title: 2022 Fifth Space Cybersecurity Competition Preliminary Round.md
date: 2022-09-20 11:06:40
tags:
2022 Fifth Space Cybersecurity Competition Preliminary Round
5_web_BaliYun
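A simple file upload.
At first, because others solved it so quickly, I assumed it was an ordinary file upload, but I spent a long time trying bypasses and could not get anything uploaded.
Later I found the source code archive, ww.zip.
Auditing the code: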
```php
<!DOCTYPE html>
<html>
<head>
    <title>BaliYun图床</title>
    <link rel="stylesheet" href="css/style.css">
    <link href='//fonts.googleapis.com/css?family=Open+Sans:400,300italic,300,400italic,600,600italic,700,700italic,800,800italic' rel='stylesheet' type='text/css'>
    <link href='//fonts.googleapis.com/css?family=Montserrat:400,700' rel='stylesheet' type='text/css'>
    <meta name="viewport" content="width=device-width, initial-scale=1" />
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <meta name="keywords" content="File Upload widget Widget Responsive, Login Form Web Template, Flat Pricing Tables, Flat Drop-Downs, Sign-Up Web Templates, Flat Web Templates, Login Sign-up Responsive Web Template, Smartphone Compatible Web Template, Free Web Designs for Nokia, Samsung, LG, Sony Ericsson, Motorola Web Design" />
    <script type="application/x-javascript"> addEventListener("load", function() { setTimeout(hideURLbar, 0); }, false); function hideURLbar(){ window.scrollTo(0,1); } </script>
</head>
<body>
    <h1>BaliYun图床</h1>
    <div class="agile-its">
        <h2>Image Upload</h2>
        <div class="w3layouts">
            <div class="photos-upload-view">
                <form action="index.php" method="post" enctype="multipart/form-data">
                    <label for="file">选择文件</label>
                    <input type="file" name="file" id="file"><br>
                    <input type="submit" name="submit" value="提交">
                </form>
                <div id="messages">
                    <p>
                        <?php
                        include("class.php");
                        if(isset($_GET['img_name'])){
                            $down = new check_img();
                            echo $down->img_check();
                        }
                        if(isset($_FILES["file"]["name"])){
                            $up = new upload();
                            echo $up->start();
                        }
                        ?>
                    </p>
                </div>
            </div>
            <div class="clearfix"></div>
            <script src="js/filedrag.js"></script>
        </div>
    </div>
    <div class="footer">
        <p> Powerded by <a href="http://w3layouts.com/">ttpfx de BaliYun图床</a></p>
    </div>
    <script type="text/javascript" src="js/jquery.min.js"></script>
    </div>
</body>
</html>
```
It includes class.php.
class.php
```php
<?php
class upload{
    public $filename;
    public $ext;
    public $size;
    public $Valid_ext;
    public function __construct(){
        $this->filename = $_FILES["file"]["name"];
        $this->ext = end(explode(".", $_FILES["file"]["name"]));
        $this->size = $_FILES["file"]["size"] / 1024;
        $this->Valid_ext = array("gif", "jpeg", "jpg", "png");
    }
    public function start(){
        return $this->check();
    }
    private function check(){
        var_dump($this->filename);
        if(file_exists($this->filename)){
            return "Image already exsists";
        }elseif(!in_array($this->ext, $this->Valid_ext)){
            return "Only Image Can Be Uploaded";
        }else{
            var_dump($this->filename);
            return $this->move();
        }
    }
    private function move(){
        move_uploaded_file($_FILES["file"]["tmp_name"], "upload/".$this->filename);
        //phpinfo();
        return "Upload succsess!";
    }
    public function __wakeup(){
        echo "12ehdwugfuwegfufffffdjaseiwhfishfiuusehfi";
        phpinfo();
        echo file_get_contents($this->filename);
    }
}
class check_img{
    public $img_name;
    public function __construct(){
        $this->img_name = $_GET['img_name'];
    }
    public function img_check(){
        if(file_exists($this->img_name)){
            return "Image exsists";
        }else{
            return "Image not exsists";
        }
    }
}
```
```php
public function __wakeup(){
    echo "12ehdwugfuwegfufffffdjaseiwhfishfiuusehfi";
    phpinfo();
    echo file_get_contents($this->filename);
}
```
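We can see this __wakeup method, and there are classes, but there is no unserialize() call.
Isn't this simply a case of triggering deserialization through phar?
So let's audit it.
Start with index.php.
It includes class.php.
Then, if the GET parameter img_name is set, it instantiates the check_img class.
$this->img_name is the value we pass in via GET.
It then calls img_check(), which returns that the file exists if it does,
and that it does not exist otherwise.
If a file is uploaded,
the upload class is instantiated.
It goes through some file handling, but none of that matters; what we want is to trigger the __wakeup function.
How do we trigger __wakeup? By triggering deserialization.
How do we trigger deserialization? Through certain file-operation functions: if one of them reads a phar file via the phar:// pseudo-protocol, deserialization is triggered.
What gets output here is
So when writing the phar file, we just set filename to flag. I reproduced this on my local Windows machine.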
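A hardened counterpart to the two sinks discussed above (file_exists() on the img_name parameter, and the upload that keeps the client's file name), as an added example that is not code from the challenge or the original post. The function names safe_img_exists and safe_store_upload, the UPLOAD_DIR location and the MIME allow-list are assumptions made for illustration.

```php
<?php
// Added example, not the challenge's code; all names below are hypothetical.
const UPLOAD_DIR = __DIR__ . '/upload';   // assumed upload directory
const ALLOWED_MIME = ['image/gif' => 'gif', 'image/jpeg' => 'jpg', 'image/png' => 'png'];

// A web app rarely needs phar://; unregistering it removes the implicit
// unserialize() of archive metadata that file functions perform on PHP < 8.0.
if (in_array('phar', stream_get_wrappers(), true)) {
    stream_wrapper_unregister('phar');
}

// Replacement for check_img::img_check(): the request supplies a bare file
// name only, never a path or a stream-wrapper URL.
function safe_img_exists(string $imgName): bool
{
    // The allow-list pattern excludes "://", path separators and NUL bytes.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.(gif|jpe?g|png)\z/', $imgName)) {
        return false;
    }
    $real = realpath(UPLOAD_DIR . '/' . $imgName);
    // realpath() is false for missing files; also confirm containment.
    return $real !== false && dirname($real) === realpath(UPLOAD_DIR);
}

// Replacement for upload::move(): validate the content rather than the
// client-supplied name, and store under a server-generated name.
function safe_store_upload(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $ext = ALLOWED_MIME[$mime] ?? null;
    if ($ext === null) {
        return null;
    }
    // Defense in depth, not a complete filter: a phar stub can sit behind
    // valid image magic bytes, so refuse files containing the stub marker.
    $data = file_get_contents($file['tmp_name']);
    if ($data === false || strpos($data, '__HALT_COMPILER') !== false) {
        return null;
    }
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    return move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $name) ? $name : null;
}
```

On PHP 8.0 and later, file functions no longer unserialize phar metadata automatically, but restricting img_name to a bare file name is still needed to keep stream wrappers and path traversal out of file_exists().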
From: https://www.cnblogs.com/kkkkl/p/16748375.html