不废话,直接进入正题。顺手输几个字符串使其报错。
thinkphp5.0.5二次开发。无RCE,应该存在反序列化链,但要自己去审POP链出来,等找到反序列化入口再说。
注册一个账户登录,web页面为手机页面,可以使用F12的手机样式,更方便调试前端。
点客服,发现文件上传,直接上传文件,发现是图床服务器,遂放弃(此处忘记截图了)。
查看runtime目录,发现403,可能存在thinkphp日志泄露,此为路由配置不当导致。
下载日志,虽然未直接发现明文密码,但是发现后台地址以及cookie,直接登录。
会员等级处明显存在文件上传,但没有input表单
F12发现被注释掉了,去掉注释,尝试上传文件。
未限制文件后缀,但当我传php时,会拒绝连接
经过反复测试,需要<?=?>标签形式+免杀马+蚁剑/Godzilla,以及如下形式绕过waf。
filename=1.ph
p
最终getshell
由于disable_functions限制的比较死,也懒得获得bash,网上找了个php的zip打包,开始打包源码。
function createZip($from, $to) {$return = array('success' => false,'message' => '','data' => array('zipFile' => array('name' => '','path_relative' => '','path_absolute' => '','url' => '','size' => '','exists_before' => false)));if (!class_exists('ZipArchive')) {$return['message'] = 'Missing ZipArchive module in server.';return $return;}$zip = new ZipArchive();if (!is_dir(dirname($to))) {mkdir(dirname($to), 0755, TRUE);}if (is_file($to)) {$return['data']['zipFile']['exists_before'] = true;if ($zip->open($to, ZIPARCHIVE::OVERWRITE) !== TRUE) {$return['message'] = "Cannot overwrite: {$to}";return $return;}} else {if ($zip->open($to, ZIPARCHIVE::CREATE) !== TRUE) {$return['message'] = "Could not create archive: {$to}";return $return;}}$source_path_including_dir = array();$prefix_relative_path_for_source = '';if (is_array($from)) {foreach ($from as $path) {if (file_exists($path)) {if ($prefix_relative_path_for_source == '') {$prefix_relative_path_for_source = (is_dir($path)) ? realpath($path) : realpath(dirname($path));}$source_path_including_dir[] = $path;} else {$return['message'] = 'No such file or folder: ' . $path;return $return;}}} elseif (file_exists($from)) {$prefix_relative_path_for_source = (is_dir($from)) ? realpath($from) : realpath(dirname($from));$source_path_including_dir[] = $from;} else {$return['message'] = 'No such file or folder: ' . $from;return $return;}$prefix_relative_path_for_source = rtrim($prefix_relative_path_for_source, '/') . '/';$final_list_of_files = array();foreach ($source_path_including_dir as $path) {if (is_file($path)) {/* File */$final_list_of_files[] = $path;} else {/* Folder */$list_of_files = recursive_get_files_by_path_of_folder($path);foreach ($list_of_files as $one) {$final_list_of_files[] = $one;}}}if (!count($final_list_of_files)) {$return['message'] = 'No valid file or folder used to zip';return $return;}foreach ($final_list_of_files as $one_file) {$zip->addFile($one_file, str_replace($prefix_relative_path_for_source, '', $one_file));}$zip->close();$return['success'] = true;$return['data']['zipFile']['name'] = pathinfo($to, PATHINFO_BASENAME);$return['data']['zipFile']['path_relative'] = $to;$return['data']['zipFile']['path_absolute'] = realpath($to);$return['data']['zipFile']['size'] = number_format(abs(filesize($to) / 1024), 2) . ' KB';return $return;}function recursive_get_files_by_path_of_folder($dir, $is_tree = false) {$files = array();$dir = preg_replace('/[/]{1}$/i', '', $dir);if (is_dir($dir)) {if ($handle = opendir($dir)) {while (($file = readdir($handle)) !== false) {if ($file != "." && $file != "..") {if (is_dir($dir . "/" . $file)) {$sub_list = recursive_get_files_by_path_of_folder($dir . "/" . $file, $is_tree);if ($is_tree) {$files[$file] = $sub_list;} else {foreach ($sub_list as $one_sub_file) {$files[] = $one_sub_file;}}} else {$files[] = $dir . "/" . $file;}}}closedir($handle);return $files;}} else {$files[] = $dir;return $files;}}/************************************************* 参数$from的可选形式:* $from = array('A.php', 'B.php', 'C.php', './folderName/')* $from = './folderName/';* $from = 'xxx.txt';*/$from = '/home/wwwroot/dongf/';$to = '/tmp/tmp.zip';$zip_result = createZip($from, $to);print_r($zip_result);
然后开始代码审计,但主要漏洞网上已经有人审过了,就不重复提了。
https://www.freebuf.com/articles/web/254396.html
/play/xgbank.php有着明显的SQL注入,可直接利用,无需账户。
/application/index/controller/Api.php存在SSRF,支持gopher,dict协议
至此渗透完毕。
本文始发于微信公众号(聚鼎安全):渗透某针对女性的杀猪盘
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论