = (is_dir($path)) ? realpath($path) : realpath(dirname($path));
                }
                $source_path_including_dir[] = $path;
            } else {
                $return['message'] = 'No such file or folder: ' . $path;
                return $return;
            }
        }
    } elseif (file_exists($from)) {
        $prefix_relative_path_for_source = (is_dir($from)) ? realpath($from) : realpath(dirname($from));
        $source_path_including_dir[] = $from;
    } else {
        $return['message'] = 'No such file or folder: ' . $from;
        return $return;
    }
    $prefix_relative_path_for_source = rtrim($prefix_relative_path_for_source, '/') . '/';
    // Expand directories into a flat list of files.
    $final_list_of_files = array();
    foreach ($source_path_including_dir as $path) {
        if (is_file($path)) {
            /* File */
            $final_list_of_files[] = $path;
        } else {
            /* Folder */
            $list_of_files = recursive_get_files_by_path_of_folder($path);
            foreach ($list_of_files as $one) {
                $final_list_of_files[] = $one;
            }
        }
    }
    if (!count($final_list_of_files)) {
        $return['message'] = 'No valid file or folder used to zip';
        return $return;
    }
    foreach ($final_list_of_files as $one_file) {
        $zip->addFile($one_file, str_replace($prefix_relative_path_for_source, '', $one_file));
    }
    $zip->close();
    $return['success'] = true;
    $return['data']['zipFile']['name'] = pathinfo($to, PATHINFO_BASENAME);
    $return['data']['zipFile']['path_relative'] = $to;
    $return['data']['zipFile']['path_absolute'] = realpath($to);
    $return['data']['zipFile']['size'] = number_format(abs(filesize($to) / 1024), 2) . ' KB';
    return $return;
}

// Recursively list the files under $dir. With $is_tree = true the result keeps the
// directory structure as nested arrays; otherwise it is a flat list of paths.
function recursive_get_files_by_path_of_folder($dir, $is_tree = false) {
    $files = array();
    // Strip one trailing slash. The original pattern '/[/]{1}$/i' used an unescaped
    // "/" inside a "/"-delimited regex, which PHP rejects; the escaped form is used here.
    $dir = preg_replace('/\/$/', '', $dir);
    if (is_dir($dir)) {
        if ($handle = opendir($dir)) {
            while (($file = readdir($handle)) !== false) {
                if ($file != "." && $file != "..") {
                    if (is_dir($dir . "/" . $file)) {
                        $sub_list = recursive_get_files_by_path_of_folder($dir . "/" . $file, $is_tree);
                        if ($is_tree) {
                            $files[$file] = $sub_list;
                        } else {
                            foreach ($sub_list as $one_sub_file) {
                                $files[] = $one_sub_file;
                            }
                        }
                    } else {
                        $files[] = $dir . "/" . $file;
                    }
                }
            }
            closedir($handle);
        }
        return $files;
    } else {
        $files[] = $dir;
        return $files;
    }
}

/************************************************
 * Accepted forms of the $from parameter:
 * $from = array('A.php', 'B.php', 'C.php', './folderName/')
 * $from = './folderName/';
 * $from = 'xxx.txt';
 */
$from = '/home/wwwroot/dongf/';
$to = '/tmp/tmp.zip';
$zip_result = createZip($from, $to);
print_r($zip_result);
```


Then I started auditing the code, but the main vulnerabilities in this codebase have already been written up by others, so I will not repeat them here:

https://www.freebuf.com/articles/web/254396.html


/play/xgbank.php has an obvious SQL injection that can be exploited directly, without an account.



/application/index/controller/Api.php has an SSRF that supports the gopher and dict protocols.


That concludes the penetration test.

This article first appeared on the WeChat official account 聚鼎安全: "Penetrating a pig-butchering scam site targeting women" (渗透某针对女性的杀猪盘).
