php-security-calendar-2017
1-
class Challenge {
const UPLOAD_DIRECTORY = './solutions/';
private $file;
private $whitelist;
public function __construct($file) {
$this->file = $file;
$this->whitelist = range(1, 24);
}
public function __destruct() {
if (in_array($this->file['name'], $this->whitelist)) {
move_uploaded_file(
$this->file['tmp_name'],
self::UPLOAD_DIRECTORY . $this->file['name']
);
}
}
}
$challenge = new Challenge($_FILES['solution']);
in_array函数检测上传文件名字时,第三个参数如果没有写默认都会进行弱比较,如此段demo,对上传的文件名进行判断是否为数字,利用弱比较可以上传一个名为 1wa1ki0g.php 的文件拿shell.
2-
// composer require "twig/twig"
require 'vendor/autoload.php';
class Template {
private $twig;
public function __construct() {
$indexTemplate = '<img ' .
'src="https://loremflickr.com/320/240">' .
'<a href="{{link|escape}}">Next slide »</a>';
// Default twig setup, simulate loading
// index.html file from disk
$loader = new Twig\Loader\ArrayLoader([
'index.html' => $indexTemplate
]);
$this->twig = new Twig\Environment($loader);
}
public function getNexSlideUrl() {
$nextSlide = $_GET['nextSlide'];
return filter_var($nextSlide, FILTER_VALIDATE_URL);
}
public function render() {
echo $this->twig->render(
'index.html',
['link' => $this->getNexSlideUrl()]
);
}
}
(new Template())->render();
filter_var函数中的第二个参数:FILTER_VALIDATE_URL:把值作为 URL 来验证
payload为:javascript://test%250aalert(1)
上面payload中,//是单行注释,%25是%的url编码(直接在url上面%会变成%25),%0a是换行符,这样alert(1)就在下一行,没有被注释,js语句成功被执行。